Run snapcraft as non-root (with passwordless sudo)

Bug #1702656 reported by Evan
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
launchpad-buildd
High
Unassigned

Bug Description

npm, as called by the snapcraft node plugin, creates directories to git clone into as the current user (in this case root), but drops privileges before running git clone. This does not end well:

Preparing to pull hello-node-snap
Pulling hello-node-snap
npm ERR! code 1
npm ERR! Command failed: /usr/bin/git clone --depth=1 -q -b v0.0.6.1 git://github.com/heroku/socksv5.git /home/buildd/.npm/_cacache/tmp/git-clone-4f8b43f3
npm ERR! /home/buildd/.npm/_cacache/tmp/git-clone-4f8b43f3/.git: Permission denied
npm ERR!

Colin suggests we evaluate running snapcraft as non-root with passwordless sudo configured. It is presumed that snapcraft will use sudo for the elevated permissions it needs.

Related branches

Colin Watson (cjwatson)
Changed in launchpad-buildd:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson)
Changed in launchpad-buildd:
status: In Progress → Fix Committed
Revision history for this message
Colin Watson (cjwatson) wrote :

I had to revert this because it broke "type: os" and "type: kernel" builds. Even with some Makefile changes from Oliver to run lb under sudo, the core snap build still failed because snapcraft was unable to stage the result:

  make install DESTDIR=/build/core/parts/livebuild/install
  Preparing to build hooks
  Building hooks
  Staging livebuild
  [Errno 13] Permission denied: '/build/core/parts/livebuild/install/dev/loop0'

Possible options for a later second attempt:

 1) Only run as non-root for "type: app" (or missing) and maybe "type: gadget". (This would require parsing snapcraft.yaml directly in launchpad-buildd, which we've so far been able to avoid doing.)
 2) Run "snapcraft stage" and "snapcraft snap" separately, much like we already run "snapcraft pull" separately, and always run them as root.

Changed in launchpad-buildd:
status: Fix Committed → Triaged
assignee: Colin Watson (cjwatson) → nobody
Revision history for this message
Sergio Schvezov (sergiusens) wrote :

We might be able to do 1 in snapcraft by re-exec-ing ourselves with sudo if we detect `os` or `kernel` as we will most likely follow the lead and move snapcraft to build as a regular user as well so it might be better to do the `root` required detection ourselves.

Revision history for this message
Christian Dywan (kalikiana) wrote :

As I understand it, Launchpad won't be able to rely on a fix in snapcraft because snaps can be built with different suites so Xenial without -updates wouldn't have a new version. So I opened a forum topic to discuss improvements in snapcraft and not deter from the fix here:
https://forum.snapcraft.io/t/run-snapcraft-in-container-as-a-user/1438

Revision history for this message
Colin Watson (cjwatson) wrote :

Yes, I certainly don't object to snapcraft's interface being improved (especially for the sake of cleanbuild et al), but we'll need to deal with it in launchpad-buildd as well at least for a while.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers