Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(docker-image): ensure base & cache dir at build time #32594

Merged

Conversation

Gabriel-Ladzaretti
Copy link
Collaborator

Changes

Create the default base and cache directories at docker image build time.
This will allow bind mounting cache assets without breaking the expected Renovate directory permissions at runtime.

This assumes that the ubuntu user is part of the root group, which is currently the case.

Context

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

tools/docker/Dockerfile Outdated Show resolved Hide resolved
rarkins
rarkins previously approved these changes Nov 18, 2024
tools/docker/Dockerfile Outdated Show resolved Hide resolved
Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
@viceice viceice changed the title fix(image): ensure base & cache dir at docker image build time fix(docker-image): ensure base & cache dir at build time Nov 18, 2024
@viceice viceice added this pull request to the merge queue Nov 19, 2024
Merged via the queue into renovatebot:main with commit 1f71981 Nov 19, 2024
39 checks passed
@renovate-release
Copy link
Collaborator

🎉 This PR is included in version 39.20.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

@MathiasPius
Copy link

Just in case someone else hits this issue, it appears this change broke Renovate running as a pod within my cluster with the following error:

FATAL: Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'
       "err": {
         "errno": -13,
         "code": "EACCES",
         "syscall": "mkdir",
         "path": "/tmp/renovate/cache/containerbase",
         "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
         "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
       }
 INFO: Renovate was run at log level "info". Set LOG_LEVEL=debug in environment variables to see extended debug logs.
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "cJeevw6fsRzpLv6ADr9uP",
           "err": {
             "errno": -13,
             "code": "EACCES",
             "syscall": "mkdir",
             "path": "/tmp/renovate/cache/containerbase",
             "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
             "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
           },
           "msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
         }
       ]

The only change was me upgrading from 39.20.3 to 39.20.5.

I believe the issue might be caused by me configuring a security context for the pod with user 1000, changing this to 12021 as per the Dockerfile resolved the issue.

Strange that it was working correctly before though...

@viceice
Copy link
Member

viceice commented Nov 19, 2024

Just in case someone else hits this issue, it appears this change broke Renovate running as a pod within my cluster with the following error:

FATAL: Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'
       "err": {
         "errno": -13,
         "code": "EACCES",
         "syscall": "mkdir",
         "path": "/tmp/renovate/cache/containerbase",
         "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
         "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
       }
 INFO: Renovate was run at log level "info". Set LOG_LEVEL=debug in environment variables to see extended debug logs.
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "cJeevw6fsRzpLv6ADr9uP",
           "err": {
             "errno": -13,
             "code": "EACCES",
             "syscall": "mkdir",
             "path": "/tmp/renovate/cache/containerbase",
             "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
             "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
           },
           "msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
         }
       ]

The only change was me upgrading from 39.20.3 to 39.20.5.

I believe the issue might be caused by me configuring a security context for the pod with user 1000, changing this to 12021 as per the Dockerfile resolved the issue.

Strange that it was working correctly before though...

you should read major update release notes

@MathiasPius
Copy link

Just in case someone else hits this issue, it appears this change broke Renovate running as a pod within my cluster with the following error:

FATAL: Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'
       "err": {
         "errno": -13,
         "code": "EACCES",
         "syscall": "mkdir",
         "path": "/tmp/renovate/cache/containerbase",
         "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
         "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
       }
 INFO: Renovate was run at log level "info". Set LOG_LEVEL=debug in environment variables to see extended debug logs.
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "cJeevw6fsRzpLv6ADr9uP",
           "err": {
             "errno": -13,
             "code": "EACCES",
             "syscall": "mkdir",
             "path": "/tmp/renovate/cache/containerbase",
             "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
             "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
           },
           "msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
         }
       ]

The only change was me upgrading from 39.20.3 to 39.20.5.
I believe the issue might be caused by me configuring a security context for the pod with user 1000, changing this to 12021 as per the Dockerfile resolved the issue.
Strange that it was working correctly before though...

you should read major update release notes

I only posted it here in case someone else stumbled upon it, it wasn't meant as a critique or a bug report in and of itself, but since you've taken it upon yourself to educate me, could you kindly point me to the major update release note that mentions this breaking change?

I've been using and upgrading Renovate from 37.* up to 39.20.5, and everything was working perfectly fine up until the 39.20.3.

@KUGA2
Copy link
Contributor

KUGA2 commented Nov 20, 2024

This changes breaks my renovate run, but for different but similar reasons. The error message is also:
Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase

We are running renovate in a Azure devops agent. We have a scheduled agent job. The yml pipeline looks like this:

resources:
  containers:
    - container: renovate
      image: .../renovate/renovate:39.20.4
      endpoint: pkg-docker@production
      options: --user 0

container: renovate

steps:
  - bash: /usr/local/sbin/renovate-entrypoint.sh
    displayName: Run Renovate
    env:
      # Global config
      RENOVATE_PLATFORM: azure
      ...

The first thing that might strike your attention is --user 0. This is necessary because azure devops does some user magic before the jobs begin. It calls groupadd (See) which it cant as user 'ubuntu'.
But thats not the cause of this issue, root has access to /tmp/renovate.

The "user magic" changes the active user of the container to the user of the agent. Therefore it is not ubuntu (uid=12021(ubuntu) gid=0(root) groups=0(root),999(docker),12021(ubuntu)) but AzDevOps_azpcontainer(uid=1001(AzDevOps_azpcontainer) gid=1001(AzDevOps_azpcontainer) groups=1001(AzDevOps_azpcontainer),999(docker),12022(azure_pipelines_sudo)).
That user does not have acces to /tmp/renovate, which is now: drwxrwxr-x 3 root root 4096 Nov 19 10:39 . (before it did not exist and /tmp has public permissions drwxrwxrwt 1 root root 4096 Nov 19 10:39 .).

I have found no good solution to this problem. I will probably no longer use container resources but run the container myself.

Downside: Manual docker run image:tag-version can not be updated by renovate :D. Container resources can.

@viceice
Copy link
Member

viceice commented Nov 20, 2024

please open new discussions to resolve your issues

@renovatebot renovatebot locked and limited conversation to collaborators Nov 20, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants