ghcr.io/cross-rs/cross does not work when container runs with `--user` option

[AndreyMZ]

Checklist

• I've looked through the issues and pull requests for similar reports

Describe your issue

The documentation suggests to run cross from inside a container like so:

docker run -v /var/run/docker.sock:/var/run/docker.sock -v .:/project -w /project my/development-image:tag cross build --target mips64-unknown-linux-gnuabi64

In general, this is wrong, because the container started from the my/development-image may run on behalf of a user different from the owner of the files in .. Usually, it runs on behalf of root. For example, ghcr.io/cross-rs/cross runs on behalf of root. This results in wrong ownership of files generated by cross (./target/**).

A proper way to run such tools is to use the --user option:

1. Pass the current user.
2. Pass the docker group to allow communicating via /var/run/docker.sock (which is readable and writable by root:docker).

But this does not work with ghcr.io/cross-rs/cross. See the detail below.

What target(s) are you cross-compiling for?

No response

Which operating system is the host (e.g computer cross is on) running?

• macOS
• Windows
• Linux / BSD
• other OS (specify in description)

What architecture is the host?

• x86_64 / AMD64
• arm32
• arm64 (including Mac M1)

What container engine is cross using?

• docker
• podman
• other container engine (specify in description)

cross version

cross 0.2.5

Example

useradd appuser --create-home --groups docker --shell /bin/bash
su appuser --login

curl https://sh.rustup.rs -sSf | sh -s -- -y # See <https://rust-lang.github.io/rustup/installation/other.html>.
cargo new hello_world --bin
cd hello_world/

docker run \
	-v /var/run/docker.sock:/var/run/docker.sock:rw \
	-v /etc/passwd:/etc/passwd:ro \
	-v /etc/group:/etc/group:ro   \
	-v .:/app:rw -w /app          \
	--user "$(id -u):$(getent group docker | cut -d: -f3)" \
	-it ghcr.io/cross-rs/cross:edge cross build

Actual result

appuser@ip-10-69-41-133:~/hello_world$ docker run \
        -v /var/run/docker.sock:/var/run/docker.sock:rw \
        -v /etc/passwd:/etc/passwd:ro \
        -v /etc/group:/etc/group:ro   \
        -v .:/app:rw -w /app          \
        --user "$(id -u):$(getent group docker | cut -d: -f3)" \
        -it ghcr.io/cross-rs/cross:edge cross build
Error:
   0: could not execute `rustc --print target-list`
   1: Permission denied (os error 13)

Expected result

No such error.

Additional information / notes

Root cause

• cross/docker/Dockerfile.cross

  Line 5 in 3bfc6d5

  RUN /cross.sh /project

• cross/docker/cross.sh

  Line 15 in 3bfc6d5

  curl --proto "=https" --tlsv1.2 --retry 3 -sSfL https://sh.rustup.rs | sh -s -- -y

Rust is installed into /root/.cargo/bin/:

$ docker run -it ghcr.io/cross-rs/cross:edge which rustc
/root/.cargo/bin/rustc

Possible solution

1. Install Rust into some world-readable location on building ghcr.io/cross-rs/cross using the environment variables RUSTUP_HOME and CARGO_HOME. See https://rust-lang.github.io/rustup/installation/index.html#choosing-where-to-install.
2. Propose the proper docker run ... command in the documentation about "Docker in Docker".

Additional information

The official Docker image rust does not have such problem:

appuser@ip-10-69-41-133:~/hello_world$ docker run \
        -v /var/run/docker.sock:/var/run/docker.sock:rw \
        -v /etc/passwd:/etc/passwd:ro \
        -v /etc/group:/etc/group:ro   \
        -v .:/app:rw -w /app          \
        --user "$(id -u):$(getent group docker | cut -d: -f3)" \
        -it rust:latest rustc --version
rustc 1.72.1 (d5c2e9c34 2023-09-13)

because Rust is installed into /usr/local/cargo/bin:

$ docker run -it rust:latest which rustc
/usr/local/cargo/bin/rustc

[thoongnv]

I seem to have encountered this same problem, getting permission denied on reading files under /home/runner/ with the below command on CI ubuntu-latest image.

cross test --target aarch64-unknown-linux-gnu -- --nocapture