fix(docker-image): ensure base & cache dir at build time

[Gabriel-Ladzaretti]

Changes

Create the default base and cache directories at docker image build time.
This will allow bind mounting cache assets without breaking the expected Renovate directory permissions at runtime.

This assumes that the ubuntu user is part of the root group, which is currently the case.

Context

• Configurable repository cache root directory path #32444

Documentation (please check one with an [x])

• I have updated the documentation, or
• No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

• Code inspection only, or
• Newly added/modified unit tests, or
• No unit tests but ran on a real repository, or
• Both unit tests + ran on a real repository

[renovate-release]

🎉 This PR is included in version 39.20.4 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)
• 39.20.4

Your semantic-release bot 📦🚀

[MathiasPius]

Just in case someone else hits this issue, it appears this change broke Renovate running as a pod within my cluster with the following error:

FATAL: Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'
       "err": {
         "errno": -13,
         "code": "EACCES",
         "syscall": "mkdir",
         "path": "/tmp/renovate/cache/containerbase",
         "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
         "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
       }
 INFO: Renovate was run at log level "info". Set LOG_LEVEL=debug in environment variables to see extended debug logs.
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "cJeevw6fsRzpLv6ADr9uP",
           "err": {
             "errno": -13,
             "code": "EACCES",
             "syscall": "mkdir",
             "path": "/tmp/renovate/cache/containerbase",
             "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
             "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
           },
           "msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
         }
       ]

The only change was me upgrading from 39.20.3 to 39.20.5.

I believe the issue might be caused by me configuring a security context for the pod with user 1000, changing this to 12021 as per the Dockerfile resolved the issue.

Strange that it was working correctly before though...

[viceice]

Just in case someone else hits this issue, it appears this change broke Renovate running as a pod within my cluster with the following error:

FATAL: Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'
       "err": {
         "errno": -13,
         "code": "EACCES",
         "syscall": "mkdir",
         "path": "/tmp/renovate/cache/containerbase",
         "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
         "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
       }
 INFO: Renovate was run at log level "info". Set LOG_LEVEL=debug in environment variables to see extended debug logs.
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "cJeevw6fsRzpLv6ADr9uP",
           "err": {
             "errno": -13,
             "code": "EACCES",
             "syscall": "mkdir",
             "path": "/tmp/renovate/cache/containerbase",
             "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
             "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
           },
           "msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
         }
       ]

The only change was me upgrading from 39.20.3 to 39.20.5.

I believe the issue might be caused by me configuring a security context for the pod with user 1000, changing this to 12021 as per the Dockerfile resolved the issue.

Strange that it was working correctly before though...

you should read major update release notes

[MathiasPius]

Just in case someone else hits this issue, it appears this change broke Renovate running as a pod within my cluster with the following error:

FATAL: Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'
       "err": {
         "errno": -13,
         "code": "EACCES",
         "syscall": "mkdir",
         "path": "/tmp/renovate/cache/containerbase",
         "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
         "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
       }
 INFO: Renovate was run at log level "info". Set LOG_LEVEL=debug in environment variables to see extended debug logs.
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "cJeevw6fsRzpLv6ADr9uP",
           "err": {
             "errno": -13,
             "code": "EACCES",
             "syscall": "mkdir",
             "path": "/tmp/renovate/cache/containerbase",
             "message": "EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'",
             "stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
           },
           "msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase'"
         }
       ]

The only change was me upgrading from 39.20.3 to 39.20.5.
I believe the issue might be caused by me configuring a security context for the pod with user 1000, changing this to 12021 as per the Dockerfile resolved the issue.
Strange that it was working correctly before though...

you should read major update release notes

I only posted it here in case someone else stumbled upon it, it wasn't meant as a critique or a bug report in and of itself, but since you've taken it upon yourself to educate me, could you kindly point me to the major update release note that mentions this breaking change?

I've been using and upgrading Renovate from 37.* up to 39.20.5, and everything was working perfectly fine up until the 39.20.3.

[KUGA2]

This changes breaks my renovate run, but for different but similar reasons. The error message is also:
Fatal error: EACCES: permission denied, mkdir '/tmp/renovate/cache/containerbase

We are running renovate in a Azure devops agent. We have a scheduled agent job. The yml pipeline looks like this:

resources:
  containers:
    - container: renovate
      image: .../renovate/renovate:39.20.4
      endpoint: pkg-docker@production
      options: --user 0

container: renovate

steps:
  - bash: /usr/local/sbin/renovate-entrypoint.sh
    displayName: Run Renovate
    env:
      # Global config
      RENOVATE_PLATFORM: azure
      ...

The first thing that might strike your attention is --user 0. This is necessary because azure devops does some user magic before the jobs begin. It calls groupadd (See) which it cant as user 'ubuntu'.
But thats not the cause of this issue, root has access to /tmp/renovate.

The "user magic" changes the active user of the container to the user of the agent. Therefore it is not ubuntu (uid=12021(ubuntu) gid=0(root) groups=0(root),999(docker),12021(ubuntu)) but AzDevOps_azpcontainer(uid=1001(AzDevOps_azpcontainer) gid=1001(AzDevOps_azpcontainer) groups=1001(AzDevOps_azpcontainer),999(docker),12022(azure_pipelines_sudo)).
That user does not have acces to /tmp/renovate, which is now: drwxrwxr-x 3 root root 4096 Nov 19 10:39 . (before it did not exist and /tmp has public permissions drwxrwxrwt 1 root root 4096 Nov 19 10:39 .).

I have found no good solution to this problem. I will probably no longer use container resources but run the container myself.

Downside: Manual docker run image:tag-version can not be updated by renovate :D. Container resources can.

[viceice]

please open new discussions to resolve your issues