Skip to content

fix(docker): passwordless sudo for the non-root vp user#2088

Merged
graphite-app[bot] merged 1 commit into
mainfrom
docker-nonroot-sudo
Jul 9, 2026
Merged

fix(docker): passwordless sudo for the non-root vp user#2088
graphite-app[bot] merged 1 commit into
mainfrom
docker-nonroot-sudo

Conversation

@fengmk2

@fengmk2 fengmk2 commented Jul 7, 2026

Copy link
Copy Markdown
Member

The toolchain image runs as the non-root vp user but shipped no sudo, so
playwright install --with-deps (Vitest browser mode) and any apt-get during
build or CI failed. When not already root, Playwright installs system libraries
via sudo if present and otherwise falls back to su root, which has no
password in the image, producing su: Authentication failure (the error in the
issue).

Change

Add sudo plus a NOPASSWD sudoers entry for vp. The image keeps its non-root
default (bind-mounted files stay uid 1000, Chromium keeps its sandbox) while
build, CI, and dev steps can reach root on demand. This matches the devcontainer
base images (non-root user + passwordless sudo) rather than flipping the whole
image to root. Docs get the model plus a Vitest browser-mode CI recipe.

Validation

Built a container from the changed layer and confirmed in one run: default user
is non-root vp (uid 1000); which sudo succeeds (so Playwright takes the sudo
branch); sudo -n true and the literal sudo -- sh -c 'apt-get ...' escalation
both work passwordlessly; and the no-sudo negative control reproduces the issue
error verbatim (su: Authentication failure).

Closes #2087

@netlify

netlify Bot commented Jul 7, 2026

Copy link
Copy Markdown

Deploy Preview for viteplus-preview canceled.

Name Link
🔨 Latest commit 5f293a1
🔍 Latest deploy log https://app.netlify.com/projects/viteplus-preview/deploys/6a4f08576f3d1d00086b843c

fengmk2 commented Jul 7, 2026

Copy link
Copy Markdown
Member Author

How to use the Graphite Merge Queue

Add the label auto-merge to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@fengmk2 fengmk2 added the preview-build Publish this PR's commits to the registry bridge as preview builds label Jul 7, 2026
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

✅ Staging deployment successful!

Preview: https://viteplus-staging.void.app/
Commit: 5f293a1

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Registry bridge build (7f34427)

This commit build is published to the registry bridge, which serves these as ordinary npm versions (every other package proxies to npmjs):

Package Version
vite-plus 0.0.0-commit.7f344277062f835a64e16f1eb10badc49c736bc4
@voidzero-dev/vite-plus-core 0.0.0-commit.7f344277062f835a64e16f1eb10badc49c736bc4

Install the Vite+ CLI built from this commit, then migrate a project:

# macOS / Linux
curl -fsSL https://vite.plus | VP_PR_VERSION=2088 bash
# Windows (PowerShell)
$env:VP_PR_VERSION="2088"; irm https://vite.plus/ps1 | iex

After installing, upgrade the current project's vite-plus to this test build with:

vp migrate

Or point your package manager at the bridge registry https://registry-bridge.viteplus.dev/:

Package manager Registry config
npm / pnpm / Bun .npmrc: registry=https://registry-bridge.viteplus.dev/
Yarn (v2+) .yarnrc.yml: npmRegistryServer: "https://registry-bridge.viteplus.dev/"

Then pin the build (vite aliases to vite-plus-core; pnpm can use a catalog, npm an overrides entry):

{
  "devDependencies": {
    "vite-plus": "0.0.0-commit.7f344277062f835a64e16f1eb10badc49c736bc4",
    "vite": "npm:@voidzero-dev/vite-plus-core@0.0.0-commit.7f344277062f835a64e16f1eb10badc49c736bc4"
  }
}

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🐳 Docker preview image

Built from this PR's registry bridge build:

Image Compressed size
ghcr.io/voidzero-dev/vite-plus:pr-2088 241MB
# remove any stale local copy from a previous run, then pull fresh
docker rmi ghcr.io/voidzero-dev/vite-plus:pr-2088 2>/dev/null; docker pull ghcr.io/voidzero-dev/vite-plus:pr-2088

Quick check:

docker run --rm ghcr.io/voidzero-dev/vite-plus:pr-2088 vp --version

See docs/guide/docker.md for usage.

@fengmk2

fengmk2 commented Jul 7, 2026

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c8583b944b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread docs/guide/docker.md Outdated
@fengmk2

fengmk2 commented Jul 7, 2026

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Breezy!

