fix: allow running docker runner as non-root user
Melange Pull Request Template
Functional Changes
- [ ] This change can build all of Wolfi without errors (describe results in notes)
Notes:
SCA Changes
- [ ] Examining several representative APKs shows no regression / the desired effect (details in notes)
Notes:
Linter
- [ ] The new check is clean across Wolfi
- [ ] The new check is opt-in or a warning
Notes:
Related issue #1647
Do you have a recreate on this? https://github.com/chainguard-dev/melange/pull/1649 landed and "fixed" a trivial case that is described with a recreate in https://github.com/chainguard-dev/melange/issues/1254.
Also, can you clarify "allow running docker runner as non-root user"? On the workstation setups, I run as user 1000 and can build lots of packages with the docker runner. The docker runner there does run privileged.
I was having issues with building emissary with the docker runner due to the error:
failed to build package: mkdir /tmp/melange-workspace-230936390/melange-out: permission denied
Using this proposed branch resolves this issue.
I've noticed the opposite: in a normal (or dare I say lazy?) docker installation where docker is running as root, melange fails. Some CI pipelines seem to do this. The build process seems to write several directories into /tmp called melange-workspace-XXXXXXXX, all with 700 permissions, and some of them end up getting owned by root:root after docker runs. And then when melange runs lint towards the end of the build process it's unable to access those directories. The simple fix is to run melange with sudo. I don't love it though. You can get a little further if you set --lint-require "", but then you hit the same error with SBOMs:
2025/01/30 09:32:29 ERRO failed to build package: writing SBOM for vllm: creating SBOM directory: mkdir /tmp/melange-workspace-191365054/melange-out: permission denied
And then running this branch results in a seg fault instead when it hits the linting process:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x15e2d9a]
goroutine 84 [running]:
chainguard.dev/melange/pkg/linter.init.allPaths.func4.1({0x20212f8, 0x1}, {0x0, 0x0}, {0x160e08d?, 0xc008b89f80?})
/home/ci/go/src/github.com/wojciechka/chainguard-dev-melange/pkg/linter/linter.go:66 +0x7a
io/fs.WalkDir({0x202d8a0, 0xc00cc0b000}, {0x20212f8, 0x1}, 0xc00f6064b0)
/home/ci/go/pkg/mod/golang.org/[email protected]/src/io/fs/walk.go:120 +0xc3
chainguard.dev/melange/pkg/linter.init.allPaths.func4({0x20564c8?, 0xc0004f6960?}, {0x1d843d6?, 0x6?}, {0x202d8a0?, 0xc00cc0b000?})
/home/ci/go/src/github.com/wojciechka/chainguard-dev-melange/pkg/linter/linter.go:62 +0x72
chainguard.dev/melange/pkg/linter.lintPackageFS({0x20564c8, 0xc0004f6960}, {0xc0002c44ac, 0x4}, {0x202d8a0, 0xc00cc0b000}, {0xc000212360?, 0x1d8c4c9?, 0x8a11ad?})
/home/ci/go/src/github.com/wojciechka/chainguard-dev-melange/pkg/linter/linter.go:549 +0x1f7
chainguard.dev/melange/pkg/linter.LintBuild({0x20564c8, 0xc0004f6960}, {0xc0002c44ac, 0x4}, {0xc000ec0880, 0x32}, {0xc000212240, 0x4, 0x11}, {0xc000212360, ...})
/home/ci/go/src/github.com/wojciechka/chainguard-dev-melange/pkg/linter/linter.go:576 +0x185
chainguard.dev/melange/pkg/build.(*Build).BuildPackage(0xc000533108, {0x20564c8, 0xc0003bb2c0})
/home/ci/go/src/github.com/wojciechka/chainguard-dev-melange/pkg/build/build.go:906 +0x3057
chainguard.dev/melange/pkg/cli.BuildCmd.func1()
/home/ci/go/src/github.com/wojciechka/chainguard-dev-melange/pkg/cli/build.go:371 +0x594
golang.org/x/sync/errgroup.(*Group).Go.func1()
/home/ci/go/pkg/mod/golang.org/x/[email protected]/errgroup/errgroup.go:78 +0x50
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 1
/home/ci/go/pkg/mod/golang.org/x/[email protected]/errgroup/errgroup.go:75 +0x96
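As an added illustration of the failure mode described in the comment above (this is example code, not code from this PR or from melange), the Go program below walks a workspace tree and reports every entry the calling user cannot read or does not own, which is what a root-owned, mode 700 melange-workspace directory looks like to a non-root melange. The callback checks the walk error before touching the DirEntry: fs.WalkDir documents that it passes d == nil when the initial Stat of the root fails, so a callback that dereferences d unconditionally panics on exactly the unreadable-workspace case. The names Problem, WalkProblems and SampleWorkspace are assumptions of this example, the in-memory SampleWorkspace is constructed (not real melange output), and the ownership check uses syscall.Stat_t and so assumes a Unix host.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"syscall"
	"testing/fstest"
)

// Problem records one workspace entry that the calling user cannot use.
// (Example type; not part of melange.)
type Problem struct {
	Path   string
	Reason string
}

// ownerUID returns the owning uid of info when the FS exposes it. os.DirFS on
// Unix returns a *syscall.Stat_t from Sys(); an in-memory fstest.MapFS returns nil.
func ownerUID(info fs.FileInfo) (uint32, bool) {
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok || st == nil {
		return 0, false
	}
	return st.Uid, true
}

// WalkProblems walks root inside fsys and reports every entry that cannot be
// read or that is owned by a uid other than uid. The callback checks err
// before touching d: fs.WalkDir passes d == nil when the initial Stat of root
// fails, which is what a missing or unreadable workspace directory produces.
func WalkProblems(fsys fs.FS, root string, uid uint32) ([]Problem, error) {
	var problems []Problem
	err := fs.WalkDir(fsys, root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			problems = append(problems, Problem{Path: path, Reason: err.Error()})
			if d != nil && d.IsDir() {
				return fs.SkipDir // cannot descend into it; continue with siblings
			}
			return nil // d may be nil here; do not dereference it
		}
		info, ierr := d.Info()
		if ierr != nil {
			problems = append(problems, Problem{Path: path, Reason: ierr.Error()})
			return nil
		}
		if owner, ok := ownerUID(info); ok && owner != uid {
			problems = append(problems, Problem{
				Path:   path,
				Reason: fmt.Sprintf("owned by uid %d, not uid %d", owner, uid),
			})
		}
		return nil
	})
	return problems, err
}

// SampleWorkspace is a constructed in-memory stand-in for a melange workspace
// (not real melange output), used so the example runs without touching disk.
func SampleWorkspace() fs.FS {
	return fstest.MapFS{
		"melange-out/pkg/usr/bin/tool":  &fstest.MapFile{Data: []byte("#!/bin/sh\n"), Mode: 0o755},
		"melange-out/pkg/etc/tool.conf": &fstest.MapFile{Data: []byte("x=1\n"), Mode: 0o644},
	}
}

func report(label string, problems []Problem, err error) {
	fmt.Printf("%s: %d problem(s), walk error: %v\n", label, len(problems), err)
	for _, p := range problems {
		fmt.Printf("  %s: %s\n", p.Path, p.Reason)
	}
}

func main() {
	uid := uint32(os.Getuid())
	// In-memory cases: a clean tree, and a root that cannot be stat'ed.
	p, err := WalkProblems(SampleWorkspace(), "melange-out", uid)
	report("sample melange-out", p, err)
	p, err = WalkProblems(SampleWorkspace(), "does-not-exist", uid)
	report("sample missing root", p, err)
	// Real workspace: pass the directory as the first argument, for example
	// /tmp/melange-workspace-191365054, to list root-owned or unreadable entries.
	if len(os.Args) > 1 {
		p, err = WalkProblems(os.DirFS(os.Args[1]), ".", uid)
		report(os.Args[1], p, err)
	}
}
```

Run it as the same non-root user that runs melange, pointing it at the workspace directory left behind by a failed build; any entry reported as owned by uid 0 or as permission denied is one that lint and SBOM writing will also be unable to use. Note that the missing-root case returns the problem in the list and a nil walk error, because the callback swallows the error deliberately so that the scan completes instead of aborting on the first unreadable entry.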