fix: add rootless support for Ubuntu container image

slauger · slauger · commit dbf958baedfb · 2026-04-03T00:14:44.000+02:00
Add the same rootless patches as the Alpine image:
- Patch openvoxserver-ca symlink_to_old_cadir and FileUtils.chown
- Patch foreground script restartcounter (touch+chmod instead of install --owner)
- Patch puppetserver USER check for non-root execution
- Add OpenShift random UID pattern (chgrp 0, chmod g=u, SGID)
- Set HOME explicitly for random UIDs
- Run as non-root user (USER 999:0)
diff --git a/openvoxserver/Containerfile b/openvoxserver/Containerfile
@@ -115,6 +115,41 @@ COPY conf.d/puppetserver.conf \
 
 COPY puppetdb.conf /var/tmp/puppet/
 
+# explicitly set HOME: random UIDs will cause HOME to be "/" generally
+ENV HOME=/opt/puppetlabs/server/data/puppetserver
+
+# Patch openvoxserver-ca to skip cadir symlink and chown (fails rootless)
+RUN find / -path '*/openvoxserver-ca-*/lib/puppetserver/ca/action/setup.rb' \
+         -exec sed -i '/Puppetserver::Ca::Utils::Config\.symlink_to_old_cadir/ s/^/# /' {} + 2>/dev/null \
+    ; find / -path '*/openvoxserver-ca-*/lib/puppetserver/ca/utils/file_system.rb' \
+         -exec sed -i 's/FileUtils\.chown/# FileUtils.chown/' {} + 2>/dev/null \
+    ; true
+
+# `install --owner/--group` in the foreground script requires CAP_CHOWN which
+# is not available in rootless containers. Replace with a simple touch + chmod.
+RUN sed -i 's|printf.*install -D --owner.*restartfile.*|touch "$restartfile" \&\& chmod 0644 "$restartfile"|' \
+  /opt/puppetlabs/server/apps/puppetserver/cli/apps/foreground
+
+# the foreground starting script has this check before running the server:
+# [ "$EUID" = "$(id -u ${USER})" ]
+# simply calling `id -u` results in the UID of the current user and the check will pass
+RUN sed -i 's/^ *USER="puppet"/USER=""/' /etc/default/puppetserver
+
+# mirror user permissions to group, set group to root, and set gid bit on dirs
+RUN for d in \
+    /etc/puppetlabs \
+    /var/log/puppetlabs \
+    /var/run/puppetlabs \
+    /opt/puppetlabs \
+  ; do \
+    mkdir -p "$d"; \
+    chgrp -R 0 "$d"; \
+    chmod -R g=u "$d"; \
+    find "$d" -type d -exec chmod g+s {} +; \
+  done
+
+USER ${OPENVOX_USER_UID}:0
+
 # k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
 HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]
 
