docker / for-mac

Bug reports for Docker Desktop for Mac
https://www.docker.com/products/docker#/mac

Rosetta adds a cache folder owned by root in user directory #7440

Open hadim opened 1 month ago

hadim commented 1 month ago

Description

Rosetta adds a cache folder owned by root in the user directory. It prevents the cache folder from being used by a regular user, since that user does not have write permission for it.

Reproduce

On macOS:

$ docker run --rm -ti quay.io/condaforge/linux-anvil-cos7-x86_64:latest ls -la /home/conda/.cache
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
total 12
drwxr-xr-x 3 root  root  4096 Oct  1 22:28 .
drwx------ 3 conda conda 4096 Oct  1 22:28 ..
drwxr-xr-x 2 root  root  4096 Oct  1 22:28 rosetta

If you execute the same on a Linux machine (Linux host), you will notice the cache folder is not here.

Expected behavior

This cache folder should not be here, or it should have the correct permissions set.

docker version

Client:
 Version:           27.2.0
 API version:       1.47
 Go version:        go1.21.13
 Git commit:        3ab4256
 Built:             Tue Aug 27 14:14:45 2024
 OS/Arch:           darwin/arm64
 Context:           default

Server: Docker Desktop 4.34.2 (167172)
 Engine:
  Version:          27.2.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.21.13
  Git commit:       3ab5c7d
  Built:            Tue Aug 27 14:15:41 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.20
  GitCommit:        8fc6bcff51318944179630522a095cc9dbf9f353
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    27.2.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.16.2-desktop.1
    Path:     /Users/hadim/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.2-desktop.2
    Path:     /Users/hadim/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.34
    Path:     /Users/hadim/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Alpha) (Docker Inc.)
    Version:  v0.0.15
    Path:     /Users/hadim/.docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /Users/hadim/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.25
    Path:     /Users/hadim/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /Users/hadim/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.3.0
    Path:     /Users/hadim/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/hadim/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.13.0
    Path:     /Users/hadim/.docker/cli-plugins/docker-scout

Server:
 Containers: 8
  Running: 0
  Paused: 0
  Stopped: 8
 Images: 4
 Server Version: 27.2.0
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.10.4-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 16
 Total Memory: 35.18GiB
 Name: docker-desktop
 ID: 6ef71588-fd89-4779-a736-0af984b4c700
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/hadim/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

61903BA2-5911-4DBA-9210-D49AF02C57BF/20241001223041

Additional Info

No response
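As an added check (not part of the issue, and not Docker's or Rosetta's own tooling): a small Python parser for an `ls -la` listing like the one in the report that applies the POSIX owner/group/other write-bit rules and reports which entries a given unprivileged user cannot write to. The sample listing is the one from the report; the assumption that the user's primary group shares the user's name is labelled in the code.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `ls -la /home/conda/.cache` output from the report above.
SAMPLE_LS = """\
total 12
drwxr-xr-x 3 root  root  4096 Oct  1 22:28 .
drwx------ 3 conda conda 4096 Oct  1 22:28 ..
drwxr-xr-x 2 root  root  4096 Oct  1 22:28 rosetta
"""

@dataclass
class Entry:
    mode: str    # e.g. "drwxr-xr-x": type char + owner/group/other rwx triplets
    owner: str
    group: str
    name: str

# One `ls -l` line: mode, link count, owner, group, size, three date tokens, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})[+@.]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

def parse_ls(text):
    """Parse `ls -la` output; the 'total N' header and blank lines are skipped."""
    return [Entry(**m.groupdict()) for m in map(LS_LINE.match, text.splitlines()) if m]

def can_write(entry, user, groups):
    """DAC rule for an unprivileged user: owner bit if they own it, else group bit
    if they are in its group, else the 'other' bit. (root bypasses DAC; not modelled.)"""
    if entry.owner == user:
        return entry.mode[2] == "w"
    if entry.group in groups:
        return entry.mode[5] == "w"
    return entry.mode[8] == "w"

def unwritable_by(text, user, groups=()):
    """Names the user cannot write to. '.' is the listed directory itself, which is
    the entry that matters: an unwritable '.' blocks creating anything inside it."""
    # Assumption: the user's primary group is named like the user (true for 'conda' above).
    groups = set(groups) | {user}
    return [e.name for e in parse_ls(text)
            if e.name != ".." and not can_write(e, user, groups)]

if __name__ == "__main__":
    print(unwritable_by(SAMPLE_LS, "conda"))   # ['.', 'rosetta']
```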

farvour commented 1 week ago

This problem showed up for us too. I used dive to inspect at which layer it arrived, and it is in the one where we install a bunch of extra apt packages into our self-hosted runner image.

It got noticed in self-hosted GitHub runner builds, and as a workaround, since I can't seem to make the file actually go away, I moved an rm statement towards the bottom:

# macOS on Apple virtualization w/ x86 creates this junk file which gets owned by root further up.
# It'll get re-created, but as USER runner after the next directive so hopefully should not cause permission issues.
RUN rm -rf /home/runner/.cache

# Change back to the original runner user.
USER runner

Not sure which one it is yet, but, here's the list that triggers the file to get created, and stick around for the rest of the build:

RUN echo "=== Installing extra packages" \
    && echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee -a /etc/apt/sources.list.d/pgdg.list \
    && wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
    && add-apt-repository ppa:ubuntugis/ppa \
    && apt-get update -y \
    && apt-get upgrade -y \
    && apt-get install -yy --no-install-recommends \
    antiword \
    automake \
    autotools-dev \
    awscli \
    binutils \
    build-essential \
    ca-certificates \
    curl \
    default-jre \
    ffmpeg \
    gettext-base \
    ghostscript \
    git \
    gnutls-bin \
    gosu \
    htop \
    iotop \
    jq \
    less \
    libasound2 \
    libct4 \
    libde265-0 \
    libde265-dev \
    libffi-dev \
    libgbm-dev \
    libgconf-2-4 \
    libgcrypt20-dev \
    libgnutls28-dev \
    libgs-dev \
    libgtk-3-0 \
    libgtk2.0-0 \
    libltdl-dev \
    libmagic-dev \
    libmagic1 \
    libnotify-dev \
    libnss3 \
    libp11-kit-dev \
    libpng-dev \
    libpq-dev \
    libreoffice \
    librsvg2-bin \
    libsnappy-dev \
    libsqlite3-dev \
    libtasn1-6-dev \
    libtiff-dev \
    libtool \
    libunbound-dev \
    libunistring-dev \
    libxml2-dev \
    libxslt1-dev \
    libxss1 \
    libxtst6 \
    nettle-bin \
    nettle-dev \
    openssl \
    pkg-config \
    poppler-utils \
    postgis \
    postgresql-16-postgis-3 \
    postgresql-16-postgis-3-scripts \
    postgresql-client-16 \
    ruby \
    ruby-dev \
    software-properties-common \
    sqlite3 \
    telnet \
    tesseract-ocr \
    unixodbc \
    unixodbc-dev \
    unrtf \
    unzip \
    vim \
    wget \
    xauth \
    xmlsec1 \
    xvfb \
    yarn \
    zip \
    && rm -rf /var/lib/apt/lists/*

Docker information in case it helps:

Version

4.35.1 (173168)

Engine: 27.3.1

Compose: v2.29.7-desktop.1

Credential Helper: v0.8.2

Kubernetes: v1.30.2