Set fixed Docker GID to avoid collisions with some groups #523
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
myoung34
requested changes
Nov 24, 2025
build/tools.sh
Outdated
| rm -rf /tmp/lfs.tar.gz "/tmp/git-lfs-${GIT_LFS_VERSION}" | ||
| } | ||
|
|
||
| function configure_docker_group_id() { |
Owner
There was a problem hiding this comment.
This should go around here instead, no need to make it a function, just do groupadd -g "$(docker_group_id)" docker || :
Contributor
Author
There was a problem hiding this comment.
Thanks for the suggestion! Moving it to here, unfortunately, doesn't work. The Docker packages automatically create the docker group with GID 999 during install_tools_apt. We need to create it with GID 500 beforehand to prevent this.
getent group docker
docker:x:999:runner
groupadd -g 500 docker || :
groupadd: group 'docker' already exists
Owner
There was a problem hiding this comment.
You can add it after
just before install_tools_apt and install_tools so that it exists before those run, just add a comment above such as# The docker group needs to run before installers or similar
myoung34
approved these changes
Nov 24, 2025
myoung34
requested changes
Nov 24, 2025
Owner
myoung34
left a comment
myoung34
left a comment
There was a problem hiding this comment.
Last nit, if you'll modify
to havegroup:
runner:
exists: true
gid: 121
docker:
exists: true
gid: 500
then the tests will verify that the group change works as expected
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Stabilise Docker GID to Prevent Conflicts With Base System Services
This PR resolves an issue where the Docker group GID changes unpredictably between image builds. This instability causes failures in Docker-related operations, especially when using the image in containerised GitHub Actions workflows (runs_on: container).
Across recent GitHub Actions Runner image releases (e.g., 2.328.0 to 2.330.0), the GID assigned to the docker group has been inconsistent, landing somewhere in the 990–999 range.
Example
This GID drift breaks downstream images, the underlying cause is that several system services installed before Docker create groups that occupy the upper-range GIDs first. As a result, by the time the Docker package installs, the expected GID is already taken.
Common conflicting system groups include:
To prevent future collisions, the PR pre-creates the docker group before any Docker-related installation occurs, assigning it a fixed, safe GID.
Docker group GID is now fixed at 500.
Looking forward to hearing your feedback.