launchpad-buildd

Run snapcraft as non-root (with passwordless sudo)

Bug #1702656 reported by Evan on 2017-07-06

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	launchpad-buildd	Triaged	High	Unassigned

Bug Description

npm, as called by the snapcraft node plugin, creates directories to git clone into as the current user (in this case root), but drops privileges before running git clone. This does not end well:

Preparing to pull hello-node-snap
Pulling hello-node-snap
npm ERR! code 1
npm ERR! Command failed: /usr/bin/git clone --depth=1 -q -b v0.0.6.1 git://github.com/heroku/socksv5.git /home/buildd/.npm/_cacache/tmp/git-clone-4f8b43f3
npm ERR! /home/buildd/.npm/_cacache/tmp/git-clone-4f8b43f3/.git: Permission denied
npm ERR!

Colin suggests we evaluate running snapcraft as non-root with passwordless sudo configured. It is presumed that snapcraft will use sudo for the elevated permissions it needs.

Related branches

lp:~cjwatson/launchpad-buildd/snap-non-root

Merged into lp:launchpad-buildd at revision 227

William Grant: Approve on 2017-07-17

Colin Watson (cjwatson) on 2017-07-06

Changed in launchpad-buildd:
status:	New → In Progress
importance:	Undecided → High
assignee:	nobody → Colin Watson (cjwatson)

Colin Watson (cjwatson) on 2017-07-18

Changed in launchpad-buildd:
status:	In Progress → Fix Committed

Revision history for this message

Colin Watson (cjwatson) wrote on 2017-07-25:

I had to revert this because it broke "type: os" and "type: kernel" builds. Even with some Makefile changes from Oliver to run lb under sudo, the core snap build still failed because snapcraft was unable to stage the result:

  make install DESTDIR=/build/core/parts/livebuild/install
  Preparing to build hooks
  Building hooks
  Staging livebuild
  [Errno 13] Permission denied: '/build/core/parts/livebuild/install/dev/loop0'

Possible options for a later second attempt:

1) Only run as non-root for "type: app" (or missing) and maybe "type: gadget". (This would require parsing snapcraft.yaml directly in launchpad-buildd, which we've so far been able to avoid doing.)
2) Run "snapcraft stage" and "snapcraft snap" separately, much like we already run "snapcraft pull" separately, and always run them as root.

Changed in launchpad-buildd:
status:	Fix Committed → Triaged
assignee:	Colin Watson (cjwatson) → nobody

Revision history for this message

Sergio Schvezov (sergiusens) wrote on 2017-07-25:

We might be able to do 1 in snapcraft by re-exec-ing ourselves with sudo if we detect `os` or `kernel` as we will most likely follow the lead and move snapcraft to build as a regular user as well so it might be better to do the `root` required detection ourselves.

Revision history for this message

Cris Dywan (kalikiana) wrote on 2017-07-26:

As I understand it, Launchpad won't be able to rely on a fix in snapcraft because snaps can be built with different suites so Xenial without -updates wouldn't have a new version. So I opened a forum topic to discuss improvements in snapcraft and not deter from the fix here:
https://forum.snapcraft.io/t/run-snapcraft-in-container-as-a-user/1438

Revision history for this message

Colin Watson (cjwatson) wrote on 2017-07-26:

Yes, I certainly don't object to snapcraft's interface being improved (especially for the sake of cleanbuild et al), but we'll need to deal with it in launchpad-buildd as well at least for a while.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.