Reviewed commit: a269384d4e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@fengmk2 fengmk2 force-pushed the docker-nonroot-sudo branch from a269384 to 597714e Compare July 8, 2026 15:04
@fengmk2 fengmk2 marked this pull request as ready for review July 8, 2026 15:04
@fengmk2 fengmk2 self-assigned this Jul 8, 2026
@fengmk2 fengmk2 requested review from Brooooooklyn and wan9chi July 8, 2026 15:15
@fengmk2 fengmk2 force-pushed the docker-nonroot-sudo branch from f8f9ca2 to 6274ee2 Compare July 8, 2026 16:23
@fengmk2 fengmk2 requested a review from cpojer July 9, 2026 00:56
@graphite-app

graphite-app Bot commented Jul 9, 2026

Copy link
Copy Markdown

Merge activity

  • Jul 9, 12:57 AM UTC: fengmk2 added this pull request to the Graphite merge queue.
  • Jul 9, 1:10 AM UTC: The Graphite merge queue couldn't merge this PR because it was not satisfying all requirements (Failed CI: 'done', 'CLI snapshot test (x86_64-unknown-linux-gnu)', 'CLI snapshot test (aarch64-apple-darwin)', 'CLI snapshot test (Windows)').
  • Jul 9, 2:32 AM UTC: fengmk2 added this pull request to the Graphite merge queue.
  • Jul 9, 2:41 AM UTC: Merged by the Graphite merge queue.

graphite-app Bot pushed a commit that referenced this pull request Jul 9, 2026
The toolchain image runs as the non-root `vp` user but shipped no `sudo`, so
`playwright install --with-deps` (Vitest browser mode) and any `apt-get` during
build or CI failed. When not already root, Playwright installs system libraries
via `sudo` if present and otherwise falls back to `su root`, which has no
password in the image, producing `su: Authentication failure` (the error in the
issue).

## Change

Add `sudo` plus a NOPASSWD sudoers entry for `vp`. The image keeps its non-root
default (bind-mounted files stay uid 1000, Chromium keeps its sandbox) while
build, CI, and dev steps can reach root on demand. This matches the devcontainer
base images (non-root user + passwordless sudo) rather than flipping the whole
image to root. Docs get the model plus a Vitest browser-mode CI recipe.

## Validation

Built a container from the changed layer and confirmed in one run: default user
is non-root `vp` (uid 1000); `which sudo` succeeds (so Playwright takes the sudo
branch); `sudo -n true` and the literal `sudo -- sh -c 'apt-get ...'` escalation
both work passwordlessly; and the no-sudo negative control reproduces the issue
error verbatim (`su: Authentication failure`).

Closes #2087
@graphite-app graphite-app Bot force-pushed the docker-nonroot-sudo branch from 6274ee2 to 6f512e6 Compare July 9, 2026 00:58
fengmk2 added a commit that referenced this pull request Jul 9, 2026
The toolchain image runs as the non-root `vp` user but shipped no `sudo`, so
`playwright install --with-deps` (Vitest browser mode) and any `apt-get` during
build or CI failed. When not already root, Playwright installs system libraries
via `sudo` if present and otherwise falls back to `su root`, which has no
password in the image, producing `su: Authentication failure` (the error in the
issue).

## Change

Add `sudo` plus a NOPASSWD sudoers entry for `vp`. The image keeps its non-root
default (bind-mounted files stay uid 1000, Chromium keeps its sandbox) while
build, CI, and dev steps can reach root on demand. This matches the devcontainer
base images (non-root user + passwordless sudo) rather than flipping the whole
image to root. Docs get the model plus a Vitest browser-mode CI recipe.

## Validation

Built a container from the changed layer and confirmed in one run: default user
is non-root `vp` (uid 1000); `which sudo` succeeds (so Playwright takes the sudo
branch); `sudo -n true` and the literal `sudo -- sh -c 'apt-get ...'` escalation
both work passwordlessly; and the no-sudo negative control reproduces the issue
error verbatim (`su: Authentication failure`).

Closes #2087
@fengmk2 fengmk2 force-pushed the docker-nonroot-sudo branch from 6f512e6 to bb662c9 Compare July 9, 2026 02:06
The toolchain image runs as the non-root `vp` user but shipped no `sudo`, so
`playwright install --with-deps` (Vitest browser mode) and any `apt-get` during
build or CI failed. When not already root, Playwright installs system libraries
via `sudo` if present and otherwise falls back to `su root`, which has no
password in the image, producing `su: Authentication failure` (the error in the
issue).

## Change

Add `sudo` plus a NOPASSWD sudoers entry for `vp`. The image keeps its non-root
default (bind-mounted files stay uid 1000, Chromium keeps its sandbox) while
build, CI, and dev steps can reach root on demand. This matches the devcontainer
base images (non-root user + passwordless sudo) rather than flipping the whole
image to root. Docs get the model plus a Vitest browser-mode CI recipe.

## Validation

Built a container from the changed layer and confirmed in one run: default user
is non-root `vp` (uid 1000); `which sudo` succeeds (so Playwright takes the sudo
branch); `sudo -n true` and the literal `sudo -- sh -c 'apt-get ...'` escalation
both work passwordlessly; and the no-sudo negative control reproduces the issue
error verbatim (`su: Authentication failure`).

Closes #2087
@graphite-app graphite-app Bot force-pushed the docker-nonroot-sudo branch from 1c82d95 to 5f293a1 Compare July 9, 2026 02:32
@graphite-app graphite-app Bot merged commit 5f293a1 into main Jul 9, 2026
54 checks passed
@graphite-app graphite-app Bot deleted the docker-nonroot-sudo branch July 9, 2026 02:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

preview-build Publish this PR's commits to the registry bridge as preview builds

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Docker image to restrictive for vitest browser mode

2 participants