fix: if not running as root, don't attempt chown#30
Open
dotconfig404 wants to merge 1 commit intoOpenVoxProject:mainfrom
Open
fix: if not running as root, don't attempt chown#30dotconfig404 wants to merge 1 commit intoOpenVoxProject:mainfrom
dotconfig404 wants to merge 1 commit intoOpenVoxProject:mainfrom
Conversation
bastelfreak
reviewed
Apr 9, 2026
|
|
||
| # Ensure the symlink has the same ownership as the source when running | ||
| # with privileges to change ownership. | ||
| if instance.running_as_root? |
Contributor
There was a problem hiding this comment.
Is this really only called when using the CLI? I didn't dig through the code yet, but I thought starting the openvoxserver also creates the symlink. And the process starts as user puppet, not root. But maybe I am wrong, the the symlink is created by different code.
Contributor
slauger
added a commit
to slauger/openvoxserver-ca
that referenced
this pull request
Apr 10, 2026
Guard all three FileUtils.chown call sites in file_system.rb with the existing running_as_root? check so that openvoxserver-ca no longer crashes when running inside rootless containers (e.g. podman rootless, OpenShift with arbitrary UIDs) where the process lacks CAP_CHOWN. Affected methods: forcibly_symlink, write_file, ensure_dir. In these environments file ownership is typically managed through SGID bits and g=u permission patterns instead of explicit chown calls. Inspired by the approach in OpenVoxProject#30. Signed-off-by: Simon Lauger <simon@lauger.de>
Member
|
Thanks for the fix and the idea with the running_as_root? guard - that's a clean approach and consistent with how the class already handles the root check in find_user_and_group. I noticed the fix only covers forcibly_symlink, but there are two more FileUtils.chown calls in the same file that also fail in rootless containers. I liked the approach and adopted it for all three call sites in #32 (plus added specs). |
3 tasks
slauger
added a commit
to slauger/openvoxserver-ca
that referenced
this pull request
Apr 10, 2026
Guard all three FileUtils.chown call sites in file_system.rb with the existing running_as_root? check so that openvoxserver-ca no longer crashes when running inside rootless containers (e.g. podman rootless, OpenShift with arbitrary UIDs) where the process lacks CAP_CHOWN. Affected methods: forcibly_symlink, write_file, ensure_dir. In these environments file ownership is typically managed through SGID bits and g=u permission patterns instead of explicit chown calls. Inspired by the approach in OpenVoxProject#30. Signed-off-by: Simon Lauger <simon@lauger.de>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hi!
puppetserver ca setup/puppetserver ca importcurrently fail in non-root/containerized environments when CA directory compatibility symlinks are created.Puppetserver::Ca::Utils::FileSystem.forcibly_symlinkalways callsFileUtils.chown(...)on the symlink target after creating it.When running without
CAP_CHOWN(for example, arbitrary UID containers), this raisesErrno::EPERMand aborts the command.This PR should ensure that ownership is only harmonized when running as root.
Added unit tests for
Puppetserver::Ca::Utils::FileSystem.forcibly_symlink:FileUtils.chownFileUtils.chownwith source uid/gidAlso verified related setup/import specs still pass.
Thanks!
PS: This PR will remove the need for this