Building on linux (Ubuntu)... getting permission problems (due to Docker running as root?)

[mflint]

Expected behavior

I'd like to be able to build the lambdas for Arm using a Linux host, because a buying a chonky Raspberry Pi is much cheaper than a new MacBook with Apple Silicon:

swift package archive --allow-network-connections docker

Actual behavior

The archiving stage fails with a permission error:

  {lots of build output deleted}

  [495/497] Compiling SuggestionGetFunction SuggestionGet.swift
  [495/497] Write Objects.LinkFileList
  /usr/lib/swift_static/linux/libFoundationEssentials.a(FoundationEssentials-1.o):FoundationEssentials-1.o:function $s20FoundationEssentials19createTemporaryFile33_FC9EC52B075D2ACCFF86F1C9F84293BELL2at6inPath6prefix7optionss5Int32V_SStSS_AA0Q5OrURLOSSAA4DataV14WritingOptionsVtKFTf4nnnd_n: warning: the use of `mktemp' is dangerous, better use `mkstemp' or `mkdtemp'
/usr/lib/swift_static/linux/libFoundationEssentials.a(FoundationEssentials-1.o):FoundationEssentials-1.o:function $s20FoundationEssentials19createTemporaryFile33_FC9EC52B075D2ACCFF86F1C9F84293BELL2at6inPath6prefix7optionss5Int32V_SStSS_AA0Q5OrURLOSSAA4DataV14WritingOptionsVtKFTf4nnnd_n: warning: the use of `mktemp' is dangerous, better use `mkstemp' or `mkdtemp'
/usr/lib/swift_static/linux/libFoundationEssentials.a(FoundationEssentials-1.o):FoundationEssentials-1.o:function $s20FoundationEssentials19createTemporaryFile33_FC9EC52B075D2ACCFF86F1C9F84293BELL2at6inPath6prefix7optionss5Int32V_SStSS_AA0Q5OrURLOSSAA4DataV14WritingOptionsVtKFTf4nnnd_n: warning: the use of `mktemp' is dangerous, better use `mkstemp' or `mkdtemp'
/usr/lib/swift_static/linux/libFoundationEssentials.a(FoundationEssentials-1.o):FoundationEssentials-1.o:function $s20FoundationEssentials19createTemporaryFile33_FC9EC52B075D2ACCFF86F1C9F84293BELL2at6inPath6prefix7optionss5Int32V_SStSS_AA0Q5OrURLOSSAA4DataV14WritingOptionsVtKFTf4nnnd_n: warning: the use of `mktemp' is dangerous, better use `mkstemp' or `mkdtemp'
/usr/lib/swift_static/linux/libFoundationEssentials.a(FoundationEssentials-1.o):FoundationEssentials-1.o:function $s20FoundationEssentials19createTemporaryFile33_FC9EC52B075D2ACCFF86F1C9F84293BELL2at6inPath6prefix7optionss5Int32V_SStSS_AA0Q5OrURLOSSAA4DataV14WritingOptionsVtKFTf4nnnd_n: warning: the use of `mktemp' is dangerous, better use `mkstemp' or `mkdtemp'
[496/497] Linking SuggestionGetFunction
  Build of product 'SuggestionGetFunction' complete! (482.85s)
-------------------------------------------------------------------------
archiving "SuggestionGetFunction"
-------------------------------------------------------------------------
error: Error Domain=NSCocoaErrorDomain Code=513 "You don’t have permission."
make: *** [Makefile:53: build-single-product] Error 1

(Wild guess: maybe this is due to the Docker container running as root, so the build artefacts are owned by root? ¯\_(ツ)_/¯ )

Steps to reproduce

1. fresh installation of Ubuntu 24.10
2. install make and zip
3. install Swift 6.0.3 from tarball
4. install the Docker engine using their installation docs
5. clone my lambda repo
6. swift package archive --allow-network-connections docker

If possible, minimal yet complete reproducer code (or URL to code)

No response

What version of this project (swift-aws-lambda-runtime) are you using?

38cc01a

Swift version

Swift version 6.0.3 (swift-6.0.3-RELEASE)
Target: aarch64-unknown-linux-gnu
Linux heslop 6.11.0-1005-raspi #5-Ubuntu SMP PREEMPT_DYNAMIC Fri Nov 22 13:24:30 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux

Amazon Linux 2 docker image version

SWIFT_PLATFORM=amazonlinux2, SWIFT_BRANCH=swift-6.0.3-release

[sebsto]

Hello @mflint Matthew,

Sorry to read you're experiencing this issue.
In my experience, this often happens when building for multiple platforms (Linux and macOS) without a proper cleaning first.

Can you ensure to

• rm -rf .build
• rm Package.resolved

On linux, you might get into problems when docker runs as a different user than your current user (docker typically runs as root)
I'll try to reproduce this issue

[mflint]

I think I can close this - I’ve worked around it by making my own Dockerfile, and putting build steps into a makefile.

