From 212c7fcbd93ba81eefe668a238ee39de363b71e3 Mon Sep 17 00:00:00 2001 From: Miguel Angel Ajo Pelayo Date: Tue, 23 Jun 2026 09:31:43 +0000 Subject: [PATCH] fix(controller): fix Containerfile build with rootless Podman Rootless Podman's overlay filesystem changes the working directory ownership to root:root after multiple COPY instructions, even when the base image (ubi10/go-toolset) runs as UID 1001. This causes 'go build -o manager' to fail with 'permission denied' because the non-root build user can no longer write to the working directory. Fix by: - Using a dedicated /build directory with explicitly set ownership (chown 1001:0) instead of the base image's /opt/app-root/src/ - Adding --chown=1001:0 to all COPY instructions to prevent file ownership from reverting to root - Updating the final stage COPY to reference /build/ paths --- controller/Containerfile | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/controller/Containerfile b/controller/Containerfile index ea95768a7..4297c619a 100644 --- a/controller/Containerfile +++ b/controller/Containerfile @@ -6,9 +6,17 @@ ARG GIT_VERSION=unknown ARG GIT_COMMIT=unknown ARG BUILD_DATE=unknown +# Create a build directory owned by the build user (1001:0). +# This avoids permission issues with rootless Podman where COPY +# changes the working directory ownership to root. +WORKDIR /build +USER 0 +RUN chown 1001:0 /build +USER 1001 + # Copy the Go Modules manifests -COPY go.mod go.mod -COPY go.sum go.sum +COPY --chown=1001:0 go.mod go.mod +COPY --chown=1001:0 go.sum go.sum # cache deps before building and copying source so that we don't need to re-download as much # and so that source changes don't invalidate our downloaded layer # Cache module downloads across builds 
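Review bot: The `USER 0` / `RUN chown 1001:0 /build` / `USER 1001` sequence hardcodes the builder's UID in several places (the chown and every `COPY --chown=1001:0`) without saying where 1001 comes from, so a base-image bump that changes the default user would fail late at `go build` with the same "permission denied" this commit fixes. The commit message ties 1001 to ubi10/go-toolset; that should be in the Containerfile too, e.g. `# 1001 is the default non-root user of the ubi go-toolset base image; keep in sync with the FROM line`. The root escalation is confined to the builder stage, which is fine as long as the final stage keeps its own `USER` line; a comment on `USER 0` such as `# builder stage only: root is needed to make /build writable for 1001; dropped again below` keeps that intent from being lost. Creating and owning the directory in one root step, `RUN install -d -o 1001 -g 0 /build`, would also avoid relying on WORKDIR's implicit root-owned mkdir.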
@@ -17,9 +25,9 @@ RUN --mount=type=cache,target=/opt/app-root/src/go/pkg/mod,sharing=locked,uid=10 go mod download # Copy the go source -COPY cmd/ cmd/ -COPY api/ api/ -COPY internal/ internal/ +COPY --chown=1001:0 cmd/ cmd/ +COPY --chown=1001:0 api/ api/ +COPY --chown=1001:0 internal/ internal/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command @@ -41,8 +49,8 @@ RUN --mount=type=cache,target=/opt/app-root/src/go/pkg/mod,sharing=locked,uid=1 FROM registry.access.redhat.com/ubi9/ubi-micro:9.8-1779858820@sha256:b498b3ea26111ab4b81d65139f2ebd2ef9a2abb7a4588b7fdcc54889f95e9caa WORKDIR / -COPY --from=builder /opt/app-root/src/manager . -COPY --from=builder /opt/app-root/src/router . +COPY --from=builder /build/manager . +COPY --from=builder /build/router . USER 65532:65532 ENTRYPOINT ["/manager"]
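Review bot: The `go mod download` cache mount on the hunk's leading context line still targets `/opt/app-root/src/go/pkg/mod` even though the working tree moved to `/build`; that is only correct if the base image's `GOPATH`/`GOMODCACHE` still resolves there, which this Containerfile does not show. If it does not, the cache mount is a silent no-op and every build re-downloads modules, and the mount's `uid=` has to match the new 1001 owner for the download to be writable at all. A one-line note on the RUN would pin the assumption, e.g. `# cache target must equal $(go env GOMODCACHE) in the go-toolset image; it is independent of WORKDIR`. That RUN instruction starts before the hunk, so its full mount options are not visible here.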
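Review bot: `COPY --from=builder /build/manager .` and `/build/router .` carry over whatever file mode the builder stage produced; now that the build runs as UID 1001 under rootless Podman, that mode depends on the build user's umask rather than root's, while the final image runs as `USER 65532:65532` and only needs execute permission. Making the mode explicit, `COPY --from=builder --chmod=0555 /build/manager /manager` and the same for `/router`, yields root-owned, read-only, executable binaries for 65532 regardless of how the builder stage is configured (`--chmod` needs the same Buildah/BuildKit feature level the existing `--mount=type=cache` already assumes). Using the absolute destination instead of `.` also decouples the copy from the preceding `WORKDIR /`. The ENTRYPOINT only references `/manager`; whether `/router` is still needed in the final image cannot be told from this diff.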