Skip to content

workflows: add RUN_AS_ROOT to build-go-caches workflow #39763

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 29, 2025
Merged

workflows: add RUN_AS_ROOT to build-go-caches workflow #39763

merged 1 commit into from
May 29, 2025

Conversation

aanm
Copy link
Member

@aanm aanm commented May 28, 2025
edited
Loading

Since we reverse the default for running builder as root we should have
also set the correct value of the env variable in the build-go-caches
workflow as otherwise the builder does not create the golang cache in
the right directory.

Fixes: 9324f9a ("contrib: Reverse default for running builder as root")

@aanm aanm requested a review from a team as a code owner May 28, 2025 09:31
@aanm aanm added the release-note/misc This PR makes changes that have no direct user impact. label May 28, 2025
@aanm aanm requested a review from bimmlerd May 28, 2025 09:31
@aanm aanm enabled auto-merge May 28, 2025 09:31
@aanm
Copy link
Member Author

aanm commented May 28, 2025

/test

bimmlerd
bimmlerd approved these changes May 28, 2025
View reviewed changes
Copy link
Member

@bimmlerd bimmlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙏

@aanm aanm force-pushed the pr/fix-go-lang-caches branch 2 times, most recently from c8e1f8d to 44fe0d7 Compare May 28, 2025 11:59
@aanm aanm requested review from a team as code owners May 28, 2025 11:59
@aanm aanm force-pushed the pr/fix-go-lang-caches branch from 44fe0d7 to 814fec0 Compare May 28, 2025 11:59
@aanm aanm marked this pull request as draft May 28, 2025 12:01
auto-merge was automatically disabled May 28, 2025 12:01

Pull request was converted to draft

@aanm aanm force-pushed the pr/fix-go-lang-caches branch 2 times, most recently from 6c99347 to 50bd8b1 Compare May 28, 2025 12:02
@aanm
workflows: add RUN_AS_ROOT to build-go-caches workflow
18efa4d 
Since we reverse the default for running builder as root we should have
also set the correct value of the env variable in the build-go-caches
workflow as otherwise the builder does not create the golang cache in
the right directory.

Fixes: 9324f9a ("contrib: Reverse default for running builder as root")
Signed-off-by: André Martins <andre@cilium.io>
@aanm aanm force-pushed the pr/fix-go-lang-caches branch from 50bd8b1 to 18efa4d Compare May 28, 2025 12:27
@aanm aanm changed the title contrib/scripts: set golang cache with right path workflows: add RUN_AS_ROOT to build-go-caches workflow May 28, 2025
@aanm aanm removed request for a team, christarazi and tommyp1ckles May 28, 2025 12:28
@aanm aanm marked this pull request as ready for review May 28, 2025 12:28
@aanm aanm enabled auto-merge May 28, 2025 12:28
@aanm
Copy link
Member Author

aanm commented May 28, 2025

/test

@joestringer
Copy link
Member

RUN_AS_ROOT is only used for make run_bpf_tests. Will this cause the tests under bpf/tests to run with a cache but invalidate the cache for other workflows?

@aanm
Copy link
Member Author

aanm commented May 28, 2025

RUN_AS_ROOT is only used for make run_bpf_tests. Will this cause the tests under bpf/tests to run with a cache but invalidate the cache for other workflows?

@joestringer I'm not sure I follow, the tests workflows were not changed. This workflow is only used to generate the golang caches which there's a step further down in the workflow to revert the owner from root.

@joestringer
Copy link
Member

Now I'm confused 😅

The GitHub workflow before this PR:

        env:
          BUILDER_GOCACHE_DIR: "/tmp/.cache/go/.cache/go-build"
          BUILDER_GOMODCACHE_DIR: "/tmp/.cache/go/pkg"

which then invokes contrib/scripts/builder.sh that does:

if [ -z "${RUN_AS_ROOT:-}" ]; then                                                                                                                               
    USER_OPTION="--user $(id -u):$(id -g)"                                                                                                                       
    USER_PATH="$HOME"                                                                                                                                            
fi

...

if [ -n "${BUILDER_GOCACHE_DIR:-}" ]; then                                                                                                                       
    MOUNT_GOCACHE_DIR="-v ${BUILDER_GOCACHE_DIR}:${USER_PATH}/.cache/go-build"                                                                                   
fi

...

if [ -n "${BUILDER_GOMODCACHE_DIR:-}" ]; then                                                                                                                    
    MOUNT_GOMODCACHE_DIR="-v ${BUILDER_GOMODCACHE_DIR}:/go/pkg/mod"                                                                                              
fi

...

docker run --rm \
   $USER_OPTION \
   $MOUNT_GOCACHE_DIR \
   $MOUNT_GOMODCACHE_DIR \
   $MOUNT_CCACHE_DIR \
   ...

