
bazel: cockroachdb/bazel Docker image shouldn't run builds as root #66162

Closed
rickystewart opened this issue Jun 7, 2021 · 1 comment · Fixed by #66197 or #69666
Labels
A-build-system C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)

Comments

@rickystewart
Collaborator

We should adopt the same strategy we use in the cockroachdb/builder image to run builds as a non-root user so that generated artifacts aren't owned by root.

My naive attempt at doing this is breaking the build for some reason:

ERROR: /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/rules_foreign_cc/toolchains/BUILD.bazel:71:10: TreeArtifact external/rules_foreign_cc/toolchains/make was not created
ERROR: /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/rules_foreign_cc/toolchains/BUILD.bazel:71:10: BootstrapGNUMake external/rules_foreign_cc/toolchains/make [for host] failed: not all outputs were created or valid
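An entrypoint implementing the non-root strategy the comment describes, as an added example (not the `autouseradd` script from `cockroachdb/builder`, whose contents are not shown here). It assumes a Linux container with GNU `stat` and util-linux `setpriv`, the workspace mounted at the path in `WORKSPACE` (default `/cockroach`), and a hypothetical `BUILD_USER` name:

```shell
#!/bin/sh
# Added example: create a user matching the mounted workspace's owner and
# drop root before running the build, so generated artifacts are owned by
# the host user rather than root. Assumes Linux, GNU stat and setpriv.
set -eu

# Print "uid gid" of the owner of a path.
owner_ids() {
  stat -c '%u %g' "$1"
}

# Build the /etc/passwd line for the synthetic build user so that tools
# calling getpwuid() (git, bazel, ssh) find a user name and home directory.
passwd_line() { # name uid gid home
  printf '%s:x:%s:%s::%s:/bin/sh\n' "$1" "$2" "$3" "$4"
}

# Drop privileges only when we are root and the workspace belongs to
# someone else; a root-owned workspace keeps the existing behaviour.
needs_drop() { # workspace_uid
  if [ "$(id -u)" -eq 0 ] && [ "$1" -ne 0 ]; then return 0; fi
  return 1
}

run_as_workspace_owner() { # workspace cmd...
  ws="$1"; shift
  ids=$(owner_ids "$ws")
  uid=${ids% *}; gid=${ids#* }
  if ! needs_drop "$uid"; then
    exec "$@"
  fi
  name="${BUILD_USER:-roach}"
  home="/home/$name"
  # Register the uid/gid only if the container does not know them yet.
  getent group "$gid" >/dev/null || echo "$name:x:$gid:" >>/etc/group
  getent passwd "$uid" >/dev/null || passwd_line "$name" "$uid" "$gid" "$home" >>/etc/passwd
  mkdir -p "$home" && chown "$uid:$gid" "$home"
  export HOME="$home" USER="$name"
  # setpriv replaces this process, so no root process is left to create files.
  exec setpriv --reuid="$uid" --regid="$gid" --clear-groups -- "$@"
}

# Act as an entrypoint only when a command is given (keeps the file sourceable).
if [ "$#" -gt 0 ]; then
  run_as_workspace_owner "${WORKSPACE:-/cockroach}" "$@"
fi
```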
@rickystewart rickystewart added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) A-build-system labels Jun 7, 2021
@rickystewart rickystewart self-assigned this Jun 7, 2021
rickystewart added a commit to rickystewart/cockroach that referenced this issue Jun 8, 2021
Adopt the same `autouseradd` script that we use in `cockroachdb/builder`
to avoid creating these files as `root`. Also step down the permissions
on some files that `bazci` creates -- they don't need to be so
permissive any more.

Consuming this for dev scenarios is a follow-up task -- I plan to
integrate it with the `dev` helper tool.

Closes cockroachdb#66162

Release note: None
craig bot pushed a commit that referenced this issue Jun 9, 2021
66105: sql: remove MaybeUpgradeDependentOldForeignKeyVersionTables r=postamar a=ajwerner

We should not need this anymore. At restore time we still upgrade the representation. All descriptors in the system should use the new format. 

Release note: None

66197: bazel: bazel builder image doesn't run builds as root r=rail a=rickystewart

Adopt the same `autouseradd` script that we use in `cockroachdb/builder`
to avoid creating these files as `root`. Also step down the permissions
on some files that `bazci` creates -- they don't need to be so
permissive any more.

Consuming this for dev scenarios is a follow-up task -- I plan to
integrate it with the `dev` helper tool.

Closes #66162

Release note: None

66205: sqlproxyccl: do not inject error frame after connection hand off r=JeffSwenson a=JeffSwenson

Fixes #66156

Previously, deny list and idle errors were communicated using error frames. This
causes wire protocol corruption if the proxy is in the middle of proxying a reply
frame. Now, the sqlproxy closes the connection without injecting an error frame.

Communicating errors to the client after connection handoff could be done if the
proxy inspects the reply stream and tracks the start/end of database reply frames.

Release note: None

66207: build: quash remaining references to `msan` r=rail a=rickystewart

This is no longer supported.

Release note: None

Co-authored-by: Andrew Werner <[email protected]>
Co-authored-by: Ricky Stewart <[email protected]>
Co-authored-by: Jeff Swenson <[email protected]>
@craig craig bot closed this as completed in 1004efd Jun 9, 2021
@catj-cockroach catj-cockroach self-assigned this Aug 6, 2021
rickystewart added a commit to rickystewart/cockroach that referenced this issue Aug 27, 2021
Adopt the same `autouseradd` script that we use in `cockroachdb/builder`
to avoid creating these files as `root`. Also step down the permissions
on some files that `bazci` creates -- they don't need to be so
permissive any more.

Consuming this for dev scenarios is a follow-up task -- I plan to
integrate it with the `dev` helper tool.

Closes cockroachdb#66162

Release note: None

Release justification:
@rickystewart
Collaborator Author

I did more investigation into making this work. I have a draft at my fork, commit 8994446c722a7e3c02e0cf522d9169c6257b0bcf. A couple notes:

  1. My naive approach (which mounted a directory on my macOS machine as a volume on the container) at first produced an error like this:
ERROR: An error occurred during the fetch of repository 'toolchain_cross_x86_64-unknown-linux-gnu':
   Traceback (most recent call last):
	File "/cockroach/build/toolchains/crosstool-ng/toolchain.bzl", line 2, column 30, in _impl
		rctx.download_and_extract(
Error in download_and_extract: java.io.IOException: Error extracting /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/toolchain_cross_x86_64-unknown-linux-gnu/temp10405216992600102743/x86_64-unknown-linux-gnu.tar.gz to /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/toolchain_cross_x86_64-unknown-linux-gnu/temp10405216992600102743: /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/toolchain_cross_x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/sysroot/usr/include/linux/netfilter_ipv6/ip6t_hl.h (Operation not permitted)
ERROR: Error fetching repository: Traceback (most recent call last):
	File "/cockroach/build/toolchains/crosstool-ng/toolchain.bzl", line 2, column 30, in _impl
		rctx.download_and_extract(
Error in download_and_extract: java.io.IOException: Error extracting /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/toolchain_cross_x86_64-unknown-linux-gnu/temp10405216992600102743/x86_64-unknown-linux-gnu.tar.gz to /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/toolchain_cross_x86_64-unknown-linux-gnu/temp10405216992600102743: /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/toolchain_cross_x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/sysroot/usr/include/linux/netfilter_ipv6/ip6t_hl.h (Operation not permitted)
ERROR: /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/io_bazel_rules_go/BUILD.bazel:88:17: @io_bazel_rules_go//:cgo_context_data depends on @toolchain_cross_x86_64-unknown-linux-gnu//:toolchain in repository @toolchain_cross_x86_64-unknown-linux-gnu which failed to fetch. no such package '@toolchain_cross_x86_64-unknown-linux-gnu//': java.io.IOException: Error extracting /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/toolchain_cross_x86_64-unknown-linux-gnu/temp10405216992600102743/x86_64-unknown-linux-gnu.tar.gz to /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/toolchain_cross_x86_64-unknown-linux-gnu/temp10405216992600102743: /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/toolchain_cross_x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/sysroot/usr/include/linux/netfilter_ipv6/ip6t_hl.h (Operation not permitted)

I did some investigation and determined that this folder netfilter_ipv6 has two files with identical names but different casing: ip6t_hl.h and ip6t_HL.h. So bazel can't decompress the former file because it would overwrite the latter. I tried to work around this by creating a case-sensitive apfs volume on my machine and mounting it on the same path. This was very slow but did avoid this problem.

  2. However, progressing beyond that issue re-surfaced #66212 (bazel: build on builder image fails on macOS if you mount /home/roach as a volume) again.
ERROR: /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/rules_foreign_cc/toolchains/BUILD.bazel:71:10: TreeArtifact external/rules_foreign_cc/toolchains/make was not created
ERROR: /home/roach/.cache/bazel/_bazel_roach/cc377fc379544923cc7508dd261e4a48/external/rules_foreign_cc/toolchains/BUILD.bazel:71:10: BootstrapGNUMake external/rules_foreign_cc/toolchains/make [for host] failed: not all outputs were created or valid

I don't have a workaround for this so we're still blocked.

Notably both of these issues are macOS-only. This wouldn't be a problem if we primarily had to support Linux.
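A check for the case-collision failure mode in the comment above (`ip6t_hl.h` next to `ip6t_HL.h`), as an added example that is not part of the issue: run it over an extracted toolchain or source tree on a case-sensitive filesystem before putting that tree on a case-insensitive macOS volume. It assumes POSIX `find`, `sort` and `awk`; the sample tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example: list files in a tree whose names collide when compared
# case-insensitively. Such a tree cannot be extracted intact onto a
# case-insensitive filesystem (default APFS/HFS+ on macOS): the second name
# overwrites or fails against the first, which is the error shown above.
set -eu

# Print one line per collision group: the relative paths that fold to the
# same lowercase key. Exit status is 0 whether or not collisions exist.
case_collisions() { # dir
  ( cd "$1" && find . -mindepth 1 ) \
    | LC_ALL=C sort \
    | awk '{
        key = tolower($0)
        count[key]++
        names[key] = names[key] " " $0
      }
      END { for (k in count) if (count[k] > 1) print substr(names[k], 2) }'
}

# Fail (return 1) if the tree has any collision, so this can gate a CI step.
assert_case_safe() { # dir
  if case_collisions "$1" | grep -q .; then return 1; fi
  return 0
}

# Constructed sample tree mirroring the Linux uapi headers from the issue.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/sysroot/usr/include/linux/netfilter_ipv6"
  : >"$d/sysroot/usr/include/linux/netfilter_ipv6/ip6t_hl.h"
  : >"$d/sysroot/usr/include/linux/netfilter_ipv6/ip6t_HL.h"
  : >"$d/sysroot/usr/include/linux/netfilter_ipv6/ip6t_rt.h"
  printf '%s\n' "$d"
}
```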

@rickystewart rickystewart reopened this Aug 27, 2021
rickystewart added a commit to rickystewart/cockroach that referenced this issue Aug 31, 2021
Adopt the same `autouseradd` script that we use in `cockroachdb/builder`
to avoid creating these files as `root`. Also step down the permissions
on some files that `bazci` creates -- they don't need to be so
permissive any more.

Closes cockroachdb#66162

Release note: None
Release justification: Non-production code change
craig bot pushed a commit that referenced this issue Sep 1, 2021
69203: storage: update min version with store cluster version r=sumeerbhola a=jbowens

Whenever the store cluster version key is updated, update the minimum
storage version too.

Fix #69116.

Release note: None

69641: server: add SQL STATS COMPACTION to automatic job list r=maryliag,arulajmani,ajwerner a=Azhng

Previously, SQL STATS COMPACTION job was not marked as automatic
job. This means SQL STATS COMPACTION job would show up in the
Jobs Page in DB Console and in the output of SHOW JOBS.
This commit adds SQL STATS COMPACTION to a list of automatic
jobs (e.g. auto table stats). This means SQL STATS COMPACTION
job information would only be present in the output of
SHOW AUTOMATIC JOBS.

Release justification: Bug fixes and low-risk updates to new
functionality

Release note (sql change): SQL STATS COMPACTION job now only shows
up in the output of SHOW AUTOMATIC JOBS.

69651: colexec: fix IN operator with unsorted tuple r=mgartner a=mgartner

The vectorized implementation of an `element IN tuple` expression
assumes that the contents of `tuple` are sorted by the optimizer. Based
on this assumption, it performs a binary search instead of a linear
search.

However, the assumption that the optimizer sorts all tuples is
incorrect. For example, there are cases where the contents of a tuple
are not known at planning-time, so the tuple cannot be sorted.
Performing a binary search with an unsorted tuple causes incorrect query
results.

Now, the vectorized engine sorts tuple contents if they are not already
sorted.

Fixes #68979

Release justification: This commit fixes a bug with the IN operator that
causes incorrect results.

Release note (bug fix): A bug has been fixed which caused incorrect
evaluation of the `IN` operator when the tuple on the right-hand-side
of the operator included a subquery, like
`a IN ('foo', (SELECT s FROM t), 'bar')`.

69666: bazel: bazel builder image doesn't run builds as root r=jlinder a=rickystewart

Adopt the same `autouseradd` script that we use in `cockroachdb/builder`
to avoid creating these files as `root`. Also step down the permissions
on some files that `bazci` creates -- they don't need to be so
permissive any more.

Closes #66162

Release justification: Non-production code change
Release note: None

69681: sql: apply zone configs for copied INDEX for ALTER PK on RBR tables r=ajwerner a=otan

Release justification: bug fix for existing feature

Release note (bug fix): Previously, when using ALTER PRIMARY KEY on a
REGIONAL BY ROW table, the copied unique index from the old PRIMARY KEY
would not have the correct zone configurations applied. This commit
fixes that. Users who encountered this bug should re-create the
index.

Co-authored-by: Jackson Owens <[email protected]>
Co-authored-by: Azhng <[email protected]>
Co-authored-by: Marcus Gartner <[email protected]>
Co-authored-by: Ricky Stewart <[email protected]>
Co-authored-by: Oliver Tan <[email protected]>
@craig craig bot closed this as completed in 4530614 Sep 1, 2021