fix: gracefully handle missing CAP_CHOWN in rootless containers #32

Open
slauger wants to merge 1 commit into OpenVoxProject:main from slauger:fix/rootless-chown

@slauger (Member) commented Apr 7, 2026

Summary

  • Guards all three FileUtils.chown call sites in file_system.rb with the existing running_as_root? check so they are skipped in rootless containers
  • Affects forcibly_symlink, write_file, and ensure_dir
  • Adds unit tests for all three methods (root and non-root paths)
  • In rootless environments (podman rootless, OpenShift arbitrary UIDs) file ownership is typically handled by SGID bits and g=u permission patterns instead of explicit chown

This approach reuses the running_as_root? method that already exists in the class (used by find_user_and_group), keeping the logic consistent. Inspired by the approach in #30.

This eliminates the need for sed patches in container images (see OpenVoxProject/container-openvoxserver#123).

Test plan

  • Unit tests for forcibly_symlink, write_file, and ensure_dir (root and non-root paths)
  • Run puppetserver ca setup in a rootless podman container and verify it completes without error
  • Run puppetserver ca setup as root and verify ownership is still set correctly

Ref: OpenVoxProject/container-openvoxserver#123

@slauger force-pushed the fix/rootless-chown branch from a41ca66 to 5bce4cf on April 7, 2026 14:04

@sebastianrakel

This appears to be a quick fix that could introduce unintended consequences. Perhaps we should implement your alternative approach and make it configurable via an environment variable instead.

@bastelfreak (Contributor)

In OpenVoxProject/openvox#362 we had a similar fix. There's already an option to skip permission management in openvox. We could check if it's set to false and then skip the chown.

@slauger (Member, Author) commented Apr 10, 2026

Replaced the previous rescue Errno::EPERM approach with the running_as_root? guard from #30 - it's cleaner and consistent with how find_user_and_group already handles this. Extended the guard to cover all three FileUtils.chown call sites (forcibly_symlink, write_file, ensure_dir) and added unit tests.

Guard all three FileUtils.chown call sites in file_system.rb with the
existing running_as_root? check so that openvoxserver-ca no longer
crashes when running inside rootless containers (e.g. podman rootless,
OpenShift with arbitrary UIDs) where the process lacks CAP_CHOWN.

Affected methods: forcibly_symlink, write_file, ensure_dir.

In these environments file ownership is typically managed through SGID
bits and g=u permission patterns instead of explicit chown calls.

Inspired by the approach in OpenVoxProject#30.

Signed-off-by: Simon Lauger <simon@lauger.de>

@slauger force-pushed the fix/rootless-chown branch from 5021079 to 474eccd on April 10, 2026 09:36
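
The guard this thread discusses, as an added Ruby example that is not code from the pull request or from openvoxserver-ca: the chown is skipped for a non-root process, and a second helper checks a directory mode for the SGID plus g=u pattern the description mentions. The module name, the return symbols, the injectable `root:` and `chown:` parameters and the `svc` account name are assumptions made for the illustration.

```ruby
require 'fileutils'

# Hypothetical helper module for illustration; not the project's file_system.rb.
module RootlessSafeFs
  SGID = 0o2000

  # Stand-in for the running_as_root? check named in the PR
  # (assumption: it tests for effective UID 0).
  def self.running_as_root?
    Process.euid.zero?
  end

  # Write a file with an explicit mode and change ownership only when root.
  # Returns :chowned or :skipped so the caller can log which path was taken.
  # `root` and `chown` are injectable so both paths can be tested anywhere.
  def self.write_file(path, content, mode, owner:, group:,
                      root: running_as_root?, chown: FileUtils.method(:chown))
    File.open(path, 'w', mode) { |f| f.write(content) }
    # The mode passed to File.open is masked by the umask, so set it again.
    File.chmod(mode, path)
    return :skipped unless root

    chown.call(owner, group, path)
    :chowned
  end

  # True when a directory mode follows the rootless layout: SGID set (new
  # entries inherit the directory's group) and group bits equal to the
  # owner's bits (g=u), so group members can do what the owner can.
  def self.sgid_g_equals_u?(mode)
    user_bits  = (mode >> 6) & 0o7
    group_bits = (mode >> 3) & 0o7
    (mode & SGID) != 0 && user_bits == group_bits
  end
end
```

An effective-UID test is a proxy for CAP_CHOWN rather than a capability check: a UID 0 process whose CAP_CHOWN was dropped still gets EPERM from chown.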