Rootless Integration tests in Debian fail with "Lchown failed: operation not permitted". #24802

Open
siretart opened this issue Dec 9, 2024 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

Contributor

siretart commented Dec 9, 2024

Issue Description

This is triggered by the specific way Debian's autopkgtest framework sets up the sources. To illustrate, I was able to work around this with this patch:

---
 test/e2e/common_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go
index 61fed90..6d938cf 100644
--- a/test/e2e/common_test.go
+++ b/test/e2e/common_test.go
@@ -1490,7 +1490,7 @@ func CopyDirectory(srcDir, dest string) error {
 		}
 
 		if err := os.Lchown(destPath, int(stat.Uid), int(stat.Gid)); err != nil {
-			return err
+			GinkgoWriter.Printf("Warning: Failed to chown %s to uid=%d, gid=%d: %v\n", destPath, int(stat.Uid), int(stat.Gid), err)
 		}
 
 		fInfo, err := entry.Info()
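
Review bot: In the `os.Lchown` error branch, replacing `return err` with a warning swallows every failure, not only the `operation not permitted` case this works around, so any other lchown error during the copy would also be reduced to a log line. Consider tolerating only permission errors (for example `errors.Is(err, os.ErrPermission)`) and still returning anything else, or dropping the `os.Lchown` call entirely if callers of `CopyDirectory` do not depend on the copied ownership.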


Now I'm getting this output in the log:

  > Enter [It] [email protected] - /tmp/autopkgtest.lL1okL/build.rYm/real-tree/_build/src/github.com/containers/podman/test/e2e/quadlet_test.go:921 @ 12/06/24 15:12:56.818
  Warning: Failed to chown /tmp/podman-e2e-2554937726/subtest-376925938/quadlet/[email protected]/10-env.conf to uid=1000, gid=0: lchown /tmp/podman-e2e-2554937726/subtest-376925938/quadlet/[email protected]/10-env.conf: operation not permitted
  Running: /usr/libexec/podman/quadlet --user --no-kmsg-log /tmp/podman-e2e-2554937726/subtest-376925938/generated with QUADLET_UNIT_DIRS=/tmp/podman-e2e-2554937726/subtest-376925938/quadlet
  < Exit [It] [email protected] - /tmp/autopkgtest.lL1okL/build.rYm/real-tree/_build/src/github.com/containers/podman/test/e2e/quadlet_test.go:921 @ 12/06/24 15:12:56.831 (12ms)

Apparently this is because the sources are installed into the build environment with uid=1000 but gid=0, and the copy operation is failing at setting the gid.

Is that chown really necessary?

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting
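
The ownership rule behind the failure in this report, as an added example that is not part of the original issue or of Podman's code: without CAP_CHOWN a process cannot change a file's owner and can only set its group to one it belongs to. `Identity`, `CanLchown` and `CurrentIdentity` are hypothetical names, treating uid 0 as privileged is a simplification, and the test user's gid of 1000 is an assumption (the report only states uid=1000, gid=0 for the sources).

```go
package main

import (
	"fmt"
	"os"
)

// Identity is what the kernel checks for lchown(2) without CAP_CHOWN (hypothetical type).
type Identity struct {
	UID    int
	Groups []int // effective GID plus supplementary groups
}

// CanLchown reports whether this identity may change a file currently owned
// by fileUID:fileGID to wantUID:wantGID.
func (id Identity) CanLchown(fileUID, fileGID, wantUID, wantGID int) bool {
	if id.UID == 0 {
		return true // simplification: treat uid 0 as holding CAP_CHOWN
	}
	if fileUID != id.UID || wantUID != fileUID {
		return false // not our file, or the owner would change
	}
	if wantGID == fileGID {
		return true // group left unchanged
	}
	for _, g := range id.Groups {
		if g == wantGID {
			return true
		}
	}
	return false
}

// CurrentIdentity reads the credentials of the running process.
func CurrentIdentity() (Identity, error) {
	groups, err := os.Getgroups()
	if err != nil {
		return Identity{}, err
	}
	return Identity{UID: os.Geteuid(), Groups: append(groups, os.Getegid())}, nil
}

func main() {
	// Constructed case from the report: sources are uid=1000 gid=0; the test
	// user is assumed to be 1000:1000, so the fresh copy is owned 1000:1000.
	user := Identity{UID: 1000, Groups: []int{1000}}
	fmt.Println("lchown copy to 1000:0 allowed:", user.CanLchown(1000, 1000, 1000, 0))
	fmt.Println("lchown copy to 1000:1000 allowed:", user.CanLchown(1000, 1000, 1000, 1000))
}
```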

@siretart siretart added the kind/bug Categorizes issue or PR as related to a bug. label Dec 9, 2024
Contributor Author

siretart commented Dec 9, 2024

cc: @Luap99

Member

Luap99 commented Dec 9, 2024

It may not be necessary for the purpose of the test. It looks like this function is only used by quadlet tests so we should be able to change it without worrying about affecting other tests.

Given quadlet only reads the source files it doesn't need any particular permissions as long as the test user can read the files.

> Apparently this is because the sources are installed into the build environment with uid=1000 but gid=0, and the copy operation is failing at setting the gid.

Any reason you cannot chown to $UID:$GID for the entire source tree? That is what we are doing in CI.

Contributor Author

siretart commented Dec 9, 2024

> > Apparently this is because the sources are installed into the build environment with uid=1000 but gid=0, and the copy operation is failing at setting the gid.
>
> Any reason you cannot chown to $UID:$GID for the entire source tree? That is what we are doing in CI.

Interesting.

To be frank, I haven't seriously considered that, but I am a bit pessimistic that this is a good idea. Let me think a bit more where exactly to implement this.

@Luap99 Luap99 self-assigned this Dec 17, 2024
Luap99 added a commit to Luap99/libpod that referenced this issue Dec 17, 2024
If the source dir is owned by another user then in the test the chown will
fail, assuming we run the tests rootless. This function is only used by
the quadlet tests and for that purpose all we need is to read the files,
so the simple fix is to remove the chown, as this should make the tests pass
on the special Debian gating env.

Fixes containers#24802

Signed-off-by: Paul Holzinger <[email protected]>