As expected, RPM does not like running as non-root, because it mangles a lot of the permissions in the archives.
However, I'm also seeing a related-but-separate issue wherein the permissions on / get set to 0700, making the container unusable for non-root users.
I fixed it by adding subprocess.check_call(["chmod", "0755", dirpath]) at the end of the archive generation process, which seems like it should always be correct because 0755 is the expected mode for /, but I imagine there are edge-cases I am not thinking of.
Are you still maintaining this repo? Are you open to PRs?
There are also some other issues related to the resulting image having incorrect ctime (epoch time 0) that I might look into.
Lastly, do you have any thoughts on how to ensure that the file ownership inside the image layer is correct? I made some very basic attempts at wrapping the cpio commands with fakeroot, but nothing that bore fruit.
What we do in kubevirt is build everything in a build container with podman or docker to get everything right. Podman has the advantage of using user namespaces, which means that it is at least secure to build with 'root'.
I am currently working on an improvement where the files are directly written into tar archives and never extracted to disk. That should in theory keep everything 100% in sync.
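The approach described in that comment, writing layer entries straight into a tar stream with the ownership and mode the package declares instead of extracting to disk and re-reading the host's permissions, as an added example. This is not the project's or the commenter's code. It assumes the package contents have already been decoded into in-memory `Entry` objects (the real input would be the RPM header plus the cpio payload); implicit parent directories are assumed to be root-owned 0755, and `DEFAULT_MTIME` is a constructed stand-in for `SOURCE_DATE_EPOCH` so nothing lands at epoch 0. Because no metadata is ever taken from the build host's filesystem, the build needs neither root nor fakeroot, and `/` cannot end up at 0700.

```python
"""Write an image layer directly into a tar stream with explicit metadata.

Added example, not the project's code. Input is an in-memory list of Entry
objects (assumption: the cpio payload and RPM header have already been
decoded into these). Mode, uid/gid and mtime come only from the entries,
never from os.stat() on the build host.
"""
import io
import tarfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for SOURCE_DATE_EPOCH; avoids epoch-0 timestamps in the layer.
DEFAULT_MTIME = 1_600_000_000


@dataclass
class Entry:
    path: str                     # absolute path inside the image, e.g. "/usr/bin/tool"
    mode: int                     # permission bits as declared by the package
    uid: int = 0
    gid: int = 0
    data: Optional[bytes] = None  # None means directory
    mtime: int = DEFAULT_MTIME


def _arcname(path: str) -> str:
    """'/usr/bin' -> 'usr/bin'; '/' -> '.' (the layer's root directory entry)."""
    return path.strip("/") or "."


def _parents(arcname: str) -> List[str]:
    """Ancestor directories of an archive name, root first ('.' has none)."""
    if arcname == ".":
        return []
    parts = arcname.split("/")
    return ["."] + ["/".join(parts[:i]) for i in range(1, len(parts))]


def build_layer(entries: List[Entry]) -> bytes:
    """Serialise entries into a tar layer; metadata is taken only from the entries."""
    by_name: Dict[str, Entry] = {}
    for e in entries:
        name = _arcname(e.path)
        for parent in _parents(name):
            # Assumption: implicit parents are root-owned 0755 (what a filesystem package ships).
            by_name.setdefault(parent, Entry(path="/" if parent == "." else "/" + parent, mode=0o755))
        by_name[name] = e  # an explicit entry always wins over an implicit parent

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        # '.' first, then lexicographic: a directory always precedes its children.
        for name in sorted(by_name, key=lambda n: (n != ".", n)):
            e = by_name[name]
            info = tarfile.TarInfo(name)
            info.mode = e.mode & 0o7777
            info.uid, info.gid = e.uid, e.gid
            info.uname = "root" if e.uid == 0 else ""
            info.gname = "root" if e.gid == 0 else ""
            info.mtime = e.mtime
            if e.data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.type = tarfile.REGTYPE
                info.size = len(e.data)
                tar.addfile(info, io.BytesIO(e.data))
    return buf.getvalue()


def layer_metadata(layer: bytes) -> Dict[str, Tuple[str, int, int, int, int]]:
    """Map image path -> (kind, mode, uid, gid, mtime) exactly as recorded in the archive."""
    out: Dict[str, Tuple[str, int, int, int, int]] = {}
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
        for m in tar.getmembers():
            bare = m.name.rstrip("/")
            path = "/" if bare in (".", "") else "/" + bare
            out[path] = ("dir" if m.isdir() else "file", m.mode, m.uid, m.gid, m.mtime)
    return out


def find_problems(meta: Dict[str, Tuple[str, int, int, int, int]]) -> List[str]:
    """Flag the defects discussed in this issue: / not 0755 or not root-owned, epoch-0 times."""
    problems: List[str] = []
    root = meta.get("/")
    if root is None or root[0] != "dir":
        problems.append("missing root directory entry")
    else:
        if root[1] != 0o755:
            problems.append(f"/ has mode {root[1]:04o}, expected 0755")
        if root[2:4] != (0, 0):
            problems.append(f"/ owned by {root[2]}:{root[3]}, expected 0:0")
    for path, (_kind, _mode, _uid, _gid, mtime) in meta.items():
        if mtime == 0:
            problems.append(f"{path} has mtime 0")
    return problems


# Constructed sample content standing in for a decoded package payload.
SAMPLE_ENTRIES = [
    Entry("/etc/hostname", 0o644, data=b"builder\n"),
    Entry("/usr/bin/tool", 0o755, data=b"#!/bin/sh\necho ok\n"),
    Entry("/var/cache/app", 0o750, uid=1000, gid=1000),  # service-owned directory
]


def demo_layer() -> bytes:
    """Build the sample layer (three explicit entries plus six implicit directories)."""
    return build_layer(SAMPLE_ENTRIES)


if __name__ == "__main__":
    meta = layer_metadata(demo_layer())
    for path, info in sorted(meta.items()):
        print(f"{path:20} {info[0]:4} {info[1]:04o} {info[2]}:{info[3]} {info[4]}")
    print("problems:", find_problems(meta) or "none")
```

The tar entry for `/` is written explicitly as a root-owned 0755 directory, so the `chmod 0755` workaround from the issue becomes unnecessary; `find_problems()` can be run over any layer (including one produced by the extract-then-archive path) to catch the 0700 root and epoch-0 timestamps before the image is pushed.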