Skip to content

fix(controller): fix Containerfile build with rootless Podman#822

Merged
raballew merged 1 commit into
mainfrom
fix/containerfile-rootless-podman
Jun 23, 2026
Merged

fix(controller): fix Containerfile build with rootless Podman#822
raballew merged 1 commit into
mainfrom
fix/containerfile-rootless-podman

Conversation

@mangelajo

Copy link
Copy Markdown
Member

Problem

The controller Containerfile fails to build with rootless Podman:

go build command-line-arguments: copying /tmp/go-build.../exe/a.out: open manager: permission denied

This breaks make e2e-setup (and any local development using rootless Podman).

Root Cause

The ubi10/go-toolset:1.26.3 base image runs as UID 1001 (default) with the working directory /opt/app-root/src/ owned by default:root.

With rootless Podman, multiple COPY instructions change the working directory ownership in the overlay filesystem to root:root. After several COPY layers, UID 1001 can no longer create new files in the directory, causing go build -o manager to fail with "permission denied".

This does not affect Docker builds (which run as root by default) but breaks rootless Podman environments.

Fix

  • Use a dedicated /build directory with explicitly set ownership (chown 1001:0) instead of relying on the base image's /opt/app-root/src/
  • Add --chown=1001:0 to all COPY instructions to prevent file ownership from reverting to root
  • Update the final stage COPY --from=builder paths to reference /build/

Testing

Verified the fix builds successfully with rootless Podman:

podman build --no-cache -t quay.io/jumpstarter-dev/jumpstarter-controller:latest \
  -f controller/Containerfile controller/
# Successfully tagged quay.io/jumpstarter-dev/jumpstarter-controller:latest

Rootless Podman's overlay filesystem changes the working directory
ownership to root:root after multiple COPY instructions, even when
the base image (ubi10/go-toolset) runs as UID 1001. This causes
'go build -o manager' to fail with 'permission denied' because the
non-root build user can no longer write to the working directory.

Fix by:
- Using a dedicated /build directory with explicitly set ownership
  (chown 1001:0) instead of the base image's /opt/app-root/src/
- Adding --chown=1001:0 to all COPY instructions to prevent file
  ownership from reverting to root
- Updating the final stage COPY to reference /build/ paths
@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4b648941-19ed-439b-9efd-137587d00e66

📥 Commits

Reviewing files that changed from the base of the PR and between a3bcb14 and 212c7fc.

📒 Files selected for processing (1)
  • controller/Containerfile

📝 Walkthrough

Walkthrough

The controller/Containerfile builder stage is updated to use a /build work directory explicitly owned by 1001:0, with USER 0 temporarily used to set ownership. All COPY instructions in the builder stage now include --chown=1001:0. The final runtime stage copies manager and router binaries from /build/ instead of /opt/app-root/src/.

Changes

Controller Containerfile rootless build fix

Layer / File(s) Summary
Builder WORKDIR ownership and final artifact paths
controller/Containerfile
Adds /build WORKDIR creation under USER 0 with chown 1001:0, reverts to USER 1001, adds --chown=1001:0 to all source COPY instructions (go.mod, go.sum, cmd/, api/, internal/), and updates final stage COPY --from=builder paths from /opt/app-root/src/ to /build/ for both manager and router binaries.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit digs a /build burrow with care,
Owning each file with 1001:0 flair,
No rootless woe, no permission denied,
The manager and router hop out with pride,
From /build/ they leap — the path set right! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main fix: addressing a Containerfile build failure with rootless Podman, which is the primary objective of the changeset.
Description check ✅ Passed The description is well-detailed and directly related to the changeset, explaining the problem, root cause, fix, and testing verification for the Containerfile changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/containerfile-rootless-podman

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@mangelajo mangelajo added this to the 0.9.0 milestone Jun 23, 2026
@raballew raballew enabled auto-merge (squash) June 23, 2026 12:24
@raballew raballew merged commit c7c0ec9 into main Jun 23, 2026
33 of 47 checks passed
@raballew raballew deleted the fix/containerfile-rootless-podman branch June 23, 2026 14:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants