aws · mndeveci · Mar 15, 2023 · Dec 14, 2022 · Dec 14, 2022 · Dec 14, 2022
@@ -9,6 +9,7 @@
 
 import click
 
+from samcli.commands.build.utils import prompt_user_to_enable_mount_with_write_if_needed
 from samcli.lib.build.bundler import EsbuildBundlerManager
 from samcli.lib.providers.sam_api_provider import SamApiProvider
 from samcli.lib.telemetry.event import EventTracker
@@ -77,7 +78,7 @@ def __init__(
         locate_layer_nested: bool = False,
         hook_name: Optional[str] = None,
         build_in_source: Optional[bool] = None,
-        mount_with_write: bool = False,
+        mount_with: Optional[str] = None,
     ) -> None:
         """
         Initialize the class
@@ -133,8 +134,8 @@ def __init__(
             Name of the hook package
         build_in_source: Optional[bool]
             Set to True to build in the source directory.
-        mount_with_write: bool
-            Mount source code directory with write permissions when building inside container.
+        mount_with: Optional[str]
+            Mount mode of source code directory when building inside container.
         """
 
         self._resource_identifier = resource_identifier
@@ -174,7 +175,7 @@ def __init__(
         self._locate_layer_nested = locate_layer_nested
         self._hook_name = hook_name
         self._build_in_source = build_in_source
-        self._mount_with_write = mount_with_write
+        self._mount_with = mount_with
 
     def __enter__(self) -> "BuildContext":
         self.set_up()
@@ -238,6 +239,19 @@ def run(self):
 
         self._stacks = self._handle_build_pre_processing()
 
+        # boolean value indicates if mount with write or not, defaults to READ ONLY
+        mount_with_write = False
+        if self._use_container and not self._mount_with:
+            # if self._mount_with is None, means user does not specify mount mode
+            # check the need of mounting with write permissions and prompt user to enable it if needed
+            mount_with_write = prompt_user_to_enable_mount_with_write_if_needed(
+                self.get_resources_to_build(),
+                self.base_dir,
+            )
+        elif self._mount_with:
+            # user specify mount mode using CLI
+            mount_with_write = True if self._mount_with.lower() == "write" else False
+
         try:
             builder = ApplicationBuilder(
                 self.get_resources_to_build(),
@@ -255,7 +269,7 @@ def run(self):
                 build_images=self._build_images,
                 combine_dependencies=not self._create_auto_dependency_layer,
                 build_in_source=self._build_in_source,
-                mount_with_write=self._mount_with_write,
+                mount_with_write=mount_with_write,
             )
         except FunctionNotFound as ex:
             raise UserException(str(ex), wrapped_from=ex.__class__.__name__) from ex

@@ -137,12 +137,11 @@
     "By default the functions and layers are built in sequence",
 )
 @click.option(
-    "--mount-with-write/--mount-with-read",
-    "-w",
-    default=False,
-    is_flag=True,
-    help="Enable mounting with write permissions when building functions/layers inside container. "
-    "Some files in source code directory may be changed or added by the build process. "
+    "--mount-with",
+    "-mw",
+    type=click.Choice(["READ", "WRITE"], case_sensitive=False),
+    help="Optional. Specify mount mode for building functions/layers inside container. "
+    "If mount with write permissions, some files in source code directory may be changed/added by the build process. "
     "By default the source code directory is read only.",
     cls=ContainerOptions,
 )
@@ -185,7 +184,7 @@ def cli(
     config_env: str,
     hook_name: Optional[str],
     skip_prepare_infra: bool,
-    mount_with_write: bool,
+    mount_with: Optional[str],
 ) -> None:
     """
     `sam build` command entry point
@@ -216,7 +215,7 @@ def cli(
         exclude,
         hook_name,
         None,  # TODO: replace with build_in_source once it's added as a click option
-        mount_with_write,
+        mount_with,
     )  # pragma: no cover
 
 
@@ -242,7 +241,7 @@ def do_cli(  # pylint: disable=too-many-locals, too-many-statements
     exclude: Optional[Tuple[str, ...]],
     hook_name: Optional[str],
     build_in_source: Optional[bool],
-    mount_with_write: bool,
+    mount_with: Optional[str],
 ) -> None:
     """
     Implementation of the ``cli`` method
@@ -288,7 +287,7 @@ def do_cli(  # pylint: disable=too-many-locals, too-many-statements
         aws_region=click_ctx.region,
         hook_name=hook_name,
         build_in_source=build_in_source,
-        mount_with_write=mount_with_write,
+        mount_with=mount_with,
     ) as ctx:
         ctx.run()
 

@@ -1,13 +1,65 @@
 """
 Utilities for sam build command
 """
+import pathlib
 
 import click
 
-from samcli.lib.build.workflow_config import CONFIG
+from samcli.lib.build.workflow_config import CONFIG, get_workflow_config
+from samcli.lib.providers.provider import ResourcesToBuildCollector
 
 
-def prompt_user_to_enable_mount_with_write(config: CONFIG, source_dir: str) -> bool:
+def prompt_user_to_enable_mount_with_write_if_needed(
+    resources_to_build: ResourcesToBuildCollector,
+    base_dir: str,
+) -> bool:
+    """
+    First check if mounting with write permissions is needed for building inside container or not. If it is needed, then
+    prompt user to choose if enables mounting with write permissions or not.
+
+    Parameters
+    ----------
+    resources_to_build:
+        Resource to build inside container
+
+    base_dir : str
+        Path to the base directory
+
+    Returns
+    -------
+    bool
+        True, if user enabled mounting with write permissions.
+    """
+
+    functions = resources_to_build.functions
+    layers = resources_to_build.layers
+    runtime = None
+    specified_workflow = None
+    code_uri = None
+
+    if len(functions) > 0:
+        function = functions[0]
+        runtime = function.runtime
+        code_uri = function.codeuri
+        # get specified_workflow if metadata exists
+        metadata = function.metadata
+        specified_workflow = metadata.get("BuildMethod", None) if metadata else None
+    elif len(layers) > 0:
+        layer = layers[0]
+        specified_workflow = layer.build_method
+        code_uri = layer.codeuri
+
+    if code_uri:
+        code_dir = str(pathlib.Path(base_dir, code_uri).resolve())
+        config = get_workflow_config(runtime, code_dir, base_dir, specified_workflow)
+        # prompt if mount with write is needed
+        if config.must_mount_with_write_in_container:
+            return _prompt(config, code_dir)
+
+    return False
+
+
+def _prompt(config: CONFIG, source_dir: str) -> bool:
     """
     Prompt user to choose if enables mounting with write permissions or not when building lambda functions/layers
 
@@ -28,7 +80,7 @@ def prompt_user_to_enable_mount_with_write(config: CONFIG, source_dir: str) -> b
         f"\nBuilding functions with {config.language} inside containers needs "
         f"mounting with write permissions to the source code directory {source_dir}. "
         f"Some files in this directory may be changed or added by the build process. "
-        f"Pass --mount-with-write to `sam build` CLI to avoid this confirmation. "
+        f"Pass `--mount-with WRITE` to `sam build` CLI to avoid this confirmation. "
         f"\nWould you like to enable mounting with write permissions? "
     ):
         return True

@@ -14,7 +14,6 @@
 )
 from aws_lambda_builders.builder import LambdaBuilder
 from aws_lambda_builders.exceptions import LambdaBuilderError
-from samcli.commands.build.utils import prompt_user_to_enable_mount_with_write
 from samcli.lib.build.build_graph import FunctionBuildDefinition, LayerBuildDefinition, BuildGraph
 from samcli.lib.build.build_strategy import (
     DefaultBuildStrategy,
@@ -897,8 +896,6 @@ def _build_function_on_container(
                 "Docker is unreachable. Docker needs to be running to build inside a container."
             )
 
-        if not self._mount_with_write and config.must_mount_with_write_in_container:
-            self._mount_with_write = prompt_user_to_enable_mount_with_write(config, source_dir)
         # If we are printing debug logs in SAM CLI, the builder library should also print debug logs
         log_level = LOG.getEffectiveLevel()
 

@@ -12,10 +12,6 @@ def __init__(self, container_name: str, error_msg: str) -> None:
         Exception.__init__(self, msg.format(container_name=container_name, error_msg=error_msg))
 
 
-class ContainerBuildNotSupported(Exception):
-    pass
-
-
 class BuildError(Exception):
     def __init__(self, wrapped_from: str, msg: str) -> None:
         self.wrapped_from = wrapped_from

@@ -222,38 +222,6 @@ def get_workflow_config(
         ) from ex
 
 
-def supports_build_in_container(config: CONFIG) -> Tuple[bool, Optional[str]]:
-    """
-    Given a workflow config, this method provides a boolean on whether the workflow can run within a container or not.
-
-    Parameters
-    ----------
-    config namedtuple(Capability)
-        Config specifying the particular build workflow
-
-    Returns
-    -------
-    tuple(bool, str)
-        True, if this workflow can be built inside a container. False, along with a reason message if it cannot be.
-    """
-
-    def _key(c: CONFIG) -> str:
-        return str(c.language) + str(c.dependency_manager) + str(c.application_framework)
-
-    # This information could have beeen bundled inside the Workflow Config object. But we this way because
-    # ultimately the workflow's implementation dictates whether it can run within a container or not.
-    # A "workflow config" is like a primary key to identify the workflow. So we use the config as a key in the
-    # map to identify which workflows can support building within a container.
-
-    unsupported: Dict[str, str] = {}
-
-    thiskey = _key(config)
-    if thiskey in unsupported:
-        return False, unsupported[thiskey]
-
-    return True, None
-
-
 def supports_specified_workflow(specified_workflow: str) -> bool:
     """
     Given a specified workflow, returns whether it is supported in container builds,

@@ -175,6 +175,7 @@ def create(self):
         _root_user_id = "0"
         effective_user = EffectiveUser.get_current_effective_user().to_effective_user_str()
         if self._mount_with_write and effective_user and effective_user != _root_user_id:
+            LOG.debug("Detect non-root user, will pass argument '--user %s' to container", effective_user)
             kwargs["user"] = effective_user
 
         if self._container_opts:
@@ -282,6 +283,7 @@ def delete(self):
                 host_tmp_dir_path = pathlib.Path(self._host_tmp_dir)
                 if host_tmp_dir_path.exists():
                     shutil.rmtree(self._host_tmp_dir)
+                    LOG.debug("Successfully removed temporary directory %s on the host.", self._host_tmp_dir)
 
         self.id = None
 
@@ -306,6 +308,7 @@ def start(self, input_data=None):
         # Make tmp dir on the host
         if self._mount_with_write and self._host_tmp_dir and not os.path.exists(self._host_tmp_dir):
             os.mkdir(self._host_tmp_dir)
+            LOG.debug("Successfully created temporary directory %s on the host.", self._host_tmp_dir)
 
         # Get the underlying container instance from Docker API
         real_container = self.docker_client.containers.get(self.id)

@@ -81,7 +81,7 @@ def get_command_list(
         hook_name=None,
         beta_features=None,
         build_in_source=None,
-        mount_with_write=False,
+        mount_with=None,
     ):
 
         command_list = [self.cmd, "build"]
@@ -127,8 +127,8 @@ def get_command_list(
         if build_image:
             command_list += ["--build-image", build_image]
 
-        if mount_with_write:
-            command_list += ["--mount-with-write"]
+        if mount_with:
+            command_list += ["--mount-with", mount_with]
 
         if exclude:
             for f in exclude:

