Skip to content

fix artifact file ownership inside container builds#1846

Open
FredrikHson wants to merge 1 commit into
firecow:masterfrom
FredrikHson:master
Open

fix artifact file ownership inside container builds#1846
FredrikHson wants to merge 1 commit into
firecow:masterfrom
FredrikHson:master

Conversation

@FredrikHson

@FredrikHson FredrikHson commented May 4, 2026
edited by cubic-dev-ai Bot
Loading

Copy link
Copy Markdown

this fixes an issue that occurs when you use an image without root as the user
artifacts being copied into the container as the user outside of the container so changing the artifacts/anything in contained folders will fail due to permission denied
example dockerfile+gitlab-ci.yaml should fail on the dep step without this patch and work after

FROM rockylinux:9
RUN useradd build
USER  build
--- 
build:
  stage: build
  artifacts:
    paths:
      - build
  image:
    name: rockyuser
  script:
    - mkdir -p build/river
    - echo "version=1.0.0" > build/river/release

dep:
  stage: deploy
  dependencies:
    - build
  tags:
    - on-prem
  image:
    name: rockyuser
  script:
    - id -g
    - id -u
    - ls -lah build
    - mkdir -p build/road
    - echo "version=1.1.1" > build/road/release

Summary by cubic

Fixes permission errors in non-root container builds by ensuring artifacts and the project directory are owned by the container user. We detect the image’s UID:GID and apply it when copying files and setting permissions.

  • Bug Fixes
    • Detect UID:GID via id -u:id -g from the job image and reuse it across steps.
    • Chown/chmod the project dir and /tmp in the helper using the detected owner.
    • Copy build files via a tar stream with --owner/--group to ensure correct ownership inside the container.

Written for commit d80d1c6. Summary will update on new commits.

cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 4, 2026
View reviewed changes

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

firecow
firecow reviewed May 9, 2026
View reviewed changes
Comment thread src/job.ts
return Utils.spawn(["rsync", "-a", `${source}/.`, `${this.argv.cwd}/${this.argv.stateDir}/builds/${safeJobName}`]);
}
return Utils.spawn([this.argv.containerExecutable, "cp", `${source}/.`, `${this._containerId}:${this.ciProjectDir}`]);
return Utils.spawn(["sh","-c" , `cd ${source}; tar -cf - . --owner ${this.chownOpt.split(":")[0]} --group ${this.chownOpt.split(":")[1]} | ${this.argv.containerExecutable} cp - ${this._containerId}:${this.ciProjectDir}`]);

@firecow firecow May 9, 2026

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please attach some performance charts. I'm worried this would kill performance in big projects.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@firecow firecow firecow left review comments

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@FredrikHson @firecow