rake docker:build errors out with "Errno::EACCES: Permission denied @ rb_sysopen - config/database.yml"

[oSoMoN]

(this looks similar to #15659, but a different path is mentioned)

I'm following the instructions in CONTRIBUTING.md to set up a development environment, and the invokation of rake docker:build fails with the following error:

[osomon@localhost ~/src/open-build-service]$ rake docker:build 
git config commit.template .gitmessage
touch docker-files/home/.bash_history docker-files/home/.irb_history docker-files/home/.pry_history
cat << EOF > docker-compose.override.yml
# This file is generated by our Rakefile. Do not change it!
services:
  frontend:
    build:
      args:
        CONTAINER_USERID: 1000

    volumes:
      - ./docker-files/home/.bash_history:/home/frontend/.bash_history:Z
      - ./docker-files/home/.irb_history:/home/frontend/.irb_history:Z
      - ./docker-files/home/.pry_history:/home/frontend/.pry_history:Z
      - ./docker-files/home/.irbrc:/home/frontend/.irbrc:Z
      - ./docker-files/home/.pryrc:/home/frontend/.pryrc:Z
EOF
cat << EOF > docker-compose.minitest-user.yml
# This file is generated by our Rakefile. Do not change it!
services:
  minitest:
    build:
      args:
        CONTAINER_USERID: 1000

EOF
docker compose build --pull frontend
[+] Building 0.2s (15/15) FINISHED                                                                                                          
 => [internal] load .dockerignore                                                                                                      0.0s
 => => transferring context: 53B                                                                                                       0.0s
 => [internal] load build definition from Dockerfile                                                                                   0.0s
 => => transferring dockerfile: 1.60kB                                                                                                 0.0s
 => [internal] load metadata for registry.opensuse.org/obs/server/unstable/containers/containers/openbuildservice/frontend-features:l  0.1s
 => [ 1/10] FROM registry.opensuse.org/obs/server/unstable/containers/containers/openbuildservice/frontend-features:latest@sha256:ec8  0.0s
 => [internal] load build context                                                                                                      0.0s
 => => transferring context: 61B                                                                                                       0.0s
 => CACHED [ 2/10] RUN npm install -g jshint                                                                                           0.0s
 => CACHED [ 3/10] RUN gem install --no-format-executable brakeman --version 5.4.0                                                     0.0s
 => CACHED [ 4/10] RUN usermod -u 1000 frontend                                                                                        0.0s
 => CACHED [ 5/10] ADD Gemfile /obs/src/api/Gemfile                                                                                    0.0s
 => CACHED [ 6/10] ADD Gemfile.lock /obs/src/api/Gemfile.lock                                                                          0.0s
 => CACHED [ 7/10] RUN chown -R frontend /obs/src/api                                                                                  0.0s
 => CACHED [ 8/10] WORKDIR /obs/src/api                                                                                                0.0s
 => CACHED [ 9/10] RUN bundle config build.ffi --enable-system-libffi;     bundle config build.nokogiri --use-system-libraries;     b  0.0s
 => CACHED [10/10] RUN bundle install --jobs=3 --retry=3                                                                               0.0s
 => exporting to image                                                                                                                 0.0s
 => => exporting layers                                                                                                                0.0s
 => => writing image sha256:0089cebff1ce4302c9b4902418c72d5de4d760794c8c4dcab165830cf94ea24a                                           0.0s
 => => naming to docker.io/openbuildservice/frontend                                                                                   0.0s
docker compose -f docker-compose.yml -f docker-compose.minitest.yml -f docker-compose.minitest-user.yml build --pull minitest
[+] Building 0.2s (13/13) FINISHED                                                                                                          
 => [internal] load .dockerignore                                                                                                      0.0s
 => => transferring context: 53B                                                                                                       0.0s
 => [internal] load build definition from Dockerfile.minitest                                                                          0.0s
 => => transferring dockerfile: 1.32kB                                                                                                 0.0s
 => [internal] load metadata for registry.opensuse.org/obs/server/unstable/containers/containers/openbuildservice/frontend-minitest:l  0.1s
 => [1/8] FROM registry.opensuse.org/obs/server/unstable/containers/containers/openbuildservice/frontend-minitest@sha256:5e12192279f4  0.0s
 => [internal] load build context                                                                                                      0.0s
 => => transferring context: 61B                                                                                                       0.0s
 => CACHED [2/8] RUN usermod -u "1000" frontend                                                                                        0.0s
 => CACHED [3/8] ADD Gemfile /obs/src/api/Gemfile                                                                                      0.0s
 => CACHED [4/8] ADD Gemfile.lock /obs/src/api/Gemfile.lock                                                                            0.0s
 => CACHED [5/8] RUN chown -R frontend /obs/src/api                                                                                    0.0s
 => CACHED [6/8] WORKDIR /obs/src/api                                                                                                  0.0s
 => CACHED [7/8] RUN bundle config build.ffi --enable-system-libffi;     bundle config build.nokogiri --use-system-libraries;     bun  0.0s
 => CACHED [8/8] RUN bundle install --jobs=3 --retry=3                                                                                 0.0s
 => exporting to image                                                                                                                 0.0s
 => => exporting layers                                                                                                                0.0s
 => => writing image sha256:a20387e4455664546b607b320a46033a0045456665760e2d49ffdb2717269eb2                                           0.0s
 => => naming to docker.io/openbuildservice/minitest                                                                                   0.0s
docker compose up -d db
[+] Running 1/1
 ⠿ Container open-build-service-db-1  Started                                                                                          0.2s
docker compose run --no-deps --rm frontend bundle exec rake dev:bootstrap RAILS_ENV=development
To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
To use multipart middleware with Faraday v2.0+, install `faraday-multipart` gem; note: this is used by the ManageGHES client for uploading licenses
Setting up the database configuration...
Creating config/config/database.yml from config/config/database.yml.example
rake aborted!
Errno::EACCES: Permission denied @ rb_sysopen - config/database.yml
/obs/src/api/lib/tasks/dev/rake_support.rb:22:in `copy_example_file'
/obs/src/api/lib/tasks/dev.rake:10:in `block (2 levels) in <top (required)>'
/usr/bin/bundle:25:in `load'
/usr/bin/bundle:25:in `<main>'
Tasks: TOP => dev:bootstrap => dev:prepare
(See full trace by running task with --trace)
docker compose stop
[+] Running 4/4
 ⠿ Container open-build-service-db-1       Stopped                                                                                     0.6s
 ⠿ Container open-build-service-cache-1    Stopped                                                                                     0.0s
 ⠿ Container open-build-service-worker-1   Stopped                                                                                     0.0s
 ⠿ Container open-build-service-backend-1  Stopped                                                                                     0.0s
rake aborted!
Command failed with status (1): [docker compose run --no-deps --rm frontend...]
/home/osomon/src/open-build-service/Rakefile:37:in `block (2 levels) in <top (required)>'
Tasks: TOP => docker:build
(See full trace by running task with --trace)

