fix(assemble): handle root for each entry

`assemble` command cannot be executed as root. Instead, each item can
either be processed by a rootful or rootless container manager.

Author: balanza

internal/cli/assemble.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/urfave/cli/v3"
 
+	"github.com/89luca89/distrobox/internal/rootful"
 	"github.com/89luca89/distrobox/pkg/commands"
 	"github.com/89luca89/distrobox/pkg/config"
 	"github.com/89luca89/distrobox/pkg/containermanager"
@@ -98,6 +99,16 @@ func assembleAction(ctx context.Context, cmd *cli.Command, cfg *config.Values, d
 		return fmt.Errorf("failed to parse manifest file: %w", err)
 	}
 
+	// if at least one item in the manifest requires root, validate sudo before proceeding
+	for _, item := range manifest {
+		if item.Root {
+			if err := rootful.Validate(ctx); err != nil {
+				return fmt.Errorf("cannot run in root mode: %w", err)
+			}
+			break
+		}
+	}
+
 	opts := commands.AssembleOptions{
 		Items:   manifest,
 		Boxname: cmd.String("name"),

internal/cli/root.go

@@ -56,53 +56,60 @@ func printInvalidContainerManager(p *ui.Printer, containerManagerType string) {
 }
 
 func subcommands(cfg *config.Values) []*cli.Command {
-	return []*cli.Command{
-		composeCommand(
-			newListCommand,
-			withRoot,
-			withContainerManager,
-		)(cfg),
-		composeCommand(
-			newGenerateEntryCommand,
-			withRoot,
-			withContainerManager,
-		)(cfg),
-		composeCommand(
-			newCreateCommand,
-			withRoot,
-			withContainerManager,
-		)(cfg),
-		composeCommand(
-			newEnterCommand,
-			withRoot,
-			withContainerManager,
-		)(cfg),
-		composeCommand(
-			newAssembleCommand,
-			withRootSupport,
-			withContainerManager,
-		)(cfg),
-		composeCommand(
-			newRmCommand,
-			withRoot,
-			withContainerManager,
-		)(cfg),
-		composeCommand(
-			newStopCommand,
-			withRoot,
-			withContainerManager,
-		)(cfg),
-		composeCommand(
-			newEphemeralCommand,
-			withRoot,
-			withContainerManager,
-		)(cfg),
-		composeCommand(newUpgradeCommand,
-			withRoot,
-			withContainerManager,
-		)(cfg),
-	}
-}
+	cc := &CommandComposer[config.Values]{cfg: cfg}
+
+	list := cc.apply(
+		newListCommand,
+		withRoot,
+		withContainerManager,
+	)
+
+	generateEntry := cc.apply(
+		newGenerateEntryCommand,
+		withRoot,
+		withContainerManager,
+	)
+
+	create := cc.apply(
+		newCreateCommand,
+		withRoot,
+		withContainerManager,
+	)
+
+	enter := cc.apply(
+		newEnterCommand,
+		withRoot,
+		withContainerManager,
+	)
+
+	assemble := cc.apply(
+		newAssembleCommand,
+		withContainerManager,
+	)
+
+	rm := cc.apply(
+		newRmCommand,
+		withRoot,
+		withContainerManager,
+	)
+
+	stop := cc.apply(
+		newStopCommand,
+		withRoot,
+		withContainerManager,
+	)
+
+	ephemeral := cc.apply(
+		newEphemeralCommand,
+		withRoot,
+		withContainerManager,
+	)
+
+	upgrade := cc.apply(
+		newUpgradeCommand,
+		withRoot,
+		withContainerManager,
+	)
 
 	return []*cli.Command{
 		list,

pkg/commands/assemble.go

@@ -28,12 +28,14 @@ type AssembleOptions struct {
 }
 
 type AssembleCommand struct {
-	cfg              *config.Values
-	containermanager containermanager.ContainerManager
-	createCmd        *CreateCommand
-	rmCmd            *RmCommand
-	enterCmd         *EnterCommand
-	progress         *ui.Progress
+	cfg           *config.Values
+	createCmd     *CreateCommand
+	rmCmd         *RmCommand
+	enterCmd      *EnterCommand
+	createCmdRoot *CreateCommand
+	rmCmdRoot     *RmCommand
+	enterCmdRoot  *EnterCommand
+	progress      *ui.Progress
 }
 
 func NewAssembleCommand(
@@ -43,13 +45,16 @@ func NewAssembleCommand(
 	progress *ui.Progress,
 	printer *ui.Printer,
 ) *AssembleCommand {
+	cmRoot := cm.CloneAsRoot()
 	return &AssembleCommand{
-		cfg:              cfg,
-		containermanager: cm,
-		createCmd:        NewCreateCommand(cfg, cm, ui.NewDevNullProgress(), prompter),
-		rmCmd:            NewRmCommand(cfg, cm, prompter),
-		enterCmd:         NewEnterCommand(cfg, cm, progress, printer),
-		progress:         progress,
+		cfg:           cfg,
+		createCmd:     NewCreateCommand(cfg, cm, ui.NewDevNullProgress(), prompter),
+		rmCmd:         NewRmCommand(cfg, cm, prompter),
+		enterCmd:      NewEnterCommand(cfg, cm, progress, printer),
+		createCmdRoot: NewCreateCommand(cfg, cmRoot, ui.NewDevNullProgress(), prompter),
+		rmCmdRoot:     NewRmCommand(cfg, cmRoot, prompter),
+		enterCmdRoot:  NewEnterCommand(cfg, cmRoot, progress, printer),
+		progress:      progress,
 	}
 }
 
