From 5bb24235bd88a4800d2bd488ae5a53ad484ef2bb Mon Sep 17 00:00:00 2001
From: SysAdmin
Date: Thu, 7 May 2026 18:32:00 +0100
Subject: [PATCH] fix(linux/build): tolerate find perm-denied in chroot scan (M1.1 iter24)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🎉 Run #4271's Build A actually produced the ISO. derivative-maker ran
clean for 15:24:

  INFO: Script ./derivative-maker completed. Exit Code: 0. Errors Detected: 0. Execution Time: 00:15:24
  '/home/user/derivative-binary/.../Kicksecure-CLI-18.1.7.4-developers-only.Intel_AMD64.iso' -> '/workspace/SilverLABS/SilverMetal/build-a/Kicksecure-CLI-18.1.7.4-developers-only.Intel_AMD64.iso'

…but build-inner.sh then died on its own post-build collection step:

  find: '.../live-build/chroot/usr/src': Permission denied
  find: '.../live-build/chroot/etc/sudoers.d': Permission denied
  find: '.../live-build/chroot/boot': Permission denied
  …

The chroot's standard hardened subdirs (/usr/src, /etc/sudoers.d,
/etc/cron.*, /boot, /root, /run/{sudo,lvm,cryptsetup,openvpn-{client,
server}}, cache/bootstrap/root) are 0700 root-owned because the
live-build chroot was assembled under sudo. As `user` (uid 1000) we
can't descend them. find emits Permission denied on each, exits with
status 1, and `set -euo pipefail` in build-inner.sh propagates that
through `xargs cp` and aborts — even though the ISO copy itself had
already succeeded a few lines earlier in the same xargs stream.

Fix: redirect find's stderr to /dev/null and tolerate non-zero exit on
both the *.iso and *.manifest scans. build.sh already verifies an ISO
landed in BUILD_DIR (exit 4 with "no ISO produced" if not), so a real
miss is still caught — we just stop killing the script for the benign
unreadable-chroot-subdirs case.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 linux/build/scripts/build-inner.sh | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/linux/build/scripts/build-inner.sh b/linux/build/scripts/build-inner.sh index 4e9ab6d..b9bfa7a 100755 --- a/linux/build/scripts/build-inner.sh +++ b/linux/build/scripts/build-inner.sh @@ -116,10 +116,24 @@ cd "${REPO_ROOT}/linux/build/derivative-maker" # (per help-steps/variables: binary_build_folder_dist=$HOMEVAR/derivative-binary), # *not* into the source tree. Collect from there into BUILD_DIR. # Exact upstream output paths can shift between tags — keep this tolerant. -find "${HOME}/derivative-binary" -maxdepth 6 -type f -name "*.iso" -print0 \ - | xargs -0 -I{} cp -av "{}" "${BUILD_DIR}/" +# +# stderr+exit suppression is essential: $HOME/derivative-binary contains +# the live-build chroot, and several of the chroot's own subdirs +# (/usr/src, /etc/sudoers.d, /etc/cron.*, /boot, /root, /run/sudo, +# cache/bootstrap/root, ...) are 0700 root-owned because the chroot +# creation step ran under sudo. As `user` (uid 1000) we can't traverse +# them. find emits "Permission denied" on each and exits non-zero; +# pipefail then kills the entire build script *after* the ISO has +# already been copied — exactly what happened on run #4271 (15:24 +# clean derivative-maker run, ISO produced, build-inner died on this +# pipeline). Suppress and rely on build.sh's host-side +# "no *.iso in BUILD_DIR" check (exit 4) to surface a real miss. +find "${HOME}/derivative-binary" -maxdepth 6 -type f -name "*.iso" \ + -print0 2>/dev/null \ + | xargs -0 -I{} cp -av "{}" "${BUILD_DIR}/" || true # Manifest of file metadata that lives inside the ISO. Useful when # diagnosing reproducibility regressions without re-extracting. -find "${HOME}/derivative-binary" -maxdepth 6 -type f -name "*.manifest" -print0 \ +find "${HOME}/derivative-binary" -maxdepth 6 -type f -name "*.manifest" \ + -print0 2>/dev/null \ | xargs -0 -I{} cp -av "{}" "${BUILD_DIR}/" 2>/dev/null || true
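Review bot: The `|| true` added to the `*.iso` pipeline masks more than find's exit status: it also swallows a failing `xargs`/`cp` (for example a full or unwritable `${BUILD_DIR}`), so a truncated ISO left behind by a failed copy would still satisfy the "no *.iso in BUILD_DIR" existence check that the new comment relies on. Scope the tolerance to find alone, for instance by pruning unreadable directories with GNU find's `\( ! -readable -prune \) -o` ahead of the `-type f -name "*.iso" -print0` tests, or by collecting find's NUL-separated output into a temporary file with `|| true` and then running `xargs -0 -I{} cp -av` without it, so copy errors stay fatal under `set -euo pipefail`. The blanket `2>/dev/null` on both find calls also hides a missing `${HOME}/derivative-binary`; a `[ -d "${HOME}/derivative-binary" ]` guard before the scans would keep that diagnostic while still silencing the "Permission denied" noise.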