docker-lambda
Bundler install breaks builds for non-root users
The installation of bundler as root from #145 has broken bundler functionality for non-root users.
Reproduction: as root:
$ docker run --rm -ti lambci/lambda:build-ruby2.5 bundle -v
Bundler version 1.17.2
As non-root:
$ docker run --rm -ti --user ec2-user lambci/lambda:build-ruby2.5 bundle -v
Traceback (most recent call last):
3: from /var/lang/bin/bundle:10:in `<main>'
2: from /var/lang/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:39:in `require'
1: from /var/lang/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:135:in `rescue in require'
/var/lang/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:135:in `require': cannot load such file -- bundler (LoadError)
Could we perhaps install bundler as a non-root user in the dockerfile (using runuser if necessary), or fix the permissions as a secondary step?
This command as root (run inside the container)
find /var/lang -type d ! -perm -o=r -exec chmod a+rx {} \;
fixes the issue, and allows
runuser -u ec2-user -- bundle -v
to work. Seems all the directories created when bundler is installed have incorrect permissions (i.e., only root has read and execute on the directories - the files seem correct).
Perhaps changing the umask before installing bundler would solve this.
Is there any reason you're trying to use a different user?
Yes - the build process produces artefacts that I don't want to be owned by root.
Also, it better mimics the runtime environment to be not running as root.
This all worked fine before the installation of bundler in the dockerfile. I've just tried setting umask 022 in the dockerfile and this seems to fix the issue. I'll raise a PR.
Actually, I'll retract that. I cannot reproduce locally, using ruby2.5/build/Dockerfile from master (unmodified).
The built image does not have the same issues as the images pulled from the docker repo lambci/lambda:build-ruby2.5.
Can anyone else confirm this is the case?
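
The directory-permission problem and the umask idea discussed in this thread, as an added example that is not part of the original issue or the docker-lambda project: a check that lists directories non-root users cannot read or traverse, plus a repair in the style of the find/chmod command above. The function names and the sample tree are hypothetical, and the check tests both o+r and o+x where the thread's command tested only o=r.

```sh
#!/bin/sh
# Added example: names and the sample tree are hypothetical, not from the thread.

# List directories under $1 that "other" users cannot both read and traverse
# (missing o+r or o+x, i.e. not all bits of octal 005 set).
untraversable_dirs() {
    find "$1" -type d ! -perm -005 -print
}

# Number of such directories; 0 means every directory is usable by non-root users.
count_untraversable() {
    untraversable_dirs "$1" | wc -l | tr -d ' '
}

# Stand-in for an install step run as root: create a nested directory tree
# under umask $1 at root $2. Only directories are created, because the thread
# reports that file modes were fine.
simulate_install() {
    (
        umask "$1"
        mkdir -p "$2/lib/ruby/gems/bundler"
    )
}

# Repair in the style of the thread's find/chmod command, limited to the
# directories the check flags.
fix_untraversable() {
    find "$1" -type d ! -perm -005 -exec chmod a+rx {} +
}

# Demo on a constructed temporary tree: sh script.sh --demo
demo() {
    tmp=$(mktemp -d)
    simulate_install 077 "$tmp/restrictive"
    simulate_install 022 "$tmp/default"
    echo "umask 077: $(count_untraversable "$tmp/restrictive") blocked dirs"
    echo "umask 022: $(count_untraversable "$tmp/default") blocked dirs"
    fix_untraversable "$tmp/restrictive"
    echo "after fix: $(count_untraversable "$tmp/restrictive") blocked dirs"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run against /var/lang inside a freshly built image, a non-zero count from count_untraversable would flag the condition reported here before the image is published.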