Avoiding permission denied while building with CI docker image

[gchamp20]

Title: Permission denied while building with CI docker image

Description:
Hi,

As reported in #32505 and #36548, I have also hit the "permission denied" error.

$ git rev-parse HEAD
b18b993eafa929b741964b5146138671784338ea
$ ./ci/run_envoy_docker.sh './ci/do_ci.sh dev'
chown: changing ownership of '/build': Permission denied
bash: line 0: cd: /source: Permission denied

I couldn't find an issue still open regarding this and I wanted to share the solution I've used to fix it. Feel free to close if this solution was already posted or should be discussed elsewhere.

The TLDR: the issue appears to be SELinux, it can be avoided by mounting the dirs shared with the container with :Z:

diff --git a/ci/docker-compose.yml b/ci/docker-compose.yml
index e87b6d0d6a..4e4a05bd02 100644
--- a/ci/docker-compose.yml
+++ b/ci/docker-compose.yml
@@ -108,7 +108,7 @@ services:
     privileged: true
     <<: *envoy-build-base
     volumes:
-    - ${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}:/build
-    - ${SOURCE_DIR:-..}:/source
+    - ${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}:/build:Z
+    - ${SOURCE_DIR:-..}:/source:z
     - /var/run/docker.sock:/var/run/docker.sock
     - ${SHARED_TMP_DIR:-/tmp/bazel-shared}:${SHARED_TMP_DIR:-/tmp/bazel-shared}

With the above, the build starts as expected.

#32505 and #36548 both used distros with SELinux enabled by default (Centos and rocky linux). I use Fedora.

Having to add either :Z or :z when mounting host directories on a container when SELinux is enabled is documented in the docker manual: https://docs.docker.com/engine/storage/bind-mounts/#configure-the-selinux-label. This blog post details the implication of using those parameters: https://developers.redhat.com/articles/2025/04/11/my-advice-selinux-container-labeling.

Mounting a directory with :Z changes the SELinux labels on the host directly. As such, after running running the docker container my envoy source directory has a different SELInux labeling:

$ mkdir normal-directory
$  ls -Z
system_u:object_r:container_file_t:s0:c617,c751 envoy             unconfined_u:object_r:user_home_t:s0 normal-directory

The build directory created in /tmp has the same labeling. For my setup, this is a non issue.

I'm wondering if there would be a way to fix this in the build scripts. I'm not sure :Z could be added directly in docker-compose.yml as it appears to be only useful when SELinux is used and it might have security implications (? i'm honestly not familiar at all with SELinux).

If there's something I can modify to fix it for others, i'd be happy to send a PR.

[wbpcode]

cc @phlax could you take a quick check to that? I am also not sure whether the :z/:Z will bring some more side effect or not?

[phlax]

hmm - yeah - im kinda reluctant to add :z/:Z as default - its ~destructive if mostly harmless

@gchamp20 how about adding a var like ${MOUNT_LABEL:-} to the mount lines?

another option would be to pre-label the target dir i think