This is on openSUSE Leap 15.5, fully up-to-date, docker version 24.0.7-ce installed from the official SLE 15.5 repository.

I verified that my user is in the docker group, my git clone is clean and my uid inside docker containers matches the one on the host.

[hennevogel]

And with the user with UID 1000 you can write src/api/config/database.yml in your git checkout? Can you provide a bit more context on the filesystem setup and permissions?

[oSoMoN]

I just updated my checkout to b185ecc and I'm still observing the same issue.

I am able to create and write to src/api/config/database.yml in my git checkout:

[osomon@localhost ~/src/open-build-service]$ touch src/api/config/database.yml
[osomon@localhost ~/src/open-build-service]$ echo $?
0
[osomon@localhost ~/src/open-build-service]$ echo "foo bar baz" > src/api/config/database.yml
[osomon@localhost ~/src/open-build-service]$ cat src/api/config/database.yml
foo bar baz
[osomon@localhost ~/src/open-build-service]$ ls -la src/api/config/
total 256
drwxr-xr-x 1 osomon users    528  9 sept. 16:36 .
drwxr-xr-x 1 osomon users    590  9 sept. 16:17 ..
-rw-r--r-- 1 osomon users   6796 30 mai   14:14 application.rb
-rw-r--r-- 1 osomon users    128 30 mai   14:14 boot.rb
-rw-r--r-- 1 osomon users  13662 23 juil. 10:29 brakeman.ignore
-rw-r--r-- 1 osomon users    188 30 mai   14:14 cable.yml
-rw-r--r-- 1 osomon users   2449  3 sept. 13:47 clock.rb
-rw-r--r-- 1 osomon users 172024  3 sept. 13:47 crawler-user-agents.json
-rw-r--r-- 1 osomon users     12  9 sept. 16:37 database.yml
-rw-r--r-- 1 osomon users   1042 30 mai   14:14 database.yml.example
-rw-r--r-- 1 osomon users    896 23 juil. 10:29 environment.rb
drwxr-xr-x 1 osomon users     84 23 juil. 10:29 environments
-rw-r--r-- 1 osomon users    148 30 mai   14:14 feature.yml
drwxr-xr-x 1 osomon users   1208  3 sept. 13:47 initializers
drwxr-xr-x 1 osomon users     42 30 mai   14:14 locales
-rw-r--r-- 1 osomon users   8714 30 mai   14:14 options.yml.example
-rw-r--r-- 1 osomon users   1778 30 mai   14:14 puma.rb
drwxr-xr-x 1 osomon users     28  3 sept. 13:47 routes
-rw-r--r-- 1 osomon users     65 30 mai   14:14 routes.rb
-rw-r--r-- 1 osomon users    965 30 mai   14:14 secrets.yml
-rw-r--r-- 1 osomon users    110 30 mai   14:14 spring.rb
-rw-r--r-- 1 osomon users    134 30 mai   14:14 storage.yml
-rw-r--r-- 1 osomon users    630 23 juil. 14:06 thinking_sphinx.yml.example

Some information on my filesystem setup (pretty much used the defaults when installing openSUSE Leap 15.5):

$ mount | grep home
/dev/nvme0n1p2 on /home type btrfs (rw,relatime,ssd,space_cache,subvolid=263,subvol=/@/home)

$ find . ! -uid 1000
(nothing)

$ find . ! -group users
(nothing)

And about docker:

$ docker --version
Docker version 25.0.6-ce, build b08a51fe16ee

Please let me know if I can provide more useful information.