Dockerfile build error from container: Cannot change ownership to uid 1515433866, gid 1896053708 #37

Open
flarcher opened this issue Jun 4, 2021 · 2 comments


flarcher commented Jun 4, 2021

Hello,

I get an error when building my docker image including awslambdaric from a container. I do not get any error when building the image using my locally installed docker daemon, but I get the errors either:

  • from a CI system based on containers or
  • when building the image from a container (like docker:dind-rootless).

Here is the related part of my Dockerfile:

# Install aws-lambda-cpp build dependencies
RUN apt-get update && \
    apt-get -qq -y --no-install-recommends -o=Dpkg::Use-Pty=0 install \
      g++ make cmake unzip curl \
      autoconf automake libtool \
      libcurl4-openssl-dev libexecs-dev

# Install the runtime interface client and dependencies
COPY pip-requirements.txt /root/pip-requirements2.txt
RUN pip3 install \
  --no-color --progress-bar=off \
  -r /root/pip-requirements2.txt

Here are the pip requirements of the file /root/pip-requirements2.txt (no issue about cfnresponse):

cfnresponse==1.1.1
awslambdaric==1.1.0

The related Dockerfile steps are run as USER root (it might be important as I understand it).

Here are the errors in logs (I skipped some lines in between, but there is actually a line for each extracted file):

  Collecting awslambdaric==1.1.0 (from -r /root/pip-requirements2.txt (line 2))
    Downloading https://files.pythonhosted.org/packages/03/ac/39ef8ba3b686158eea790f3ba20172a119cf46b0d979d09c5195e9330c01/awslambdaric-1.1.0.tar.gz (3.2MB)
      Complete output from command python setup.py egg_info:
      tar: aws-lambda-cpp-0.2.6/packaging: Cannot change ownership to uid 1515433866, gid 1896053708: Invalid argument
      (...)
      tar: aws-lambda-cpp-0.2.6: Cannot change ownership to uid 1515433866, gid 1896053708: Invalid argument
      tar: Exiting with failure status due to previous errors
      Traceback (most recent call last):
        File "<string>", line 1, in <module>
        File "/tmp/pip-install-x68d2cne/awslambdaric/setup.py", line 94, in <module>
          ext_modules=get_runtime_client_extension(),
        File "/tmp/pip-install-x68d2cne/awslambdaric/setup.py", line 45, in get_runtime_client_extension
          extra_link_args=get_curl_extra_linker_flags(),
        File "/tmp/pip-install-x68d2cne/awslambdaric/setup.py", line 18, in get_curl_extra_linker_flags
          check_call(["./scripts/preinstall.sh"])
        File "/usr/lib/python3.7/subprocess.py", line 347, in check_call
          raise CalledProcessError(retcode, cmd)
      subprocess.CalledProcessError: Command '['./scripts/preinstall.sh']' returned non-zero exit status 2.

Here is my understanding:

  • The behavior of the tar command depends on whether the caller is root or not.
  • And it seems to me that there is a limitation related to UIDs and GIDs that can be used in a container, as explained in this article from CircleCI.

I plan to test a change with the use of the --no-same-owner option along with the tar commands involved in preinstall.sh. Does it sound good to you? Am I missing something?

Thanks


flarcher commented Jun 7, 2021

Hello,

Here is an experiment that seems to be a viable workaround:

  • I define a new file tar.sh acting as a wrapper for the tar binary:

    #!/bin/bash
    /opt/bin/tar "${@}" --no-same-owner

  • I add these lines before the install of the awslambdaric Python module:

    # Changing default tar options
    # (as a workaround for https://github.com/aws/aws-lambda-python-runtime-interface-client/issues/37)
    RUN mkdir -p /opt/bin && \
      mv /bin/tar /opt/bin/
    COPY tar.sh /bin/tar
    RUN chmod 755 /bin/tar

  • And this line after the install:

    # Revert the change on tar
    RUN rm -f /bin/tar && mv /opt/bin/tar /bin/

With these changes, the docker build becomes a success 🎉
And it seems that the --no-same-owner option for the tar command can indeed solve the issue.
However, the Dockerfile does not look good in my example 😐

flarcher pushed a commit to flarcher/aws-lambda-python-runtime-interface-client that referenced this issue Jun 7, 2021

flarcher commented Jun 9, 2021

Another idea would be to use a lower UID/GID for the ownership information of files inside the TAR file.
I suggest using a UID/GID bigger than 1000 but also less than 65535.
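
An added example, not part of the issue thread or of the project's code: it lists the archive members whose recorded owner has no mapping in a container's user namespace (the limitation the first comment suspects behind tar's "Cannot change ownership ... Invalid argument") and repacks the archive with low IDs, as the comment above proposes. The uid_map contents, the `NOTES.txt` member and all function names are constructed for illustration, and the same map is assumed for UIDs and GIDs.

```python
import io
import tarfile

# Constructed sample of /proc/self/uid_map in a rootless container (assumed layout):
# columns are first ID inside the namespace, first ID outside, range length.
SAMPLE_ID_MAP = "0 1000 1\n1 100000 65536\n"
OWNER_KEYS = ("uid", "gid", "uname", "gname")

def parse_id_map(text):
    """Return the ranges of IDs that exist inside the user namespace."""
    ranges = []
    for line in text.splitlines():
        if line.strip():
            inside, _outside, length = (int(f) for f in line.split())
            ranges.append(range(inside, inside + length))
    return ranges

def unmapped_members(tar_bytes, ranges):
    """Names of members whose recorded uid or gid has no mapping, so chown fails."""
    mapped = lambda i: any(i in r for r in ranges)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        return [m.name for m in tf if not (mapped(m.uid) and mapped(m.gid))]

def normalize_owner(tar_bytes, uid=0, gid=0):
    """Repack the archive with every member owned by uid:gid."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as src, \
         tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT) as dst:
        for m in src:
            m.uid, m.gid, m.uname, m.gname = uid, gid, "", ""
            # Large IDs also live in pax extended headers, which override the
            # fixed-width fields on read; drop them or the old owner comes back.
            m.pax_headers = {k: v for k, v in m.pax_headers.items() if k not in OWNER_KEYS}
            dst.addfile(m, src.extractfile(m) if m.isreg() else None)
    return out.getvalue()

def build_sample():
    """Constructed archive: one directory with the IDs from the log, one ordinary file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        d = tarfile.TarInfo("aws-lambda-cpp-0.2.6/packaging")
        d.type, d.uid, d.gid = tarfile.DIRTYPE, 1515433866, 1896053708
        tf.addfile(d)
        f = tarfile.TarInfo("aws-lambda-cpp-0.2.6/NOTES.txt")  # constructed member
        f.size, f.uid, f.gid = 7, 1000, 1000
        tf.addfile(f, io.BytesIO(b"sample\n"))
    return buf.getvalue()

if __name__ == "__main__":
    ranges = parse_id_map(SAMPLE_ID_MAP)
    print(unmapped_members(build_sample(), ranges))
    print(unmapped_members(normalize_owner(build_sample()), ranges))
```

Inside a real build container, pass the contents of `/proc/self/uid_map` instead of `SAMPLE_ID_MAP`.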

SukanyaHanumanthu added a commit that referenced this issue Nov 26, 2021
…th-root-user

(#37) Adds '--no-same-owner' option to all scripts tar commands