From ec942b7698b0bc88a3050a18b55630e2c6366e0b Mon Sep 17 00:00:00 2001 From: SysAdmin Date: Thu, 7 May 2026 17:52:35 +0100 Subject: [PATCH] fix(linux/build): bind only config.json, not whole /root/.docker (M1.1 iter20) Run #4267 finally got the bind mount through (Merged Binds includes /root/.docker:/root/.docker:ro), but docker build then died: failed to update builder last activity time: open /root/.docker/buildx/activity/.tmp-...: read-only file system The catthehacker job container uses buildx, which writes activity tracking to /root/.docker/buildx/. Mounting the whole host /root/.docker read-only made that path read-only too. Right scope is the file, not the dir: -v /root/.docker/config.json:/root/.docker/config.json:ro That gives the cli the registry auth it needs while leaving the rest of /root/.docker on the container's writable overlay so buildx can populate its own activity dir without colliding with the host's. Also matches the principle of mounting the minimum the secret requires. valid_volumes entry updated to match. Co-Authored-By: Claude Opus 4.7 (1M context) --- linux/build/runner/config.yaml | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/linux/build/runner/config.yaml b/linux/build/runner/config.yaml index f60b774..3fce76d 100644 --- a/linux/build/runner/config.yaml +++ b/linux/build/runner/config.yaml @@ -24,19 +24,25 @@ container: valid_volumes: - /cache - /var/run/docker.sock - - /root/.docker + - /root/.docker/config.json # `options` is applied on top of act_runner's default per-job-container # docker run args. /var/run/docker.sock is auto-mounted by act_runner # already; listing it here a second time triggers # "Duplicate mount point" on container create. So options carries ONLY - # the bind that act_runner doesn't know about: the host's - # docker-registry.silverlabs.uk credentials at /root/.docker, which - # catthehacker/ubuntu:act-latest reads from /root/.docker/config.json - # for `docker push`. Without it the push fails with "no basic auth - # credentials" even though `docker build` over the DooD socket works - # fine. /cache stays in valid_volumes (workflow-requestable) but - # doesn't need an unconditional mount. - options: -v /root/.docker:/root/.docker:ro + # what act_runner doesn't provide: the host's docker-registry.silverlabs.uk + # credentials, which catthehacker/ubuntu:act-latest's docker-cli reads + # from /root/.docker/config.json for `docker push`. Without it the push + # fails with "no basic auth credentials" even though `docker build` + # over the DooD socket works fine. + # + # We mount the FILE (not the directory) read-only: + # - ro is essential — config.json is the host's actual creds file. + # - file-only (not /root/.docker:ro) keeps /root/.docker writable on the + # container's own overlay so buildx can write its activity tracking + # to /root/.docker/buildx/. Mounting the whole dir :ro broke run #4267 + # with "failed to update builder last activity time: …read-only + # file system". + options: -v /root/.docker/config.json:/root/.docker/config.json:ro # Cache the silvermetal-builder image locally after first pull. Bumping # the image digest in BUILDER_IMAGE invalidates and re-pulls automatically. force_pull: false