@@ -97,7 +102,12 @@ func (ac *AssembleCommand) deleteItem(ctx context.Context, item manifest.Item, d
 		ContainerNames: []string{item.Name},
 	}
 
-	_, err := ac.rmCmd.Execute(ctx, opts)
+	rmCmd := ac.rmCmd
+	if item.Root {
+		rmCmd = ac.rmCmdRoot
+	}
+
+	_, err := rmCmd.Execute(ctx, opts)
 	if err != nil {
 		ac.progress.Fail()
 		return fmt.Errorf("failed to execute delete item '%s': %w", item.Name, err)
@@ -142,7 +152,11 @@ func (ac *AssembleCommand) createItem(ctx context.Context, item manifest.Item, d
 		ContainerAlwaysPull:     item.AlwaysPull,
 	}
 
-	_, err := ac.createCmd.Execute(ctx, opts)
+	createCmd := ac.createCmd
+	if item.Root {
+		createCmd = ac.createCmdRoot
+	}
+	_, err := createCmd.Execute(ctx, opts)
 	if err != nil {
 		ac.progress.Fail()
 		return err
@@ -183,8 +197,12 @@ func (ac *AssembleCommand) joinHooks(hooks []string) string {
 }
 
 func (ac *AssembleCommand) setupBox(ctx context.Context, item manifest.Item) error {
+	enterCmd := ac.enterCmd
+	if item.Root {
+		enterCmd = ac.enterCmdRoot
+	}
 	if item.StartNow {
-		_, err := ac.enterCmd.Execute(ctx, EnterOptions{
+		_, err := enterCmd.Execute(ctx, EnterOptions{
 			ContainerName: item.Name,
 			NoTTY:         true,
 			CustomCommand: []string{"true"}, // we just want to run the init hooks, so we can skip the shell
@@ -203,7 +221,7 @@ func (ac *AssembleCommand) setupBox(ctx context.Context, item manifest.Item) err
 		}
 	}
 	for _, app := range item.ExportedApps {
-		_, err := ac.enterCmd.Execute(ctx, EnterOptions{
+		_, err := enterCmd.Execute(ctx, EnterOptions{
 			ContainerName: item.Name,
 			NoTTY:         true,
 			CustomCommand: []string{"distrobox-export", "--app", app},
@@ -226,7 +244,7 @@ func (ac *AssembleCommand) setupBox(ctx context.Context, item manifest.Item) err
 		}
 	}
 	for _, bin := range item.ExportedBins {
-		_, err := ac.enterCmd.Execute(ctx, EnterOptions{
+		_, err := enterCmd.Execute(ctx, EnterOptions{
 			ContainerName: item.Name,
 			NoTTY:         true,
 			CustomCommand: []string{"distrobox-export", "--bin", bin, "--export-path", item.ExportedBinsPath},

pkg/commands/assemble_test.go

@@ -190,6 +190,53 @@ func TestAssembleCommand_SetupBox_ExportedBins_Invalid(t *testing.T) {
 	}
 }
 
+func TestAssembleCommand_RoutesCreateAndSetupByItemRoot(t *testing.T) {
+	mock := &testutil.MockContainerManager{}
+	cmd := newTestAssembleCommand(mock)
+
+	require.NotNil(t, mock.RootClone, "AssembleCommand constructor should call CloneAsRoot")
+
+	err := cmd.Execute(context.Background(), commands.AssembleOptions{
+		Items: []manifest.Item{
+			{Name: "rootless-box", Image: "ubuntu:latest", Root: false, StartNow: true},
+			{Name: "rootful-box", Image: "ubuntu:latest", Root: true, StartNow: true},
+		},
+	})
+	require.NoError(t, err)
+
+	require.Len(t, mock.Spy.Create, 1, "rootless mock should receive exactly one Create")
+	createOpts := mock.Spy.Create[0][0].(containermanager.CreateOptions)
+	assert.Equal(t, "rootless-box", createOpts.ContainerName)
+
+	require.Len(t, mock.RootClone.Spy.Create, 1, "root mock should receive exactly one Create")
+	createOptsRoot := mock.RootClone.Spy.Create[0][0].(containermanager.CreateOptions)
+	assert.Equal(t, "rootful-box", createOptsRoot.ContainerName)
+
+	require.Len(t, mock.Spy.Enter, 1, "rootless mock should receive exactly one Enter (StartNow)")
+	assert.Equal(t, "rootless-box", getEnterOptions(mock.Spy, 0).ContainerName)
+
+	require.Len(t, mock.RootClone.Spy.Enter, 1, "root mock should receive exactly one Enter (StartNow)")
+	assert.Equal(t, "rootful-box", getEnterOptions(mock.RootClone.Spy, 0).ContainerName)
+}
+
+func TestAssembleCommand_RootlessOnlyManifest_DoesNotInvokeRootMock(t *testing.T) {
+	mock := &testutil.MockContainerManager{}
+	cmd := newTestAssembleCommand(mock)
+
+	err := cmd.Execute(context.Background(), commands.AssembleOptions{
+		Items: []manifest.Item{
+			{Name: "a", Image: "ubuntu:latest", Root: false},
+			{Name: "b", Image: "ubuntu:latest", Root: false},
+		},
+	})
+	require.NoError(t, err)
+
+	assert.Len(t, mock.Spy.Create, 2)
+	require.NotNil(t, mock.RootClone, "constructor still calls CloneAsRoot eagerly")
+	assert.Empty(t, mock.RootClone.Spy.Create, "root mock should not receive Create for rootless items")
+	assert.Empty(t, mock.RootClone.Spy.Enter, "root mock should not receive Enter for rootless items")
+}
+
 func TestAssembleCommand_SetupBox_ExportedBins_InvalidExportPath(t *testing.T) {
 	invalidPaths := []string{
 		"",

