ci: container: non-root write access to /node_modules

during preamble: error An unexpected error occurred: "EACCES: permission denied, unlink \ '/build/node_modules/.yarn-integrity'". Signed-off-by: Dr. Jan-Philip Gehrcke <jp@opstrace.com> ci: container: non-root /node_modules Got this with the chmod -R technique: [2021-08-11T14:10:14Z] error An unexpected error occurred: "EPERM: operation not permitted, chmod '/node_modules/@babel /core/node_modules/ @babel/generator/node_modules/.bin/jsesc'". Signed-off-by: Dr. Jan-Philip Gehrcke <jp@opstrace.com> ci: preamble: copy /node_modules Got this during yarn An unexpected error occurred: "EEXIST: file already exists, found yarnpkg/yarn#8079 (comment) Signed-off-by: Dr. Jan-Philip Gehrcke <jp@opstrace.com>
opstrace · Aug 11, 2021 · afc4791 · afc4791
1 parent 1fa3444
commit afc4791
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -405,7 +405,10 @@ rebuild-ci-container-image:
 	#Note(JP): update: experiment with sending a small build context including
 	# yarn.lock and package.json and run a yarn install in the image build
 	#to populate the yarn cache in /usr in the image
-	docker build -t opstrace/opstrace-ci:$(CHECKOUT_VERSION_STRING)  . -f containers/ci/opstrace-ci.Dockerfile
+	# inject current user uid/gid to write some directories as this
+	# identity, also see https://stackoverflow.com/a/44683248/145400
+	docker build --build-arg CIUID=$(shell id -u) --build-arg CIGID=$(shell id -g) \
+		-t opstrace/opstrace-ci:$(CHECKOUT_VERSION_STRING)  . -f containers/ci/opstrace-ci.Dockerfile
 
 
 

diff --git a/ci/preamble.sh b/ci/preamble.sh
@@ -47,7 +47,9 @@ make set-build-info-constants
 # `package.json` is. Alternative is maybe to create a .yarnrc containing
 # --modules-folder /node_modules. The challenge is that /build is _mounted_
 # into the container, while /node_modules is already there.
-ln -s /node_modules ./node_modules
+#ln -s /node_modules ./node_modules
+# update: https://github.com/yarnpkg/yarn/issues/8079#issuecomment-622817604 -- huh
+cp -a /node_modules ./node_modules
 
 # The depenencies for this linting effort should all be in the CI
 # container image, i.e. this should not rely on `yarn --frozen-lockfile`

diff --git a/containers/ci/opstrace-ci.Dockerfile b/containers/ci/opstrace-ci.Dockerfile
@@ -105,17 +105,34 @@ RUN (cd /tmp && GOPATH=/usr/local/ go get github.com/google/addlicense)
 #RUN mkdir /tmp/yarninstall
 COPY package.json yarn.lock /
 
+# Register build args, set defaults. GID and UID are expected to be overridden
+# in CI.
+ARG CIUNAME=ciuser
+ARG CIUID=1000
+ARG CIGID=1000
+
+# Switch user to the same user that is used when running the image.
+# This is so that /yarncache and /node_modules contents are writable.
+RUN mkdir /yarncache && chmod 777 /yarncache
+RUN mkdir /node_modules && chmod 777 /node_modules
+RUN echo "set up user $CIUNAME / $CIUID in group $CIGID"
+RUN groupadd -g $CIGID -o $CIUNAME
+RUN useradd -m -u $CIUID -g $CIGID -o -s /bin/bash $CIUNAME
+USER $CIUNAME
+
 # This is to populate the yarn cache at /yarncache in the container image and
 # to create a /node_modules dir -- let's see if that brings a speedup
 # downstream.
-RUN mkdir /yarncache && yarn config set cache-folder /yarncache
+RUN yarn config set cache-folder /yarncache
 RUN cd / && yarn --frozen-lockfile
+# check if this command works
 RUN yarn wsrun -c lint
 
 RUN echo "biggest dirs"
 RUN cd / && du -ha . | sort -r -h | head -n 50 || true
 # show which cache dir is really configured
 RUN yarn cache dir
-# make it so that a non-root user can write to this cache dir.
-RUN chmod -R g+rwx,o+rwx /yarncache
 
+# Allow for a non-root user to write to cache dir as well as to node_modules
+#RUN chmod -R g+rwx,o+rwx /yarncache
+#RUN chmod -R g+rwx,o+rwx /node_modules