Regression in native build container user handling and new warnings in Quarkus 3.25.0 (Docker-in-Docker CI) #49431
Description
Describe the bug
🐞 Title:
Regression in native build container user handling and new warnings in Quarkus 3.25.0 (Docker-in-Docker CI)
📄 Description:
Since upgrading to Quarkus 3.25.0, native image builds using Docker-in-Docker (DinD) in a CI environment no longer work due to missing --user option in the docker run command.
This worked perfectly in Quarkus 3.24.5, where the native build command included:
In 3.25.0, the same command is now missing the --user flag, resulting in:
Fatal error: jdk.vm.ci.common.JVMCIError: java.nio.file.AccessDeniedException: /project/svm_err_*.md
🧪 Environment:
CI: GitLab CI
OS: Ubuntu-based Docker-in-Docker
Builder image: quarkus/ubi-quarkus-graalvmce-builder-image:jdk-21
UID/GID inside CI container: 645:1000
Native build target: static, musl, x86_64
🔍 Investigation:
The issue appears to originate from this commit: 🔗 1e04d63
It introduces automatic UID/GID detection via getLinuxID() in LinuxIDUtil.java, which injects --user into the Docker command only if UID/GID are detected.
However, in Docker-in-Docker environments, this detection may fail or return incorrect values, and there is no way to override or disable it.
Attempts to use the following properties had no effect:
I)
[INFO] [com.example.retry.pattern.deployment.RetryPatternRabbitMqProcessor] Implementation class for com.example.basem.retry.pattern.rabbitmq.interfaces.BasemRabbitMessageBuilderInterface not found in configuration : using default : com.example.basem.retry.pattern.rabbitmq.defaultimpl.BaseMRabbitMessageBuilderDefault
[WARNING] [io.smallrye.common.process] SRCOM05000: Command docker (pid 143) completed but logged errors:
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
II)
[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildContainerRunner] Using docker to run the native image builder
[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildContainerRunner] Checking status of builder image 'custom-builder-image:24.10.2'
[WARNING] [io.smallrye.common.process] SRCOM05000: Command docker (pid 184) completed but logged errors:
"docker image inspect" requires at least 1 argument.
See 'docker image inspect --help'.
Usage: docker image inspect [OPTIONS] IMAGE [IMAGE...]
Display detailed information on one or more images
These warnings did not appear in Quarkus 3.24.5 and may indicate changes in how Docker commands are handled or logged.
🧩 Workaround:
Rollback to Quarkus 3.24.5, where the --user option was correctly injected and native builds succeed.
Expected behavior
Allow overriding the --user option via a documented property.
Provide a way to disable automatic UID/GID injection entirely.
Clarify or suppress new warnings if they are not actionable.
Actual behavior
In 3.25.0, the same command is now missing the --user flag, resulting in:
Fatal error: jdk.vm.ci.common.JVMCIError: java.nio.file.AccessDeniedException: /project/svm_err_*.md
How to Reproduce?
🧪 Environment:
CI: GitLab CI
OS: Ubuntu-based Docker-in-Docker
Builder image: quarkus/ubi-quarkus-graalvmce-builder-image:jdk-21
UID/GID inside CI container: 645:1000
Native build target: static, musl, x86_64
Output of uname -a or ver
No response
Output of java -version
21
Mandrel or GraalVM version (if different from Java)
quarkus/ubi-quarkus-graalvmce-builder-image:jdk-21
Quarkus version or git rev
3.25.0
Build tool (ie. output of mvnw --version or gradlew --version)
maven
Additional information
🔍 Investigation:
The issue appears to originate from this commit: 🔗 1e04d63
🧩 Workaround:
Rollback to Quarkus 3.24.5, where the --user option was correctly injected and native builds succeed.