fix(docker): passwordless sudo for the non-root vp user#2088
Conversation
✅ Deploy Preview for viteplus-preview canceled.
|
How to use the Graphite Merge QueueAdd the label auto-merge to this PR to add it to the merge queue. You must have a Graphite account in order to use the merge queue. Sign up using this link. An organization admin has enabled the Graphite Merge Queue in this repository. Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue. This stack of pull requests is managed by Graphite. Learn more about stacking. |
|
✅ Staging deployment successful! Preview: https://viteplus-staging.void.app/ |
Registry bridge build (
|
| Package | Version |
|---|---|
vite-plus |
0.0.0-commit.7f344277062f835a64e16f1eb10badc49c736bc4 |
@voidzero-dev/vite-plus-core |
0.0.0-commit.7f344277062f835a64e16f1eb10badc49c736bc4 |
Install the Vite+ CLI built from this commit, then migrate a project:
# macOS / Linux
curl -fsSL https://vite.plus | VP_PR_VERSION=2088 bash# Windows (PowerShell)
$env:VP_PR_VERSION="2088"; irm https://vite.plus/ps1 | iexAfter installing, upgrade the current project's vite-plus to this test build with:
vp migrateOr point your package manager at the bridge registry https://registry-bridge.viteplus.dev/:
| Package manager | Registry config |
|---|---|
| npm / pnpm / Bun | .npmrc: registry=https://registry-bridge.viteplus.dev/ |
| Yarn (v2+) | .yarnrc.yml: npmRegistryServer: "https://registry-bridge.viteplus.dev/" |
Then pin the build (vite aliases to vite-plus-core; pnpm can use a catalog, npm an overrides entry):
{
"devDependencies": {
"vite-plus": "0.0.0-commit.7f344277062f835a64e16f1eb10badc49c736bc4",
"vite": "npm:@voidzero-dev/vite-plus-core@0.0.0-commit.7f344277062f835a64e16f1eb10badc49c736bc4"
}
}
🐳 Docker preview imageBuilt from this PR's registry bridge build:
# remove any stale local copy from a previous run, then pull fresh
docker rmi ghcr.io/voidzero-dev/vite-plus:pr-2088 2>/dev/null; docker pull ghcr.io/voidzero-dev/vite-plus:pr-2088Quick check: docker run --rm ghcr.io/voidzero-dev/vite-plus:pr-2088 vp --versionSee docs/guide/docker.md for usage. |
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c8583b944b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
|
Codex Review: Didn't find any major issues. Breezy! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
a269384 to
597714e
Compare
f8f9ca2 to
6274ee2
Compare
Merge activity
|
The toolchain image runs as the non-root `vp` user but shipped no `sudo`, so `playwright install --with-deps` (Vitest browser mode) and any `apt-get` during build or CI failed. When not already root, Playwright installs system libraries via `sudo` if present and otherwise falls back to `su root`, which has no password in the image, producing `su: Authentication failure` (the error in the issue). ## Change Add `sudo` plus a NOPASSWD sudoers entry for `vp`. The image keeps its non-root default (bind-mounted files stay uid 1000, Chromium keeps its sandbox) while build, CI, and dev steps can reach root on demand. This matches the devcontainer base images (non-root user + passwordless sudo) rather than flipping the whole image to root. Docs get the model plus a Vitest browser-mode CI recipe. ## Validation Built a container from the changed layer and confirmed in one run: default user is non-root `vp` (uid 1000); `which sudo` succeeds (so Playwright takes the sudo branch); `sudo -n true` and the literal `sudo -- sh -c 'apt-get ...'` escalation both work passwordlessly; and the no-sudo negative control reproduces the issue error verbatim (`su: Authentication failure`). Closes #2087
6274ee2 to
6f512e6
Compare
The toolchain image runs as the non-root `vp` user but shipped no `sudo`, so `playwright install --with-deps` (Vitest browser mode) and any `apt-get` during build or CI failed. When not already root, Playwright installs system libraries via `sudo` if present and otherwise falls back to `su root`, which has no password in the image, producing `su: Authentication failure` (the error in the issue). ## Change Add `sudo` plus a NOPASSWD sudoers entry for `vp`. The image keeps its non-root default (bind-mounted files stay uid 1000, Chromium keeps its sandbox) while build, CI, and dev steps can reach root on demand. This matches the devcontainer base images (non-root user + passwordless sudo) rather than flipping the whole image to root. Docs get the model plus a Vitest browser-mode CI recipe. ## Validation Built a container from the changed layer and confirmed in one run: default user is non-root `vp` (uid 1000); `which sudo` succeeds (so Playwright takes the sudo branch); `sudo -n true` and the literal `sudo -- sh -c 'apt-get ...'` escalation both work passwordlessly; and the no-sudo negative control reproduces the issue error verbatim (`su: Authentication failure`). Closes #2087
6f512e6 to
bb662c9
Compare
The toolchain image runs as the non-root `vp` user but shipped no `sudo`, so `playwright install --with-deps` (Vitest browser mode) and any `apt-get` during build or CI failed. When not already root, Playwright installs system libraries via `sudo` if present and otherwise falls back to `su root`, which has no password in the image, producing `su: Authentication failure` (the error in the issue). ## Change Add `sudo` plus a NOPASSWD sudoers entry for `vp`. The image keeps its non-root default (bind-mounted files stay uid 1000, Chromium keeps its sandbox) while build, CI, and dev steps can reach root on demand. This matches the devcontainer base images (non-root user + passwordless sudo) rather than flipping the whole image to root. Docs get the model plus a Vitest browser-mode CI recipe. ## Validation Built a container from the changed layer and confirmed in one run: default user is non-root `vp` (uid 1000); `which sudo` succeeds (so Playwright takes the sudo branch); `sudo -n true` and the literal `sudo -- sh -c 'apt-get ...'` escalation both work passwordlessly; and the no-sudo negative control reproduces the issue error verbatim (`su: Authentication failure`). Closes #2087
1c82d95 to
5f293a1
Compare

The toolchain image runs as the non-root
vpuser but shipped nosudo, soplaywright install --with-deps(Vitest browser mode) and anyapt-getduringbuild or CI failed. When not already root, Playwright installs system libraries
via
sudoif present and otherwise falls back tosu root, which has nopassword in the image, producing
su: Authentication failure(the error in theissue).
Change
Add
sudoplus a NOPASSWD sudoers entry forvp. The image keeps its non-rootdefault (bind-mounted files stay uid 1000, Chromium keeps its sandbox) while
build, CI, and dev steps can reach root on demand. This matches the devcontainer
base images (non-root user + passwordless sudo) rather than flipping the whole
image to root. Docs get the model plus a Vitest browser-mode CI recipe.
Validation
Built a container from the changed layer and confirmed in one run: default user
is non-root
vp(uid 1000);which sudosucceeds (so Playwright takes the sudobranch);
sudo -n trueand the literalsudo -- sh -c 'apt-get ...'escalationboth work passwordlessly; and the no-sudo negative control reproduces the issue
error verbatim (
su: Authentication failure).Closes #2087