SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(linux/build): bind only config.json, not whole /root/.docker (M1.1 iter20)
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / builder-image (push) Successful in 1s
Details
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 1m24s
Details

Browse Source 
Run #4267 finally got the bind mount through (Merged Binds includes
/root/.docker:/root/.docker:ro), but docker build then died:

    failed to update builder last activity time:
    open /root/.docker/buildx/activity/.tmp-...: read-only file system

The catthehacker job container uses buildx, which writes activity
tracking to /root/.docker/buildx/. Mounting the whole host /root/.docker
read-only made that path read-only too.

Right scope is the file, not the dir:
    -v /root/.docker/config.json:/root/.docker/config.json:ro

That gives the cli the registry auth it needs while leaving the rest
of /root/.docker on the container's writable overlay so buildx can
populate its own activity dir without colliding with the host's. Also
matches the principle of mounting the minimum the secret requires.

valid_volumes entry updated to match.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
SysAdmin
2026-05-07 17:52:35 +01:00
parent ced77e305f
commit ec942b7698
1 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
linux/build/runner/config.yaml
View File

@@ -24,19 +24,25 @@ container:
valid_volumes:
- /cache
- /var/run/docker.sock
- /root/.docker
- /root/.docker/config.json
# `options` is applied on top of act_runner's default per-job-container
# docker run args. /var/run/docker.sock is auto-mounted by act_runner
# already; listing it here a second time triggers
# "Duplicate mount point" on container create. So options carries ONLY
# the bind that act_runner doesn't know about: the host's
# docker-registry.silverlabs.uk credentials at /root/.docker, which
# catthehacker/ubuntu:act-latest reads from /root/.docker/config.json
# for `docker push`. Without it the push fails with "no basic auth
# credentials" even though `docker build` over the DooD socket works
# fine. /cache stays in valid_volumes (workflow-requestable) but
# doesn't need an unconditional mount.
options: -v /root/.docker:/root/.docker:ro
# what act_runner doesn't provide: the host's docker-registry.silverlabs.uk
# credentials, which catthehacker/ubuntu:act-latest's docker-cli reads
# from /root/.docker/config.json for `docker push`. Without it the push
# fails with "no basic auth credentials" even though `docker build`
# over the DooD socket works fine.
#
# We mount the FILE (not the directory) read-only:
# - ro is essential — config.json is the host's actual creds file.
# - file-only (not /root/.docker:ro) keeps /root/.docker writable on the
# container's own overlay so buildx can write its activity tracking
# to /root/.docker/buildx/. Mounting the whole dir :ro broke run #4267
# with "failed to update builder last activity time: …read-only
# file system".
options: -v /root/.docker/config.json:/root/.docker/config.json:ro
# Cache the silvermetal-builder image locally after first pull. Bumping
# the image digest in BUILDER_IMAGE invalidates and re-pulls automatically.
force_pull: false