Skip to content

Don't force image builder to clean-in-docker #830

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Don't force image builder to clean-in-docker #830

wants to merge 1 commit into from

Conversation

Kern--
Copy link
Contributor

@Kern-- Kern-- commented Jul 31, 2025
edited
Loading

Issue #, if available:

Description of changes:

FCCD's `make clean` used to call `make clean-in-docker` for the image
builder. The image builder builds a docker image if necessary, then
mounts all the directories and calls clean. This is because some of the
resources were built in docker which may be owned by root.

On the buildkite runners, make clean is run as root because some of the
subdirectores need root permission to clean appropriately. This was causing
docker to build an image and to create a buildkit lock as root which caused
subsequent steps in the pipeline to fail if they tried to build a container
as non-root.

The solution here is to call the image builder's regular clean target
which will directly delete resources if it is root, otherwise it will
call clean-in-docker. Thist way, the clean will not need to create a
container to do the cleanup and will not create a lock as root.

An alternative would be to go through all the subdirectories' clean
targets to make sure they have an equivalent clean-in-docker that is
only run if the clean target is run as root. This would be a good follow
up once tests are passing again.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@Kern-- Kern-- requested a review from a team as a code owner July 31, 2025 22:23
@Kern-- Kern-- changed the title Run buildkite clean as non-root Don't force image builder to clean-in-docker Aug 1, 2025
@Kern--
Don't force image builder to clean-in-docker
8722f6c 
FCCD's `make clean` used to call `make clean-in-docker` for the image
builder. The image builder builds a docker image if necessary, then
mounts all the directories and calls clean. This is because some of the
resources were built in docker which may be owned by root.

On the buildkite runners, make clean is run as root because some of the
subdirectores need root permission to clean appropriately. This was causing
docker to build an image and to create a buildkit lock as root which caused
subsequent steps in the pipeline to fail if they tried to build a container
as non-root.

The solution here is to call the image builder's regular clean target
which will directly delete resources if it is root, otherwise it will
call clean-in-docker. Thist way, the clean will not need to create a
container to do the cleanup and will not create a lock as root.

An alternative would be to go through all the subdirectories' clean
targets to make sure they have an equivalent clean-in-docker that is
only run if the clean target is run as root. This would be a good follow
up once tests are passing again.

Signed-off-by: Kern Walster <walster@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sondavidb sondavidb sondavidb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Kern-- @sondavidb