
build: allow overriding docker UID for rootless environments #862

Open
Suraj-kumar00 wants to merge 1 commit into Dasharo:dasharo from Suraj-kumar00:fix/rootless-docker-uid


@Suraj-kumar00

Description

This PR enables building the coreboot firmware using a rootless Docker setup, fixing Dasharo/dasharo-issues#1197.

Currently, build.sh uses -u $UID for the docker run commands. In a rootless Docker setup, mapping the host's UID into the container causes user-namespace conflict errors. Because $UID is a read-only variable in Bash, it cannot be overridden safely from the command line.

This introduces a DOCKER_UID environment variable that falls back to $UID. Developers using rootless setups can now reproduce builds by running:

DOCKER_UID=root ./build.sh qemu

Because of rootless Docker user namespaces, the container will run as root internally and bypass the permission constraint. The final .rom output file will still be safely owned by the host's standard user.

Testing

  • Standard Docker (Regression Test):

    BUILD_TIMELESS=1 EC_BOARD_VENDOR=clevo EC_BOARD_MODEL=nv40mz ./build.sh

    Builds successfully.

  • Rootless Docker:

    BUILD_TIMELESS=1 DOCKER_UID=root EC_BOARD_VENDOR=clevo EC_BOARD_MODEL=nv40mz ./build.sh

    Successfully completes the build.

  • Verification:
    The SHA256 hashes of the resulting ec.rom files match perfectly between both build environments, confirming reproducible builds without permission errors.

@philipanda
Contributor

Looks like you've copied most of the PR comment from the EC comment. The Test does not really make sense here.

I've tested that myself on a rootless docker installation.
The build does succeed without issues when we set the DOCKER_UID on your revision.
The SHA is not the same though.
The sha256sum I get on your change (e2e8d5a):

  • 5c577cd52dc17c571ac498d51d5cfccd65a1e3130b1164830d28187e09960087.

The hash on the commit prior (5db5cf9) (built on a rootful docker installation):

  • a8bb3f34875f8c564dbabb8b805d97062c7ddbef63384a6e9159a37891458636

We can check what has changed in the binary using romscope.
The reports I got show quite a lot of changes other than revision or timestamps.
Could you help with interpreting them, @mkopec?
report.zip
You can try to run the same checks yourself too, @Suraj-kumar00.

Test procedure

  1. On a fresh Ubuntu 22.04 machine, as a non-root user, install rootless Docker:

     curl -fsSL https://get.docker.com/rootless | sh
     export PATH=$HOME/bin:$PATH
     export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock

  2. Verify it's truly rootless:

     docker info | grep -i rootless

  3. Set up the repo:

     git clone https://github.com/dasharo/coreboot.git && cd coreboot
     git remote add suraj https://github.com/Suraj-kumar00/coreboot.git
     git fetch suraj

  4. Test if it fails on rootless:

     ./build.sh qemu

  5. Test if the fix works:

     git checkout suraj/fix/rootless-docker-uid
     ./build.sh qemu

  6. Build without the fix and compare SHA256:

     sha256sum qemu_q35_v0.2.1-rc1.rom
     git checkout suraj/fix/rootless-docker-uid~1
     ./build.sh qemu
     sha256sum qemu_q35_v0.2.1-rc1.rom
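
A first-pass check for the hash mismatch reported in the comment above, as an added example that is not part of this PR, of build.sh, or of romscope: it hashes two ROM images and, when they differ, prints the differing byte ranges, which shows whether the change is confined to a few fields or spread across the image. The function names and the 16-byte merge gap are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: byte-level comparison of two firmware images that are
# expected to be identical (same source revision, different build hosts).

# Print only the SHA-256 digest of a file.
rom_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Print differing byte ranges as "0xSTART-0xEND LENGTH" (0-based offsets).
# `cmp -l` lists every differing byte with a 1-based decimal offset; awk
# merges offsets into ranges, bridging gaps of up to $3 bytes (default 0).
rom_diff_ranges() {
    local gap="${3:-0}"
    { cmp -l "$1" "$2" 2>/dev/null || true; } | awk -v gap="$gap" '
        { off = $1 - 1 }
        NR == 1 { start = off; end = off; next }
        off - end - 1 <= gap { end = off; next }
        { printf "0x%x-0x%x %d\n", start, end, end - start + 1
          start = off; end = off }
        END { if (NR) printf "0x%x-0x%x %d\n", start, end, end - start + 1 }'
}

# Return 0 if the images are identical, 1 otherwise (and print why).
rom_compare() {
    local a="$1" b="$2" ha hb
    ha=$(rom_sha256 "$a")
    hb=$(rom_sha256 "$b")
    if [ "$ha" = "$hb" ]; then
        echo "identical: $ha"
        return 0
    fi
    echo "differ: $ha vs $hb"
    if [ "$(wc -c < "$a")" -ne "$(wc -c < "$b")" ]; then
        echo "size mismatch: ranges below cover the common prefix only"
    fi
    # 16-byte gap (assumed value) keeps a rewritten struct in one range.
    rom_diff_ranges "$a" "$b" 16
    return 1
}

# Stand-alone use: ./romcmp.sh rootful.rom rootless.rom
if [ "$#" -eq 2 ]; then
    rom_compare "$1" "$2"
fi
```

A handful of short ranges usually points at embedded metadata such as timestamps or version strings, while many ranges across the image call for a structural comparison.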