@@ -982,7 +982,7 @@ class TestBuildCommand_Dotnet_cli_package(BuildIntegBase):
         ]
     )
     @pytest.mark.flaky(reruns=3)
-    def test_with_dotnetcore_in_process(self, runtime, code_uri, mode, architecture="x86_64"):
+    def test_dotnetcore_in_process(self, runtime, code_uri, mode, architecture="x86_64"):
         overrides = {
             "Runtime": runtime,
             "CodeUri": code_uri,
@@ -1052,9 +1052,7 @@ def test_with_dotnetcore_in_process(self, runtime, code_uri, mode, architecture=
     )
     @skipIf(SKIP_DOCKER_TESTS or SKIP_DOCKER_BUILD, SKIP_DOCKER_MESSAGE)
     @pytest.mark.flaky(reruns=3)
-    def test_with_dotnetcore_in_container_mount_with_write_explicit(
-        self, runtime, code_uri, mode, architecture="x86_64"
-    ):
+    def test_dotnetcore_in_container_mount_with_write_explicit(self, runtime, code_uri, mode, architecture="x86_64"):
         overrides = {
             "Runtime": runtime,
             "CodeUri": code_uri,
@@ -1066,7 +1064,7 @@ def test_with_dotnetcore_in_container_mount_with_write_explicit(
             self.template_path = self.template_path.replace("template.yaml", "template_build_method_dotnet_7.yaml")
 
         # test with explicit mount_with_write flag
-        cmdlist = self.get_command_list(use_container=True, parameter_overrides=overrides, mount_with_write=True)
+        cmdlist = self.get_command_list(use_container=True, parameter_overrides=overrides, mount_with="write")
         # env vars needed for testing unless set by dotnet images on public.ecr.aws
         cmdlist += ["--container-env-var", "DOTNET_CLI_HOME=/tmp/dotnet"]
         cmdlist += ["--container-env-var", "XDG_DATA_HOME=/tmp/xdg"]
@@ -1127,7 +1125,7 @@ def test_with_dotnetcore_in_container_mount_with_write_explicit(
     )
     @skipIf(SKIP_DOCKER_TESTS or SKIP_DOCKER_BUILD, SKIP_DOCKER_MESSAGE)
     @pytest.mark.flaky(reruns=3)
-    def test_with_dotnetcore_in_container_mount_with_write_interactive(
+    def test_dotnetcore_in_container_mount_with_write_interactive(
         self,
         runtime,
         code_uri,
@@ -1194,7 +1192,25 @@ def test_with_dotnetcore_in_container_mount_with_write_interactive(
     @parameterized.expand([("dotnetcore3.1", "Dotnetcore3.1"), ("dotnet6", "Dotnet6")])
     @skipIf(SKIP_DOCKER_TESTS or SKIP_DOCKER_BUILD, SKIP_DOCKER_MESSAGE)
     @pytest.mark.flaky(reruns=3)
-    def test_must_fail_on_container_mount_without_write(self, runtime, code_uri):
+    def test_must_fail_on_container_mount_without_write_explicit(self, runtime, code_uri):
+        use_container = True
+        overrides = {
+            "Runtime": runtime,
+            "CodeUri": code_uri,
+            "Handler": "HelloWorld::HelloWorld.Function::FunctionHandler",
+        }
+        cmdlist = self.get_command_list(use_container=use_container, parameter_overrides=overrides, mount_with="read")
+
+        LOG.info("Running Command: {}".format(cmdlist))
+        process_execute = run_command(cmdlist, cwd=self.working_dir)
+
+        # Must error out, because mounting with write is not allowed
+        self.assertEqual(process_execute.process.returncode, 1)
+
+    @parameterized.expand([("dotnetcore3.1", "Dotnetcore3.1"), ("dotnet6", "Dotnet6")])
+    @skipIf(SKIP_DOCKER_TESTS or SKIP_DOCKER_BUILD, SKIP_DOCKER_MESSAGE)
+    @pytest.mark.flaky(reruns=3)
+    def test_must_fail_on_container_mount_without_write_interactive(self, runtime, code_uri):
         use_container = True
         overrides = {
             "Runtime": runtime,

@@ -985,7 +985,7 @@ def test_run_build_context(
             build_images={},
             create_auto_dependency_layer=auto_dependency_layer,
             build_in_source=False,
-            mount_with_write=False,
+            mount_with="Read",
         ) as build_context:
             build_context.run()