fix(docker): Resolve liburing.so.2 loading error for non-root users

Container failed to start when running as non-root (user 1000:1000) because copied directories had restrictive 770 permissions, likely due to different umask in persistent BuildKit. Non-root users couldn't access /usr/lib to load required dynamic libraries. Adds --chmod=755 to all COPY commands to explicitly set permissions and improves library extraction with robust lddtree processing. Also fixes workflow syntax error and removes docker/** from paths-ignore to ensure Docker changes trigger CI builds.
2025-09-09 19:13:03 +02:00 · 2025-09-07 13:21:58 +01:00 · 2025-09-07 13:21:58 +01:00 · a9c1d165d7
commit a9c1d165d7
parent 1a3107c20a
2 changed files with 23 additions and 16 deletions
--- a/.forgejo/workflows/release-image.yml
+++ b/.forgejo/workflows/release-image.yml
@ -11,7 +11,6 @@ on:
      - ".gitignore"
      - "renovate.json"
      - "pkg/**"
-      - "docker/**"
      - "docs/**"
  push:
    branches:
@ -23,7 +22,6 @@ on:
      - ".gitignore"
      - "renovate.json"
      - "pkg/**"
-      - "docker/**"
      - "docs/**"
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
@ -199,7 +197,7 @@ jobs:
          context: .
          file: "docker/Dockerfile"
          build-args: |
-            GIT_COMMIT_HASH=${{ github.sha }})
+            GIT_COMMIT_HASH=${{ github.sha }}
            GIT_COMMIT_HASH_SHORT=${{ env.COMMIT_SHORT_SHA }}
            GIT_REMOTE_URL=${{github.event.repository.html_url }}
            GIT_REMOTE_COMMIT_URL=${{github.event.head_commit.url }}
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -199,14 +199,23 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
 EOF

 # Extract dynamically linked dependencies
-RUN <<EOF
+RUN <<'DEPS_EOF'
    set -o xtrace
-    mkdir /out/libs
-    mkdir /out/libs-root
+    mkdir /out/libs /out/libs-root
+
+    # Process each binary
    for BINARY in /out/sbin/*; do
-        lddtree "$BINARY" | awk '{print $(NF-0) " " $1}' | sort -u -k 1,1 | awk '{print "install", "-D", $1, (($2 ~ /^\//) ? "/out/libs-root" $2 : "/out/libs/" $2)}' | xargs -I {} sh -c {}
+        if lddtree_output=$(lddtree "$BINARY" 2>/dev/null) && [ -n "$lddtree_output" ]; then
+            echo "$lddtree_output" | awk '{print $(NF-0) " " $1}' | sort -u -k 1,1 | \
+                awk '{dest = ($2 ~ /^\//) ? "/out/libs-root" $2 : "/out/libs/" $2; print "install -D " $1 " " dest}' | \
+                while read cmd; do eval "$cmd"; done
+        fi
    done
-EOF
+
+    # Show what will be copied to runtime
+    echo "=== Libraries being copied to runtime image:"
+    find /out/libs* -type f 2>/dev/null | sort || echo "No libraries found"
+DEPS_EOF

 FROM scratch

@ -215,16 +224,16 @@ WORKDIR /
 # Copy root certs for tls into image
 # You can also mount the certs from the host
 # --volume /etc/ssl/certs:/etc/ssl/certs:ro
-COPY --from=base /etc/ssl/certs /etc/ssl/certs
-
-# Copy our build
-COPY --from=builder /out/sbin/ /sbin/
-# Copy SBOM
-COPY --from=builder /out/sbom/ /sbom/
+COPY --chmod=755 --from=base /etc/ssl/certs /etc/ssl/certs

 # Copy dynamic libraries to root
-COPY --from=builder /out/libs-root/ /
-COPY --from=builder /out/libs/ /usr/lib/
+COPY --chmod=755 --from=builder /out/libs-root/ /
+COPY --chmod=755 --from=builder /out/libs/ /usr/lib/
+
+# Copy our build
+COPY --chmod=755 --from=builder /out/sbin/ /sbin/
+# Copy SBOM
+COPY --chmod=755 --from=builder /out/sbom/ /sbom/

 # Inform linker where to find libraries
 ENV LD_LIBRARY_PATH=/usr/lib