Handle read-only trees in data dir cleanup

Go module cache sets files to 0444 and directories to 0555, causing
os.RemoveAll to fail with permission denied when cleaning the data
dir on next VM boot.

Replace the default removeAll with forceRemoveAll which retries after
making directories writable, matching how go clean -modcache works.

Author: JAORMX

options.go

@@ -94,7 +94,7 @@ func defaultConfig() *config {
 		preflight:   preflight.Default(),
 		imageCache:  image.NewCache(filepath.Join(dataDir, "cache")),
 		dataDir:     dataDir,
-		removeAll:   os.RemoveAll,
+		removeAll:   forceRemoveAll,
 		stat:        os.Stat,
 	}
 }

propolis.go

@@ -18,6 +18,7 @@ package propolis
 import (
 	"context"
 	"fmt"
+	"io/fs"
 	"log/slog"
 	"os"
 	"path/filepath"
@@ -258,6 +259,30 @@ func cleanDataDir(cfg *config) error {
 	return nil
 }
 
+// forceRemoveAll removes the given path, handling read-only directory trees
+// such as Go module caches (whose entries are set to 0444/0555). It first
+// attempts a plain os.RemoveAll; on failure it walks the tree making every
+// directory user-writable, then retries.
+func forceRemoveAll(path string) error {
+	err := os.RemoveAll(path)
+	if err == nil {
+		return nil
+	}
+
+	// Make every directory writable so entries can be unlinked.
+	_ = filepath.WalkDir(path, func(p string, d fs.DirEntry, walkErr error) error {
+		if walkErr != nil {
+			return nil // best-effort
+		}
+		if d.IsDir() {
+			_ = os.Chmod(p, 0o700)
+		}
+		return nil
+	})
+
+	return os.RemoveAll(path)
+}
+
 func cacheDir(cfg *config) string {
 	if cfg == nil || cfg.imageCache == nil {
 		return ""

propolis_test.go

@@ -245,6 +245,67 @@ func TestRun_WithCleanDataDir_RemovesStaleState(t *testing.T) {
 	require.NoError(t, err)
 }
 
+func TestRun_WithCleanDataDir_ReadOnlyTree(t *testing.T) {
+	t.Parallel()
+
+	dataDir := t.TempDir()
+	rootfsDir := filepath.Join(dataDir, "rootfs")
+	require.NoError(t, os.MkdirAll(rootfsDir, 0o755))
+
+	// Simulate a Go module cache tree: read-only dirs and files.
+	modDir := filepath.Join(dataDir, "rootfs-work", "go", "pkg", "mod", "example.com@v1.0.0")
+	require.NoError(t, os.MkdirAll(modDir, 0o755))
+	require.NoError(t, os.WriteFile(filepath.Join(modDir, "README.md"), []byte("ro"), 0o444))
+	// Lock down directories to read+execute only, like Go module cache.
+	require.NoError(t, os.Chmod(modDir, 0o555))
+	require.NoError(t, os.Chmod(filepath.Dir(modDir), 0o555))
+
+	handle := &mockVMHandle{id: "ro-test", alive: true}
+	netProv := &mockNetProvider{sockPath: "/tmp/fake.sock"}
+
+	vm, err := Run(context.Background(), "test:latest",
+		WithDataDir(dataDir),
+		WithCleanDataDir(),
+		WithPreflightChecker(preflight.NewEmpty()),
+		WithRootFSPath(rootfsDir),
+		WithNetProvider(netProv),
+		WithBackend(&mockBackend{startHandle: handle}),
+	)
+	require.NoError(t, err)
+	require.NotNil(t, vm)
+
+	// The read-only tree should have been removed.
+	_, err = os.Stat(filepath.Join(dataDir, "rootfs-work"))
+	assert.True(t, os.IsNotExist(err))
+
+	// Rootfs (kept) should still exist.
+	_, err = os.Stat(rootfsDir)
+	require.NoError(t, err)
+}
+
+func TestForceRemoveAll(t *testing.T) {
+	t.Parallel()
+
+	t.Run("removes read-only tree", func(t *testing.T) {
+		t.Parallel()
+		dir := t.TempDir()
+		nested := filepath.Join(dir, "a", "b", "c")
+		require.NoError(t, os.MkdirAll(nested, 0o755))
+		require.NoError(t, os.WriteFile(filepath.Join(nested, "file.txt"), []byte("x"), 0o444))
+		require.NoError(t, os.Chmod(nested, 0o555))
+		require.NoError(t, os.Chmod(filepath.Dir(nested), 0o555))
+
+		require.NoError(t, forceRemoveAll(dir))
+		_, err := os.Stat(dir)
+		assert.True(t, os.IsNotExist(err))
+	})
+
+	t.Run("no error on nonexistent path", func(t *testing.T) {
+		t.Parallel()
+		require.NoError(t, forceRemoveAll("/tmp/does-not-exist-propolis-test"))
+	})
+}
+
 func TestRun_Success(t *testing.T) {
 	t.Parallel()