taprpc+scripts: add comprehensive Podman support to build system

ffranr · ffranr · commit 48e3b198a61c · 2026-01-06T12:16:21.000Z
Detect Podman by checking "$DOCKER --version", allowing overrides via
the DOCKER environment variable. Retain "--user $UID:$(id -g)" for
Docker/CI to ensure generated files are user-owned. For Podman, switch
to "--user=0:0" to avoid EACCES errors caused by rootless subuid/subgid
remapping on bind mounts.

Changes:
- scripts/docker_helpers.sh: new shared helper for Docker/Podman
  detection and user argument selection
- scripts/gen_sqlc_docker.sh: source shared helper for container runtime
  detection; properly quote variables
- taprpc/gen_protos_docker.sh: source shared helper for container
  runtime detection; properly quote variables
- Makefile: add DOCKER variable and IS_PODMAN detection; update
  DOCKER_TOOLS, docker-release, and docker-tools targets to use
  configurable runtime
- make/release_flags.mk: add Podman detection with conditional user
  args for DOCKER_RELEASE_HELPER

Fixes "Permission denied" errors with rootless Podman, while preserving
existing Docker behavior.
diff --git a/Makefile b/Makefile
@@ -51,22 +51,26 @@ ifneq ($(workers),)
 LINT_WORKERS = --concurrency=$(workers)
 endif
 
+# Use docker by default; allow overrides and detect podman wrapper.
+DOCKER ?= docker
+IS_PODMAN := $(shell $(DOCKER) --version 2>/dev/null | grep -qi podman && echo 1 || echo 0)
+
 # Docker cache mounting strategy:
 # - CI (GitHub Actions): Use bind mounts to host paths that GA caches persist.
 # - Local: Use Docker named volumes (much faster on macOS/Windows due to
 #   avoiding slow host-syncing overhead).
 # Paths inside container must match GOCACHE/GOMODCACHE in tools/Dockerfile.
 ifdef CI
 # CI mode: bind mount to host paths that GitHub Actions caches.
-DOCKER_TOOLS = docker run \
+DOCKER_TOOLS = $(DOCKER) run \
   --rm \
   -v $${HOME}/.cache/go-build:/tmp/build/.cache \
   -v $${HOME}/go/pkg/mod:/tmp/build/.modcache \
   -v $${HOME}/.cache/golangci-lint:/root/.cache/golangci-lint \
   -v $$(pwd):/build taproot-assets-tools
 else
 # Local mode: Docker named volumes for fast macOS/Windows performance.
-DOCKER_TOOLS = docker run \
+DOCKER_TOOLS = $(DOCKER) run \
   --rm \
   -v tapd-go-build-cache:/tmp/build/.cache \
   -v tapd-go-mod-cache:/tmp/build/.modcache \
@@ -157,15 +161,15 @@ docker-release:
 	@$(call print, "Building release helper docker image.")
 	if [ "$(tag)" = "" ]; then echo "Must specify tag=<commit_or_tag>!"; exit 1; fi
 
-	docker build -t taproot-assets-release-helper -f make/builder.Dockerfile make/
+	$(DOCKER) build -t taproot-assets-release-helper -f make/builder.Dockerfile make/
 
 	# Run the actual compilation inside the docker image. We pass in all flags
 	# that we might want to overwrite in manual tests.
 	$(DOCKER_RELEASE_HELPER) make release tag="$(tag)" sys="$(sys)" COMMIT="$(COMMIT)"
 
 docker-tools:
 	@$(call print, "Building tools docker image.")
-	docker build -q -t taproot-assets-tools $(TOOLS_DIR)
+	$(DOCKER) build -q -t taproot-assets-tools $(TOOLS_DIR)
 
 scratch: build
 
diff --git a/make/release_flags.mk b/make/release_flags.mk
@@ -8,10 +8,22 @@ VERSION_TAG = $(tag)
 VERSION_CHECK = ./scripts/release.sh check-tag "$(VERSION_TAG)" "$(VERSION_GO_FILE)"
 endif
 
