From efdb92366b633f8ca573f31df7ff2ca1ac067980 Mon Sep 17 00:00:00 2001
From: Archana Shinde
Date: Tue, 5 Jul 2022 14:46:43 -0700
Subject: [PATCH 1/2] build: Fix clh source build as normal user

While running make as non-privileged user, the make errors out with the following message: "INFO: Build cloud-hypervisor enabling the following features: tdx Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=cloudhypervisor%2Fdev&tag=20220524-0": dial unix /var/run/docker.sock: connect: permission denied" Even though the user may be part of docker group, the clh build from source does a docker in docker build. It is necessary for the user of the nested container to be part of docker build for the build to succeed.

Fixes #4594

Signed-off-by: Archana Shinde
---
.../kata-deploy/local-build/dockerbuild/Dockerfile | 7 ++++++-
.../local-build/kata-deploy-binaries-in-docker.sh | 14 ++++++++++++--
2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile b/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile
index 5514d9a640..06a4a93ac9 100644
--- a/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile
+++ b/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile
@@ -23,8 +23,13 @@ RUN apt-get update && \
 ARG IMG_USER=kata-builder
 ARG UID=1000
 ARG GID=1000
+# gid of the docker group on the host, required for running docker in docker builds.
+ARG HOST_DOCKER_GID
+
 RUN if [ ${IMG_USER} != "root" ]; then groupadd --gid=${GID} ${IMG_USER};fi
 RUN if [ ${IMG_USER} != "root" ]; then adduser ${IMG_USER} --uid=${UID} --gid=${GID};fi
+RUN if [ ${IMG_USER} != "root" ] && [ ! -z ${HOST_DOCKER_GID} ]; then groupadd --gid=${HOST_DOCKER_GID} docker_on_host;fi
+RUN if [ ${IMG_USER} != "root" ] && [ ! -z ${HOST_DOCKER_GID} ]; then usermod -a -G docker_on_host ${IMG_USER};fi
 RUN sh -c "echo '${IMG_USER} ALL=NOPASSWD: ALL' >> /etc/sudoers"
 #FIXME: gcc is required as agent is build out of a container build.
@@ -40,4 +45,4 @@ RUN apt-get update && \
 apt-get clean && rm -rf /var/lib/apt/lists
 ENV USER ${IMG_USER}
-USER ${UID}:${GID}
+USER ${IMG_USER}
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
index 4035ff9cbd..24d19c936f 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
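Review bot: `groupadd --gid=${HOST_DOCKER_GID} docker_on_host` in the first hunk aborts the image build whenever the host's docker gid is already taken by a group in the base image, because groupadd refuses a duplicate gid by default, so such hosts are left unable to build instead of being mapped onto the existing group. `groupadd --non-unique --gid=${HOST_DOCKER_GID} docker_on_host` (or a `getent group ${HOST_DOCKER_GID}` check that reuses the existing group's name on the `usermod` line) keeps the build going; the `[ ! -z ${HOST_DOCKER_GID} ]` tests on both added RUN lines should also quote the expansion as `[ -n "${HOST_DOCKER_GID}" ]`, since the unquoted form only evaluates correctly by accident when the build arg arrives empty. The comment above `ARG HOST_DOCKER_GID` should say what this membership grants, e.g. `# gid of the host's docker group; members can drive the host daemon through the mounted /var/run/docker.sock (effectively host root), so it is only passed when a nested build needs it.`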
@@ -20,17 +20,27 @@ if [ "${script_dir}" != "${PWD}" ]; then
 ln -sf "${script_dir}/build" "${PWD}/build"
 fi
+# This is the gid of the "docker" group on host. In case of docker in docker builds
+# for some of the targets (clh builds from source), the nested container user needs to
+# be part of this group.
+docker_gid=$(getent group docker | cut -d: -f3 || { echo >&2 "Missing docker group, docker needs to be installed" && false; })
+
+# If docker gid is the effective group id of the user, do not pass it as
+# an additional group.
+if [ ${docker_gid} == ${gid} ]; then
+ docker_gid=""
+fi
+
 docker build -q -t build-kata-deploy \
 --build-arg IMG_USER="${USER}" \
 --build-arg UID=${uid} \
 --build-arg GID=${gid} \
+ --build-arg HOST_DOCKER_GID=${docker_gid} \
 "${script_dir}/dockerbuild/"
 docker run \
 -v /var/run/docker.sock:/var/run/docker.sock \
- --user ${uid}:${gid} \
 --env USER=${USER} -v "${kata_dir}:${kata_dir}" \
 --rm \
 -w ${script_dir} \
 build-kata-deploy "${kata_deploy_create}" $@
-
From e57a1c831ebc087ffdaaecdfe742a0133a7595b8 Mon Sep 17 00:00:00 2001
From: Archana Shinde
Date: Tue, 5 Jul 2022 14:58:10 -0700
Subject: [PATCH 2/2] build: Mark git repos as safe for build

This is not an issue when the build is run as non-privilged user. Marking these as safe in case where the build may be run as root or some other user.

Signed-off-by: Archana Shinde
---
.../packaging/static-build/cloud-hypervisor/build-static-clh.sh | 1 +
1 file changed, 1 insertion(+)

diff --git a/tools/packaging/static-build/cloud-hypervisor/build-static-clh.sh b/tools/packaging/static-build/cloud-hypervisor/build-static-clh.sh
index 82ad3b42b9..8cb1a6e79f 100755
--- a/tools/packaging/static-build/cloud-hypervisor/build-static-clh.sh
+++ b/tools/packaging/static-build/cloud-hypervisor/build-static-clh.sh
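Review bot: The `|| { echo ...; false; }` fallback on the added `docker_gid=` line never fires, because `||` tests the exit status of the pipeline, which is `cut`'s, and `cut` succeeds on empty input when `getent group docker` finds no such group; on a host without a docker group `docker_gid` is therefore silently empty and the following `[ ${docker_gid} == ${gid} ]` expands to `[ == <gid> ]`, a test syntax error, after which an empty `HOST_DOCKER_GID` is passed anyway. Check the captured value rather than the pipeline status, and quote the comparison using `=` (`==` is not POSIX `test`; the script's shebang and any `set -e` are outside the hunk, so whether the assignment would abort on its own cannot be confirmed here). Suggested rewrite of the two added stanzas:
```shell
docker_gid=$(getent group docker | cut -d: -f3)
if [ -z "${docker_gid}" ]; then
	echo >&2 "Missing docker group, docker needs to be installed"
	exit 1
fi

# … unchanged: comment on why the gid is dropped when it equals ${gid} …
if [ "${docker_gid}" = "${gid}" ]; then
	docker_gid=""
fi
# … unchanged: docker build / docker run invocations …
```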
@@ -56,6 +56,7 @@ build_clh_from_source() {
 repo_dir="${repo_dir//.git}"
 rm -rf "${repo_dir}"
 git clone "${cloud_hypervisor_repo}"
+ git config --global --add safe.directory "$PWD/repo_dir"
 pushd "${repo_dir}"
 if [ -n "${cloud_hypervisor_pr}" ]; then