fix(controller): fix Containerfile build with rootless Podman #822
Rootless Podman's overlay filesystem changes the working directory ownership to root:root after multiple COPY instructions, even when the base image (ubi10/go-toolset) runs as UID 1001. This causes 'go build -o manager' to fail with 'permission denied' because the non-root build user can no longer write to the working directory.

Fix by:
- Using a dedicated /build directory with explicitly set ownership (chown 1001:0) instead of the base image's /opt/app-root/src/
- Adding --chown=1001:0 to all COPY instructions to prevent file ownership from reverting to root
- Updating the final stage COPY to reference /build/ paths
Problem
The controller Containerfile fails to build with rootless Podman:
This breaks make e2e-setup (and any local development using rootless Podman).
Root Cause
The ubi10/go-toolset:1.26.3 base image runs as UID 1001 (default) with the working directory /opt/app-root/src/ owned by default:root.
With rootless Podman, multiple COPY instructions change the working directory ownership in the overlay filesystem to root:root. After several COPY layers, UID 1001 can no longer create new files in the directory, causing go build -o manager to fail with "permission denied".
This does not affect Docker builds (which run as root by default) but breaks rootless Podman environments.
Fix
- /build directory with explicitly set ownership (chown 1001:0) instead of relying on the base image's /opt/app-root/src/
- --chown=1001:0 to all COPY instructions to prevent file ownership from reverting to root
- COPY --from=builder paths to reference /build/
Testing
Verified the fix builds successfully with rootless Podman:
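
A check that keeps this class of failure from returning, as an added example that is not part of the PR or the project's code: it lists COPY/ADD instructions that lack --chown in any stage that has not explicitly switched to root. The sample Containerfile, image names and function names are constructed, and the rule assumes a stage runs non-root unless it says `USER 0` or `USER root`.

```python
from itertools import takewhile

# Constructed sample, not the project's Containerfile: the builder stage
# inherits a non-root default user (such as UID 1001) from its base image.
SAMPLE = """\
FROM registry.example/go-toolset AS builder
WORKDIR /build
COPY go.mod go.sum ./
COPY --chown=1001:0 cmd/ \\
     cmd/
ADD --chown=1001:0 api/ api/
FROM registry.example/minimal
USER 0
COPY --from=builder /build/manager /manager
USER 1001
COPY config/ /config/
"""

def logical_lines(text):
    """Yield (first_line_number, instruction), joining '\\' continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank and comment lines carry no instruction
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", 0

def copies_without_chown(text):
    """Return (line, stage_index, instruction) for each COPY/ADD without
    --chown while the stage has not explicitly switched to root."""
    findings, stage, as_root = [], -1, False
    for n, instr in logical_lines(text):
        parts = instr.split()
        op = parts[0].upper()
        if op == "FROM":
            stage, as_root = stage + 1, False   # base image user is unknown: assume non-root
        elif op == "USER" and len(parts) > 1:
            as_root = parts[1].split(":")[0] in ("0", "root")
        elif op in ("COPY", "ADD"):
            flags = takewhile(lambda p: p.startswith("--"), parts[1:])
            if not as_root and not any(f.startswith("--chown=") for f in flags):
                findings.append((n, stage, instr))
    return findings
```

Run over a Containerfile in CI, a non-empty result from `copies_without_chown` marks the instructions to fix before a rootless build hits "permission denied".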