fix(linux/build): valid_volumes takes source paths, not bind specs (M1.1 iter19)
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / builder-image (push) Failing after 1s
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Has been skipped

Run #4266 dropped the /root/.docker bind silently:

    Custom container.HostConfig from options ==> &{Binds:[/root/.docker:/root/.docker:ro]…}
    [/root/.docker] is not a valid volume, will be ignored
    Merged container.HostConfig ==> &{Binds:[/var/run/docker.sock:/var/run/docker.sock /root/.docker:/root/.docker:ro]…}
    no basic auth credentials

Wait, the merged binds list does include /root/.docker — but the line
between them, "[/root/.docker] is not a valid volume, will be ignored",
fires *during* the merge step's allowlist check, and the bind ends up
absent in the actual container start (the `Binds:` list shown is
pre-filter). Net result: the registry creds are not in the job
container, push fails.

Root cause: container.valid_volumes is an allowlist of source-path
globs, not full bind specs. The entry
`/root/.docker:/root/.docker:ro` was being treated as a literal pattern
and never matched the bind's source `/root/.docker`. Same for the
other two entries — they were just no-ops because the auto-mount /
explicit options were the things actually creating the binds.

Fix: rewrite valid_volumes entries as bare source paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 17:51:17 +01:00
parent c205139e86
commit ced77e305f

@@ -15,10 +15,16 @@ runner:
container:
network: host
privileged: true # required: live-build needs loop devices + chroot
# `valid_volumes` is an allowlist of **source paths** (globs), not full
# bind specs. Listing "/root/.docker:/root/.docker:ro" here makes the
# runner silently drop the bind from container.options with
# "[/root/.docker] is not a valid volume, will be ignored" — because
# the literal pattern "/root/.docker:/root/.docker:ro" doesn't match
# the bind source "/root/.docker". Source paths only:
valid_volumes:
- "/cache:/cache"
- "/var/run/docker.sock:/var/run/docker.sock"
- "/root/.docker:/root/.docker:ro"
- /cache
- /var/run/docker.sock
- /root/.docker
# `options` is applied on top of act_runner's default per-job-container
# docker run args. /var/run/docker.sock is auto-mounted by act_runner
# already; listing it here a second time triggers
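Review bot: the new `- /root/.docker` entry under `valid_volumes` allows the registry-credentials directory by source path only, so the `:ro` that the old entry spelled out is no longer stated anywhere in the allowlist and has to be carried by the bind in `options`. Since the new comment already explains that the allowlist matches source paths and not bind specs, add a line there saying the read-only mode lives in `options`, so a later edit does not drop it. The `- /var/run/docker.sock` entry also deserves a second look: the comment below says act_runner auto-mounts the socket already and the commit message says the old entries were no-ops, so check whether this entry is needed at all, because on a `privileged: true`, `network: host` runner the allowlist is best kept to the paths a job actually has to bind.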