GraalVMNativeImage Plugin question

[Reklund3]

I have been working with the GraalVM native image plugin and happened across an issue with file permissions for the exported executable.

OS: Linux Ubuntu Bionic 18.04

When I run graalvm-native-image:packageBin the resulting executable ends up in the projects target folders with permission of root:root instead of my user:group.

Based on the code, my understanding is that the process uses a docker image to build the native image in and then copies the result out to my target folder. I believe that the root permissions are coming from the docker containers permissions that are being applied to the built executable before being copied to my host. This is cause the executible to have root:root on my host.

Is there a way to provide a user to the packageBin command? I think there is a way to query for the uid:gid of the active user and start docker containers so that the internal processes would run as those id's. Would this be something that we could open to a PR as a feature request?

@muuki88

[muuki88]

Hi @Reklund3

Thanks for your question. I must admit I have never used the graalvm feature myself (unfortunately 😢 ).

Based on the code, my understanding is that the process uses a docker image to build the native image in and then copies the result out to my target folder

That's partially correct. Only if you configure the containerBuildImage as described in GraalVM Native Image Plugin docs.

If you do

containerBuildImage := None

docker shouldn't be involved.

I believe that the root permissions are coming from the docker containers permissions that are being applied to the built executable before being copied to my host. This is cause the executible to have root:root on my host

That is possibly true. It may that you run the docker daemon as root thus the resulting output is also root? I mostly use docker for local development, but not in prod, but IIRC there are different permission strategies to run the docker daemon that also affects the generated output.

[Reklund3]

@muuki88, Thanks for the fast response!

I was discussing this with a coworker, and he brought up that we would be building the GraalVM executable inside the CI container that would have GraalVM installed in its base image and wouldn't be spinning up the docker image to build. Due to this I think the containerBuildImage := None would work to side step the root owner issue.

That said, do you see the addition of a UID/GID option for building in the container so that one could provide their local user. so that you are able to delete your target folders from the IDE rather than having to sudo rm -rf ./target from a terminal?

[muuki88]

Sure @Reklund3 . I'm happy for any pull request improving the dev experience ❤️