Search code examples
dockerbazelbazel-rulesbazel-aspectrules-oci

Can't load image tarball into Docker because Docker wants root user but Bazel wants non-root user

Context

I want to use Bazel to build Docker images. I'm using rules_oci, which Bazel recommends for this use case.

The rule of interest is oci_tarball. Running bazel build would create a tarball that can be loaded in by Docker. You can use bazel run to have Bazel do it on your behalf.

the oci_image target can be loaded into the daemon by running bazel build :tarball, docker load -i bazel-bin/tarball/tarball.tar respectively.

Explanation

I see no way to load the image tarball into Docker successfully because of a catch-22:

  • Docker requires the root user to load the tarball using bazel run.
  • Bazel's hermetic Python interpreter refuses to run as root.

Reproducing my issue

My machine is an M2 Sonoma 14.5 Macintosh. However, I imagine that the same problem would manifest on a Linux machine.

Check out my small PR (the first PR in my repo). I say "small" despite the 2,814 lines added because most of the lines come from the MODULE.bazel.lock file, which you can freely ignore.

Install Bazelisk using Homebrew and Docker Desktop. Sorry if I'm forgetting some dependencies.

Go to the repository directory and run bazel run //abacus/genesis:genesis to see the non-root user output or sudo bazel run //abacus/genesis:genesis to see the root user output.

Output

Non-root user

➜  monorepo-alpha git:(jalvarado/poc) bazel run //abacus/genesis:genesis
INFO: Analyzed target //abacus/genesis:genesis (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
Target //abacus/genesis:genesis up-to-date:
  bazel-bin/abacus/genesis/genesis/tarball.spec
INFO: Elapsed time: 0.105s, Critical Path: 0.00s
INFO: 1 process: 1 internal.
INFO: Build completed successfully, 1 total action
INFO: Running command line: bazel-bin/abacus/genesis/genesis.sh
Cannot connect to the Docker daemon at unix:///Users/josalvatorre/.docker/run/docker.sock. Is the docker daemon running?
tar: (null)

Root user

➜  monorepo-alpha git:(jalvarado/poc) sudo bazel run //abacus/genesis:genesis
Password:
Extracting Bazel installation...
Starting local Bazel server and connecting to it...
INFO: Repository rules_python~~python~python_3_11_aarch64-apple-darwin instantiated at:
  <builtin>: in <toplevel>
Repository rule python_repository defined at:
  /private/var/tmp/_bazel_root/5ad888b49df0a0d5e008e30fa7c56d14/external/rules_python~/python/repositories.bzl:381:36: in <toplevel>
ERROR: An error occurred during the fetch of repository 'rules_python~~python~python_3_11_aarch64-apple-darwin':
   Traceback (most recent call last):
    File "/private/var/tmp/_bazel_root/5ad888b49df0a0d5e008e30fa7c56d14/external/rules_python~/python/repositories.bzl", line 197, column 25, in _python_repository_impl
        fail("The current user is root, please run as non-root when using the hermetic Python interpreter. See https://github.com/bazelbuild/rules_python/pull/713.")
Error in fail: The current user is root, please run as non-root when using the hermetic Python interpreter. See https://github.com/bazelbuild/rules_python/pull/713.
ERROR: <builtin>: fetching python_repository rule //:rules_python~~python~python_3_11_aarch64-apple-darwin: Traceback (most recent call last):
    File "/private/var/tmp/_bazel_root/5ad888b49df0a0d5e008e30fa7c56d14/external/rules_python~/python/repositories.bzl", line 197, column 25, in _python_repository_impl
        fail("The current user is root, please run as non-root when using the hermetic Python interpreter. See https://github.com/bazelbuild/rules_python/pull/713.")
Error in fail: The current user is root, please run as non-root when using the hermetic Python interpreter. See https://github.com/bazelbuild/rules_python/pull/713.
ERROR: no such package '@@rules_python~~python~python_3_11_aarch64-apple-darwin//': The current user is root, please run as non-root when using the hermetic Python interpreter. See https://github.com/bazelbuild/rules_python/pull/713.
ERROR: /private/var/tmp/_bazel_root/5ad888b49df0a0d5e008e30fa7c56d14/external/rules_pkg~/pkg/private/tar/BUILD:49:10: @@rules_pkg~//pkg/private/tar:build_tar depends on @@rules_python~~python~python_3_11_aarch64-apple-darwin//:python_runtimes in repository @@rules_python~~python~python_3_11_aarch64-apple-darwin which failed to fetch. no such package '@@rules_python~~python~python_3_11_aarch64-apple-darwin//': The current user is root, please run as non-root when using the hermetic Python interpreter. See https://github.com/bazelbuild/rules_python/pull/713.
ERROR: Analysis of target '//abacus/genesis:genesis' failed; build aborted: Analysis failed
INFO: Elapsed time: 15.226s, Critical Path: 0.01s
INFO: 1 process: 1 internal.
ERROR: Build did NOT complete successfully
ERROR: Build failed. Not running target
Solution

  • You need to ensure that your docker is properly installed, running and your account have access to it. The non-root case is simply showing docker daemon is not running.

    use "docker ps" command without root to check docker daemon is running. If it is not running you can start it with your docker desktop app and then you can build the image as non-privileged user.

    Tested on M1 Mac with MacOS 14.5 and container exited with code 0.