So even if the script runs as non-root, I would expect it to respect the specified environment variables and place the relevant files under /tmp/.cache/go. We might not even need the chown because the docker container would be run as the current user by default instead.

@joestringer
Copy link
Member

joestringer commented May 28, 2025
edited
Loading

One slightly fishy thing above is that the BUILDER_GOCACHE_DIR is being mounted into the container based on a path based on the user with a subdirectory under .cache, while the equivalent gomod environment variable BUILDER_GOMODCACHE_DIR mounts under /go/pkg/mod. I'm not sure where the go build would cache by default inside the container when run as non-root 🤔

EDIT: Well, there's an answer:

$ docker run --user $(id -u):$(id -g) \
             $(cat images/cilium/Dockerfile | grep '^ARG CILIUM_BUILDER_IMAGE=' | cut -d '=' -f 2) \
    go env \
  | grep CACHE
GOCACHE='/home/ubuntu/.cache/go-build'
GOCACHEPROG=''
GOMODCACHE='/go/pkg/mod'

(Note that my username on my host is not ubuntu; that is the username for uid=1000 in the builder image)

@joestringer
Copy link
Member

I guess the question I have is, why do we need to run this build as root? I don't see a reason, other than maybe it aligns some directory paths in a better way. But then which directory path is supposed to be different? Maybe we can just fix the directory path or something?

@joestringer
Copy link
Member

Here's my counter-proposal:

diff --git a/contrib/scripts/builder.sh b/contrib/scripts/builder.sh
index b094053dd46a..f26c60118cf8 100755
--- a/contrib/scripts/builder.sh
+++ b/contrib/scripts/builder.sh
@@ -20,7 +20,7 @@ fi
 
 if [ -z "${RUN_AS_ROOT:-}" ]; then
     USER_OPTION="--user $(id -u):$(id -g)"
-    USER_PATH="$HOME"
+    USER_PATH="/home/ubuntu"
 fi
 
 MOUNT_GOCACHE_DIR=""
@@ -44,7 +44,7 @@ fi
 MOUNT_CCACHE_DIR=""
 
 if [ -z "${BUILDER_CCACHE_DIR:-}" ]; then
-    MOUNT_CCACHE_DIR="-v ${USER_PATH}/.ccache:${USER_PATH}/.ccache"
+    MOUNT_CCACHE_DIR="-v ${HOME}/.ccache:${USER_PATH}/.ccache"
 else
     MOUNT_CCACHE_DIR="-v ${BUILDER_CCACHE_DIR}:${USER_PATH}/.ccache"
 fi

@aanm
Copy link
Member Author

aanm commented May 29, 2025

Here's my counter-proposal:

diff --git a/contrib/scripts/builder.sh b/contrib/scripts/builder.sh
index b094053dd46a..f26c60118cf8 100755
--- a/contrib/scripts/builder.sh
+++ b/contrib/scripts/builder.sh
@@ -20,7 +20,7 @@ fi
 
 if [ -z "${RUN_AS_ROOT:-}" ]; then
     USER_OPTION="--user $(id -u):$(id -g)"
-    USER_PATH="$HOME"
+    USER_PATH="/home/ubuntu"
 fi
 
 MOUNT_GOCACHE_DIR=""
@@ -44,7 +44,7 @@ fi
 MOUNT_CCACHE_DIR=""
 
 if [ -z "${BUILDER_CCACHE_DIR:-}" ]; then
-    MOUNT_CCACHE_DIR="-v ${USER_PATH}/.ccache:${USER_PATH}/.ccache"
+    MOUNT_CCACHE_DIR="-v ${HOME}/.ccache:${USER_PATH}/.ccache"
 else
     MOUNT_CCACHE_DIR="-v ${BUILDER_CCACHE_DIR}:${USER_PATH}/.ccache"
 fi

@joestringer I also tried that before but it doesn't work 😅 . It doesn't work because "--user $(id -u):$(id -g)" is translated to "--user 1001:1001" which is caused by the GH runners change from 1000 to 1001. This then prevents the builder image to create / modify the directory /home/ubuntu/"go-cache". That's why we will run it as root so that it can write into that directory regardless of the uid of the GH runners.

@aanm aanm added this pull request to the merge queue May 29, 2025
Merged via the queue into main with commit 85ff028 May 29, 2025
67 checks passed
@aanm aanm deleted the pr/fix-go-lang-caches branch May 29, 2025 15:45
@marseel marseel mentioned this pull request Jun 3, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joestringer joestringer joestringer approved these changes

@bimmlerd bimmlerd bimmlerd approved these changes

Assignees
No one assigned
Labels
release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aanm @joestringer @bimmlerd