Run snapcraft as non-root (with passwordless sudo)
Bug #1702656 reported by Evan
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
launchpad-buildd | Triaged | High | Unassigned | |
Bug Description
npm, as called by the snapcraft node plugin, creates directories to git clone into as the current user (in this case root), but drops privileges before running git clone. This does not end well:
Preparing to pull hello-node-snap
Pulling hello-node-snap
npm ERR! code 1
npm ERR! Command failed: /usr/bin/git clone --depth=1 -q -b v0.0.6.1 git://github.
npm ERR! /home/buildd/
npm ERR!
Colin suggests we evaluate running snapcraft as non-root with passwordless sudo configured. It is presumed that snapcraft will use sudo for the elevated permissions it needs.
Related branches
lp://staging/~cjwatson/launchpad-buildd/snap-non-root
- William Grant (community): Approve
- Diff: 93 lines (+30/-4) (has conflicts), 2 files modified
  - buildsnap (+20/-4)
  - debian/changelog (+10/-0)
Changed in launchpad-buildd:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Changed in launchpad-buildd:
status: In Progress → Fix Committed
I had to revert this because it broke "type: os" and "type: kernel" builds. Even with some Makefile changes from Oliver to run lb under sudo, the core snap build still failed because snapcraft was unable to stage the result:
make install DESTDIR= /build/ core/parts/ livebuild/ install core/parts/ livebuild/ install/ dev/loop0'
Preparing to build hooks
Building hooks
Staging livebuild
[Errno 13] Permission denied: '/build/
Possible options for a later second attempt:
1) Only run as non-root for "type: app" (or missing) and maybe "type: gadget". (This would require parsing snapcraft.yaml directly in launchpad-buildd, which we've so far been able to avoid doing.)
2) Run "snapcraft stage" and "snapcraft snap" separately, much like we already run "snapcraft pull" separately, and always run them as root.
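The failure in the bug description (directories created by one user, then written to after privileges are dropped) can be checked for before a build step runs. The following is an added example, not code from launchpad-buildd, snapcraft or npm; the function names, the `clone-target` directory and the "owner + 1" dropped identity are constructed for illustration, and the check covers only classic Unix mode bits (no ACLs or capabilities).

```python
import os
import tempfile


def can_create_in(st, uid, gids):
    """Unix owner/group/other check: may `uid` create entries in this directory?

    Needs write+search (0o3). Ignores ACLs and capabilities; uid 0 bypasses."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 0o7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 0o7
    else:
        bits = st.st_mode & 0o7
    return bits & 0o3 == 0o3


def unwritable_dirs(root, uid, gids):
    """Directories under `root` (relative paths) where `uid` cannot create files."""
    blocked = []
    for dirpath, _dirs, _files in os.walk(root):
        if not can_create_in(os.stat(dirpath), uid, gids):
            blocked.append(os.path.relpath(dirpath, root))
    return sorted(blocked)


def demo():
    # Constructed tree: the current user plays the privileged creator, and
    # owner uid/gid + 1 plays the hypothetical dropped-privilege identity.
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "clone-target")
        os.mkdir(target)
        os.chmod(root, 0o755)
        os.chmod(target, 0o755)
        st = os.stat(target)
        dropped_uid, dropped_gids = st.st_uid + 1, {st.st_gid + 1}
        before = unwritable_dirs(root, dropped_uid, dropped_gids)
        as_owner = unwritable_dirs(root, st.st_uid, {st.st_gid})
        os.chmod(target, 0o777)  # stand-in for chown to the dropped user
        after = unwritable_dirs(root, dropped_uid, dropped_gids)
    return before, as_owner, after


if __name__ == "__main__":
    print(demo())
```

The `chmod 0o777` only lets the demo run without root; in a real build tree the equivalent fix is making the directory owned by the identity that will write to it.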