Use of gcr.io/bazel-public/bazel:5.2.0 in Cloud Build is more restrictive than released images in marketplace.gcr.io/google/bazel #1395

Closed
tetsuok opened this issue Aug 1, 2022 · 3 comments

Comments

@tetsuok
Contributor

tetsuok commented Aug 1, 2022

Docker image, gcr.io/bazel-public/bazel:5.2.0 (created by bazel/oci/Dockerfile based on #1290) was supposed to be compatible with previously released images in marketplace.gcr.io/google/bazel, but it seems not to be compatible. gcr.io/bazel-public/bazel:5.2.0 runs as a non-root user whereas the previous images run as root. Updating Cloud Build CI pipelines that use the previously released images to gcr.io/bazel-public/bazel:5.2.0 results in permission issues when Bazel tries to create output files under /builder/home/.cache. This requires extra effort from users (see below). I'm wondering whether this repository provides Docker images more compatible with the previously released images so that users of Cloud Build can smoothly update Bazel Docker images to 5.2.0 or newer.

Here is an incomplete list of the extra effort required when using gcr.io/bazel-public/bazel:5.2.0 in Cloud Build:

  • With gcr.io/bazel-public/bazel:5.2.0, users need to run bazel with --output_user_root and --symlink_prefix= (because /workspace is not writable).
  • With gcr.io/bazel-public/bazel:5.2.0, it is more challenging to push Docker images built with Bazel (e.g., container_image rule in rules_docker). It is very tricky to tag built images because gcr.io/bazel-public/bazel:5.2.0 doesn't install docker whereas the previously released images do (we would like to use the Docker command instead of using the container_push rule since it modifies an external resource via bazel run). This limitation suggests invoking the docker command in a different build step such as gcr.io/cloud-builders/docker:latest along with user-defined volumes to persist Bazel outputs, but that's also tricky since creating a user-defined volume under / requires root permission, but gcr.io/bazel-public/bazel:5.2.0 is run as non-root.
@tetsuok
Contributor Author

tetsuok commented Aug 17, 2022

Closing as rules_python 0.11.0 requires Bazel to run as non-root and I figured out how to deal with this in Cloud Build.

@tetsuok tetsuok closed this as completed Aug 17, 2022
@tKe

tKe commented Oct 18, 2022

> Closing as rules_python 0.11.0 requires Bazel to run as non-root and I figured out how to deal with this in Cloud Build.

@tetsuok Are you able to share the workaround for running the non-root image in Cloud Build?

@tetsuok
Contributor Author

tetsuok commented Oct 20, 2022

@tKe unfortunately, nope.
