fix(gateway-builder,cli): stage python-executor inside builder container#2727
Conversation
When using a rootful Docker daemon on Linux, the gateway-builder container runs as root and creates output/ files owned by root:root. The CLI's post-build steps (ensurePythonExecutorInRuntimeContext, ensureBuildLockInControllerContext) then fail with permission denied when trying to write into those root-owned directories. - Move python-executor staging into gateway-builder (main.go) so all file operations happen inside the container where root has full access - Add fsutil.CopyDir to the shared fsutil package (eliminates the duplicate private copyDir in policyengine/generator.go) - Remove ensurePythonExecutorInRuntimeContext and ensureBuildLockInControllerContext from the CLI entirely; the CLI no longer touches the output directory after the builder exits Fixes: wso2#2675
|
Warning Review limit reached
Next review available in: 39 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Purpose
Gateway image build fails with
permission deniedon Linux machines using a rootful Docker daemon. The gateway-builder container runs as root and writes output files owned byroot:rootinto the bind-mounted temp workspace. The CLI then tries to copypython-executor/intooutput/gateway-runtime/on the host — a root-owned directory — and fails.Resolves #2675
Goals
Move all post-build file staging into the gateway-builder container itself, so the CLI never needs to touch root-owned output files after the container exits.
Approach
fsutil.CopyDirto the sharedgateway-builder/pkg/fsutilpackage (also eliminates the duplicate privatecopyDirinpolicyengine/generator.go)gateway-builder/cmd/builder/main.go, stageoutput/python-executor/→output/gateway-runtime/python-executor/inside the container after Dockerfile generation — same pattern already used forbuild-manifest.yamlinto the controller contextensurePythonExecutorInRuntimeContextandensureBuildLockInControllerContextfrom the CLI entirely; the CLI no longer touches the output directory after the builder exitsUser stories
As a developer using a rootful Docker daemon on Linux,
ap gateway image buildshould complete successfully without permission errors.Documentation
N/A
Automation tests
fsutil.CopyDirfollows the same pattern as the existing privatecopyDirSecurity checks
Samples
N/A
Related PRs
N/A
Test environment