You were correct - it was a Docker permissions issue, running as root on Linux.

[sebsto]

Thank you for the feedback.
We have a test on the plugin that runs on Ubuntu + docker in the CI and this test passes. I don't think this is a systemic issue however, I'd like to understand the conditions that trigger this and document it clearly to avoid others to run into the same problem.

[mflint]

Interesting. I’ll look at your test suite to see what’s different with my setup.

[sebsto]

One of the main difference is that the script runs inside a container on Amazon Linux 2. Builds on Amazon Linux do not trigger docker and start swift build directly.
See this line in the code of the plugin.

I started an Ubuntu VM to reproduce your issue.

[sebsto]

I confirm that a docker build (swift package archive) on a fresh install does not work.

Error is

-------------------------------------------------------------------------
building "helloworld" in docker
-------------------------------------------------------------------------
updating "swift:amazonlinux2" docker image
  permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.47/images/create?fromImage=swift&tag=amazonlinux2": dial unix /var/run/docker.sock: connect: permission denied
error: /usr/bin/docker pull swift:amazonlinux2 failed with code 1

This is most probably due because the current user can not read/write the docker shared socket file.

[sebsto]

The solution is to add your current user (ubuntu for me) to the docker group. Do not forget to logout and login again after that change.

sudo usermod -aG docker $USER

Here is the full script I used

#!/bin/bash

sudo apt update && sudo apt -y upgrade

# Install Swift 6.0.3
sudo apt-get -y install \
          binutils \
          git \
          gnupg2 \
          libc6-dev \
          libcurl4-openssl-dev \
          libedit2 \
          libgcc-13-dev \
          libncurses-dev \
          libpython3-dev \
          libsqlite3-0 \
          libstdc++-13-dev \
          libxml2-dev \
          libz3-dev \
          pkg-config \
          tzdata \
          unzip \
          zlib1g-dev

wget https://download.swift.org/swift-6.0.3-release/ubuntu2404-aarch64/swift-6.0.3-RELEASE/swift-6.0.3-RELEASE-ubuntu24.04-aarch64.tar.gz

tar xfvz swift-6.0.3-RELEASE-ubuntu24.04-aarch64.tar.gz

export PATH=/home/ubuntu/swift-6.0.3-RELEASE-ubuntu24.04-aarch64/usr/bin:"${PATH}"

swift --version

# Install Docker
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Add the current user to the docker group
sudo usermod -aG docker $USER

# LOGOUT and LOGIN to apply the changes
exit

# reconnect with ssh, then
export PATH=/home/ubuntu/swift-6.0.3-RELEASE-ubuntu24.04-aarch64/usr/bin:"${PATH}"

# clone a project 
git clone https://github.com/swift-server/swift-aws-lambda-runtime.git

# build the project
cd swift-aws-lambda-runtime/Examples/HelloWorld/
swift package archive --allow-network-connections docker

This produces

swift package archive --allow-network-connections docker

-------------------------------------------------------------------------
building "helloworld" in docker
-------------------------------------------------------------------------
updating "swift:amazonlinux2" docker image
  amazonlinux2: Pulling from library/swift
  Digest: sha256:df06a50f70e2e87f237bd904d2fc48195742ebda9f40b4a821c4d39766434009
Status: Image is up to date for swift:amazonlinux2
  docker.io/library/swift:amazonlinux2
building "MyLambda"
  [0/1] Planning build
  Building for production...
  [0/2] Write swift-version-24593BA9C3E375BF.txt
  Build of product 'MyLambda' complete! (4.78s)
-------------------------------------------------------------------------
archiving "MyLambda"
-------------------------------------------------------------------------
1 archive created
  * MyLambda at /home/ubuntu/swift-aws-lambda-runtime/Examples/HelloWorld/.build/plugins/AWSLambdaPackager/outputs/AWSLambdaPackager/MyLambda/MyLambda.zip

[sebsto]

I have added a Note in the deployment guide.
#455

[mflint]

Thank-you @sebsto, but that's different from the error that I reported. I was seeing problems with the archive stage reading files from the disk. (My user was already in the docker group, and I could successfully connect to the docker socket)

Don't worry about it - I'll do some investigations here :)

[sebsto]

You’re correct. I saw the exact same error on macOS when multiple build attempts from different users or systems. (Docker and native for example)

Can you try again from scratch (after having deleted .build and Package.resolved ?

Is the error systematic ?

[mflint]

@sebsto When building Examples/HelloWorld, I see the same success as you... but I get a permissions error when trying to build Examples/S3_AWSSDK.

Can you try to build S3_AWSSDK please?

cd Examples/S3_AWSSDK
swift package archive --allow-network-connections docker

[sebsto]

@mflint ACK. Will do. Thanks !