-DOCKER_RELEASE_HELPER = docker run \
+# Use docker by default; allow overrides and detect podman wrapper.
+DOCKER ?= docker
+IS_PODMAN_RELEASE := $(shell $(DOCKER) --version 2>/dev/null | grep -qi podman && echo 1 || echo 0)
+
+# For Podman rootless, use --user=0:0 to avoid permission issues.
+# For Docker, use current user to ensure generated files are user-owned.
+ifeq ($(IS_PODMAN_RELEASE),1)
+USER_ARGS = --user=0:0
+else
+USER_ARGS = --user $(shell id -u):$(shell id -g)
+endif
+
+DOCKER_RELEASE_HELPER = $(DOCKER) run \
   -it \
   --rm \
-  --user $(shell id -u):$(shell id -g) \
+  $(USER_ARGS) \
   -v $(shell pwd):/tmp/build/taproot-assets \
   -v $(shell bash -c "go env GOCACHE || (mkdir -p /tmp/go-cache; echo /tmp/go-cache)"):/tmp/build/.cache \
   -v $(shell bash -c "go env GOMODCACHE || (mkdir -p /tmp/go-modcache; echo /tmp/go-modcache)"):/tmp/build/.modcache \
diff --git a/scripts/docker_helpers.sh b/scripts/docker_helpers.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# docker_helpers.sh: Common Docker/Podman detection and configuration
+#
+# This script should be sourced by other scripts that need to run Docker or
+# Podman commands. It sets up the DOCKER variable and user_args array based
+# on whether Docker or Podman is being used.
+#
+# Usage:
+#   source scripts/docker_helpers.sh
+#   $DOCKER run "${user_args[@]}" ...
+
+# Use docker by default; allow overrides and detect podman wrapper.
+DOCKER=${DOCKER:-docker}
+user_args=(--user "$UID:$(id -g)")
+if "$DOCKER" --version 2>/dev/null | grep -qi podman; then
+	user_args=(--user=0:0)
+fi
diff --git a/scripts/gen_sqlc_docker.sh b/scripts/gen_sqlc_docker.sh
@@ -2,6 +2,12 @@
 
 set -e
 
+# Directory of the script file, independent of where it's called from.
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Source Docker/Podman detection helper.
+source "$DIR/docker_helpers.sh"
+
 # restore_files is a function to restore original schema files.
 restore_files() {
 	echo "Restoring SQLite bigint patch..."
@@ -14,9 +20,6 @@ restore_files() {
 # are always restored.
 trap restore_files EXIT
 
-# Directory of the script file, independent of where it's called from.
-DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-
 # Use the user's cache directories.
 GOCACHE=$(go env GOCACHE)
 GOMODCACHE=$(go env GOMODCACHE)
@@ -40,9 +43,9 @@ echo "Generating sql models and queries in go..."
 
 # Run the script to generate the new generated code. Once the script exits, we
 # use `trap` to make sure all files are restored.
-docker run \
+$DOCKER run \
 	--rm \
-	--user "$UID:$(id -g)" \
+	"${user_args[@]}" \
 	-e UID=$UID \
 	-v "$DIR/../:/build" \
 	-w /build \
diff --git a/taprpc/gen_protos_docker.sh b/taprpc/gen_protos_docker.sh
@@ -5,21 +5,24 @@ set -e
 # Directory of the script file, independent of where it's called from.
 DIR="$(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)"
 
+# Source Docker/Podman detection helper.
+source "$DIR/../scripts/docker_helpers.sh"
+
 PROTOBUF_VERSION=$(go list -f '{{.Version}}' -m google.golang.org/protobuf)
 GRPC_GATEWAY_VERSION=$(go list -f '{{.Version}}' -m github.com/grpc-ecosystem/grpc-gateway/v2)
 LND_VERSION=$(go list -f '{{.Version}}' -m github.com/lightningnetwork/lnd)
 
 echo "Building protobuf compiler docker image..."
-docker build -t taproot-assets-protobuf-builder \
+$DOCKER build -t taproot-assets-protobuf-builder \
   --build-arg PROTOBUF_VERSION="$PROTOBUF_VERSION" \
   --build-arg GRPC_GATEWAY_VERSION="$GRPC_GATEWAY_VERSION" \
   --build-arg LND_VERSION="$LND_VERSION" \
   .
 
 echo "Compiling and formatting *.proto files..."
-docker run \
+$DOCKER run \
   --rm \
-  --user "$UID:$(id -g)" \
+  "${user_args[@]}" \
   -e UID=$UID \
   -e COMPILE_MOBILE \
   -e SUBSERVER_PREFIX \
