
nodejsfunction/bundling: files bundled via Docker should be owned by the running user #32834

rix0rrr opened this issue Jan 10, 2025 · 1 comment
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild @aws-cdk/aws-lambda-nodejs @aws-cdk/core Related to core CDK functionality feature-request A feature should be added or improved. help wanted We are asking the community to submit a PR to resolve this issue. p2

Comments

@rix0rrr (Contributor)

rix0rrr commented Jan 10, 2025

Describe the feature

When running a bundling command in Docker (for example using NodejsFunction, but also other commands that do bundling in a Docker container), the generated files will be owned by whatever user the Docker daemon is running as.

Use Case

On macOS, the Docker Desktop daemon is typically running as the user, and so files generated from bundling will be owned by the user, which is good.

On Linux, the Docker daemon is typically running as root, and so files generated from bundling will be owned by root. This means they cannot be cleaned up afterwards! This is a huge hassle, and has cost me a week debugging build failures on GitHub Actions.

The problem does not exhibit on CodeBuild, because on CodeBuild the user running the CDK CLI is root; but on GitHub Actions there is a specific runner user, distinct from root... and it is not allowed to touch files created by root.

Proposed Solution

chown() in the container will work, and the uids are the same between container and host (if I understand the situation correctly).

It's just that the container will most likely not have access to the host system's user database.

What we should do is to pass the current process's uid into the container, and inside the container chown all the files it created to the right uid. I'm like 90% confident this should work 😅 .

This should probably be implemented as part of the generic "run a bundling command in Docker" feature; it shows most commonly through the NodejsFunction construct, but that should not be the place to fix it. It applies to all Docker bundling commands.

Also, someone needs to go figure out what the story on Windows is, because I have no idea.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

Environment details (OS name and version, etc.)
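The following POSIX shell script is an added illustration of the approach proposed above; it is not CDK code and makes no claim about how the CDK implements bundling. It assumes a bundling image whose build step may need root, so it passes the host uid/gid into the container as `HOST_UID`/`HOST_GID` (hypothetical names) and chowns the output directory before the container exits. The `check_ownership` function is the post-bundling check a CI job could run to catch root-owned output before a later cleanup step fails; the `docker run` flags (`--rm`, `-v`, `-e`) are real Docker CLI options.

```shell
#!/bin/sh
# Added example: keep Docker-bundled output owned by the host user (POSIX hosts only;
# the Windows story is not addressed here).

# check_ownership DIR
#   Exit 0 if every file under DIR is owned by the calling user.
#   Exit 1 and list the offending paths if any file is owned by someone else
#   (for example root, when the Docker daemon ran the build as root).
#   Exit 2 if DIR does not exist, so a missing output dir is not reported as clean.
check_ownership() {
  dir=$1
  [ -d "$dir" ] || return 2
  # `find -user` accepts a numeric uid; compare against the host user's uid.
  offenders=$(find "$dir" ! -user "$(id -u)")
  if [ -n "$offenders" ]; then
    printf '%s\n' "$offenders"
    return 1
  fi
  return 0
}

# run_bundling OUT_DIR IMAGE BUILD_COMMAND
#   Runs BUILD_COMMAND inside IMAGE with OUT_DIR mounted at /asset-output.
#   The host uid/gid are passed in as env vars (hypothetical names HOST_UID/HOST_GID);
#   the container's own user database is not consulted, only the numeric ids are
#   used, so the chown works even though the host user is unknown inside the image.
run_bundling() {
  out=$1; image=$2; build=$3
  mkdir -p "$out"
  abs_out=$(cd "$out" && pwd)
  # \$HOST_UID / \$HOST_GID are escaped so they expand inside the container,
  # after the build step has run (possibly as root).
  docker run --rm \
    -v "$abs_out:/asset-output" \
    -e HOST_UID="$(id -u)" -e HOST_GID="$(id -g)" \
    "$image" sh -c "$build && chown -R \"\$HOST_UID:\$HOST_GID\" /asset-output" || return 1
  # Verify the handoff actually produced host-owned files.
  check_ownership "$abs_out"
}

# Usage (not executed here):
#   run_bundling ./asset-output node:20 'cd /asset-output && npm ci' \
#     || { echo "bundled output is not owned by $(id -un)"; exit 1; }
```

If the image tolerates running the whole build as a non-root user, `docker run --user "$(id -u):$(id -g)"` avoids the chown entirely; the env-var-plus-chown form above is for builds that must start as root. Either way, `check_ownership` belongs in the job right after bundling, since that is where a root-owned directory first becomes a cleanup failure.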

@rix0rrr rix0rrr added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. @aws-cdk/core Related to core CDK functionality @aws-cdk/aws-lambda-nodejs p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jan 10, 2025
@github-actions github-actions bot added the @aws-cdk/aws-codebuild Related to AWS CodeBuild label Jan 10, 2025
@rix0rrr rix0rrr added the help wanted We are asking the community to submit a PR to resolve this issue. label Jan 10, 2025
@rix0rrr (Contributor, Author)

rix0rrr commented Jan 13, 2025

There's something in the code to do this already. I don't understand why it doesn't work on GitHub Actions though...
