When running CI locally with src/ci/docker/run.sh bootstrap can't access git history, requires a local LLVM build

[saethlin]

I have this totally normal config:

[llvm]
assertions = true
download-ci-llvm = true

Then I want to run

bash src/ci/docker/run.sh --dev x86_64-gnu-llvm-16

Then inside the container,

../x test tests/debuginfo

Bootstrap is compiled, but then emits this:

error: could not find commit hash for downloading LLVM
HELP: maybe your repository history is too shallow?
HELP: consider disabling `download-ci-llvm`
HELP: or fetch enough history to include one upstream commit
thread 'main' panicked at src/core/build_steps/llvm.rs:171:9:
explicit panic
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Build completed unsuccessfully in 0:00:12

My repository history is not too shallow. The only way to use the CI scripts seems to be to set download-ci-llvm = false.

The reason download-ci-llvm doesn't work seems to be the ownership of the mount:

root@55b05415ad9e:/checkout/obj# git log -n1
fatal: detected dubious ownership in repository at '/checkout'
To add an exception for this directory, call:

	git config --global --add safe.directory /checkout

So maybe this is an easy fix? Can we just run that somewhere? It seems to work, I'm just not sure where it would be run.

[bjorn3]

That script should set the uid of the processes inside the container to match what you use outside of the container and thus who owns the source repo:

rust/src/ci/docker/run.sh

Lines 238 to 245 in 9d49eb7

	if [[ "$id" != 0 && "$(docker version)" =~ Podman ]]; then
	# Rootless podman creates a separate user namespace, where an inner
	# LOCAL_USER_ID will map to a different subuid range on the host.
	# The "keep-id" mode maps the current UID directly into the container.
	args="$args --env NO_CHANGE_USER=1 --userns=keep-id"
	else
	args="$args --env LOCAL_USER_ID=$id"
	fi

If you use podman, are you maybe using a version of podman which doesn't contain the literal string Podman in docker version? And can you run id outside and inside the container?

[saethlin]

I am not using Podman

[saethlin]

Outside the container:

uid=1000(ben) gid=1000(ben) groups=1000(ben),973(docker),993(input),995(audio),998(wheel)

After ./src/ci/docker/run.sh --dev x86_64-gnu-llvm-16

uid=0(root) gid=0(root) groups=0(root)

[onur-ozkan]

I assume this is related with your docker privileges (the user group assigned on docker). Can't reproduce this on my side.

[saethlin]

That seems reasonable? What should that be instead?

[onur-ozkan]

#119165 should be able to handle this

[saethlin]

That's very nice of you, but if I have a scuffed Docker setup on my dev machine I'd like to know in what way it's scuffed if you don't mind 😅

[onur-ozkan]

By default, docker runs under root mode, and I believe this is the main issue here. On the other hand, podman runs in rootless mode by default:

ubuntu@1b5e08672118:/checkout/obj$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)

I was able to reproduce the problem by running podman under root privileges. I believe the problem here is more related to the nature of docker rather than an issue with your docker setup.

[bjorn3]

The snippet I mentioned in #118930 (comment) should ensure that the programs inside the container run as the same user as the one with which src/ci/docker/run.sh was invoked.

[onur-ozkan]

The snippet I mentioned in #118930 (comment) should ensure that the programs inside the container run as the same user as the one with which src/ci/docker/run.sh was invoked.

And when the user is root (e.g., running the script with root user), you get fatal: detected dubious ownership in repository at '/checkout'.