pkg/containermanager/containermanager.go

@@ -86,6 +86,9 @@ type ContainerManagerType string
 
 type ContainerManager interface {
 	Name() string
+	// CloneAsRoot returns a copy of the manager configured to run in root
+	// mode. The original instance is not modified.
+	CloneAsRoot() ContainerManager
 	Enter(ctx context.Context, options EnterOptions, progress *ui.Progress, printer *ui.Printer) error
 	ListContainers(ctx context.Context) ([]Container, error)
 	Create(ctx context.Context, opts CreateOptions) error

pkg/containermanager/providers/clone_internal_test.go

@@ -0,0 +1,70 @@
+package providers
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPodman_CloneAsRoot_PreservesFieldsAndFlipsRoot(t *testing.T) {
+	original := newPodman(podmanCommandPodman, false, "doas", true)
+
+	cloned := original.CloneAsRoot()
+
+	require.NotSame(t, original, cloned, "expected a fresh instance")
+
+	clone, ok := cloned.(*Podman)
+	require.True(t, ok, "expected *Podman, got %T", cloned)
+
+	assert.True(t, clone.root, "clone should be in root mode")
+	assert.Equal(t, original.command, clone.command)
+	assert.Equal(t, original.sudoCommand, clone.sudoCommand)
+	assert.Equal(t, original.verbose, clone.verbose)
+
+	assert.False(t, original.root, "original should remain non-root")
+}
+
+func TestPodman_CloneAsRoot_AlreadyRootStillReturnsCopy(t *testing.T) {
+	original := newPodman(podmanCommandLauncher, true, "sudo", false)
+
+	cloned := original.CloneAsRoot()
+
+	require.NotSame(t, original, cloned)
+
+	clone, ok := cloned.(*Podman)
+	require.True(t, ok)
+
+	assert.True(t, clone.root)
+	assert.Equal(t, podmanCommandLauncher, clone.command)
+}
+
+func TestDocker_CloneAsRoot_PreservesFieldsAndFlipsRoot(t *testing.T) {
+	original := NewDocker(false, "doas", true)
+
+	cloned := original.CloneAsRoot()
+
+	require.NotSame(t, original, cloned, "expected a fresh instance")
+
+	clone, ok := cloned.(*Docker)
+	require.True(t, ok, "expected *Docker, got %T", cloned)
+
+	assert.True(t, clone.root, "clone should be in root mode")
+	assert.Equal(t, original.sudoCommand, clone.sudoCommand)
+	assert.Equal(t, original.verbose, clone.verbose)
+
+	assert.False(t, original.root, "original should remain non-root")
+}
+
+func TestDocker_CloneAsRoot_AlreadyRootStillReturnsCopy(t *testing.T) {
+	original := NewDocker(true, "sudo", false)
+
+	cloned := original.CloneAsRoot()
+
+	require.NotSame(t, original, cloned)
+
+	clone, ok := cloned.(*Docker)
+	require.True(t, ok)
+
+	assert.True(t, clone.root)
+}

pkg/containermanager/providers/docker.go

@@ -36,6 +36,12 @@ func NewDocker(root bool, sudoCommand string, verbose bool) *Docker {
 	}
 }
 
+func (d *Docker) CloneAsRoot() containermanager.ContainerManager {
+	cp := *d
+	cp.root = true
+	return &cp
+}
+
 func (d *Docker) Name() string {
 	return "docker"
 }

pkg/containermanager/providers/podman.go

@@ -54,6 +54,12 @@ func NewPodmanLauncher(root bool, sudoCommand string, verbose bool) *Podman {
 	return newPodman(podmanCommandLauncher, root, sudoCommand, verbose)
 }
 
+func (p *Podman) CloneAsRoot() containermanager.ContainerManager {
+	cp := *p
+	cp.root = true
+	return &cp
+}
+
 func (p *Podman) Name() string {
 	return string(p.command)
 }