fix: gracefully handle missing CAP_CHOWN in rootless containers

Wrap all FileUtils.chown calls in a rescue Errno::EPERM block so that
openvoxserver-ca no longer crashes when running inside rootless
containers (e.g. podman rootless, OpenShift with arbitrary UIDs) where
the process lacks the CAP_CHOWN capability.

In these environments file ownership is typically managed through SGID
bits and g=u permission patterns instead of explicit chown calls.

Signed-off-by: Simon Lauger <simon@lauger.de>

Author: slauger

lib/puppetserver/ca/utils/file_system.rb

@@ -60,7 +60,11 @@ def self.forcibly_symlink(source, link_target)
           # Symlink permissions are ignored in favor of the source's permissions,
           # so we don't have to change those.
           source_info = File.stat(source)
-          FileUtils.chown(source_info.uid, source_info.gid, link_target)
+          begin
+            FileUtils.chown(source_info.uid, source_info.gid, link_target)
+          rescue Errno::EPERM # rubocop:disable Lint/SuppressedException
+            # In rootless containers the process may lack CAP_CHOWN.
+          end
         end
 
         def initialize
@@ -93,14 +97,22 @@ def write_file(path, one_or_more_objects, mode)
               f.puts object.to_s
             end
           end
-          FileUtils.chown(@user, @group, path)
+          begin
+            FileUtils.chown(@user, @group, path)
+          rescue Errno::EPERM # rubocop:disable Lint/SuppressedException
+            # In rootless containers the process may lack CAP_CHOWN.
+          end
         end
 
         # Warning: directory mode should be specified in DIR_MODES above
         def ensure_dir(directory)
           if !File.exist?(directory)
             FileUtils.mkdir_p(directory, mode: DIR_MODES[directory])
-            FileUtils.chown(@user, @group, directory)
+            begin
+              FileUtils.chown(@user, @group, directory)
+            rescue Errno::EPERM # rubocop:disable Lint/SuppressedException
+              # In rootless containers the process may lack CAP_CHOWN.
+            end
           end
         end
       end