Skip to content

fix(gateway-builder,cli): stage python-executor inside builder container#2727

Merged
Krishanx92 merged 1 commit into
wso2:mainfrom
renuka-fernando:gateway-image-build-rootful-docker-fix
Jul 17, 2026
Merged

fix(gateway-builder,cli): stage python-executor inside builder container#2727
Krishanx92 merged 1 commit into
wso2:mainfrom
renuka-fernando:gateway-image-build-rootful-docker-fix

Conversation

@renuka-fernando

Copy link
Copy Markdown
Contributor

Purpose

Gateway image build fails with permission denied on Linux machines using a rootful Docker daemon. The gateway-builder container runs as root and writes output files owned by root:root into the bind-mounted temp workspace. The CLI then tries to copy python-executor/ into output/gateway-runtime/ on the host — a root-owned directory — and fails.

Resolves #2675

Goals

Move all post-build file staging into the gateway-builder container itself, so the CLI never needs to touch root-owned output files after the container exits.

Approach

  • Add fsutil.CopyDir to the shared gateway-builder/pkg/fsutil package (also eliminates the duplicate private copyDir in policyengine/generator.go)
  • In gateway-builder/cmd/builder/main.go, stage output/python-executor/output/gateway-runtime/python-executor/ inside the container after Dockerfile generation — same pattern already used for build-manifest.yaml into the controller context
  • Remove ensurePythonExecutorInRuntimeContext and ensureBuildLockInControllerContext from the CLI entirely; the CLI no longer touches the output directory after the builder exits
  • Works on all platforms and Docker modes with no OS-level detection

User stories

As a developer using a rootful Docker daemon on Linux, ap gateway image build should complete successfully without permission errors.

Documentation

N/A

Automation tests

  • Unit tests: existing gateway-builder unit tests continue to pass; fsutil.CopyDir follows the same pattern as the existing private copyDir
  • Integration tests: N/A (requires a rootful Docker Linux environment to reproduce)

Security checks

Samples

N/A

Related PRs

N/A

Test environment

  • Linux (Ubuntu) with rootful Docker daemon

When using a rootful Docker daemon on Linux, the gateway-builder
container runs as root and creates output/ files owned by root:root.
The CLI's post-build steps (ensurePythonExecutorInRuntimeContext,
ensureBuildLockInControllerContext) then fail with permission denied
when trying to write into those root-owned directories.

- Move python-executor staging into gateway-builder (main.go) so all
  file operations happen inside the container where root has full access
- Add fsutil.CopyDir to the shared fsutil package (eliminates the
  duplicate private copyDir in policyengine/generator.go)
- Remove ensurePythonExecutorInRuntimeContext and
  ensureBuildLockInControllerContext from the CLI entirely; the CLI
  no longer touches the output directory after the builder exits

Fixes: wso2#2675
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@renuka-fernando, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 39 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a33f5710-08a2-4d88-9c8f-09e8db2127c6

📥 Commits

Reviewing files that changed from the base of the PR and between 90ba4ba and a5bacfa.

📒 Files selected for processing (3)
  • cli/src/internal/gateway/docker_build.go
  • gateway/gateway-builder/cmd/builder/main.go
  • gateway/gateway-builder/pkg/fsutil/path_validation.go
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@Krishanx92
Krishanx92 merged commit a88f7a3 into wso2:main Jul 17, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Gateway image build fails with rooted docker

2 participants