setup_container_runtime: Proper permission handling
authorDavid Galloway <david.galloway@ibm.com>
Tue, 16 Dec 2025 18:06:22 +0000 (13:06 -0500)
committerDavid Galloway <david.galloway@ibm.com>
Tue, 16 Dec 2025 18:09:57 +0000 (13:09 -0500)
On fresh installs on Noble, `groups` returns `users`, not jenkins-build.

```
jenkins-build@toko01:~$ podman system reset --force
podman system info
WARN[0000] Found incomplete layer "92e4beace908310dc4c6a279e3a4cb7391da53fc9a8d3cce99402fdebe6b67da", deleting it
ERRO[0002] 23 errors occurred:
* unlinkat /home/jenkins-build/.local/share/containers/storage/overlay/0ec3f2ca3bf6a1641caed388c53e76b63e9840354c473412e3deb7d00a510448/diff/usr: permission denied
* unlinkat /home/jenkins-build/.local/share/containers/storage/overlay/8a5ece4bcb661d397bb30a79c74d26e202c4536bf12d07bcf351d6c2fab65790/diff/usr: permission denied
* unlinkat /home/jenkins-build/.local/share/containers/storage/overlay/ee5a1067f3e86d31a3bf233c0c60c6087b2bd39e9e9b3cb5cd8feea92f1e3692/diff/run: permission denied
```

Signed-off-by: David Galloway <david.galloway@ibm.com>
scripts/setup_container_runtime.sh

index d9fbeb3edca998dbae7ac7173b8805467502a6b2..7100b5b9576a3621f29d395fcc29b8abde8f5940 100755 (executable)
@@ -45,7 +45,17 @@ function setup_container_runtime () {
       test -d "$PODMAN_DIR" && command -v restorecon && sudo restorecon -R -T0 -x "$PODMAN_DIR"
       PODMAN_STORAGE_DIR="$PODMAN_DIR/storage"
       if [ -d "$PODMAN_STORAGE_DIR" ]; then
-        sudo chgrp -R "$(groups | cut -d' ' -f1)" "$PODMAN_STORAGE_DIR"
+        # If someone ran "sudo podman" in a job, it can leave root-owned junk in the
+        # *rootless* store and brick future runs. Detect and surgically fix.
+        if sudo find "$PODMAN_STORAGE_DIR" -xdev -mindepth 1 -maxdepth 5 -user root -print -quit | grep -q .; then
+          echo "Detected root-owned files inside rootless podman store; repairing ownership."
+          sudo chown -R "$(id -u):$(id -g)" "$PODMAN_STORAGE_DIR"
+
+          # Also repair common “diff/work not writable” breakage without recursive chmod or chgrp:
+          # ensure the store dirs are at least user-writable so podman can clean up.
+          sudo find "$PODMAN_STORAGE_DIR/overlay" -xdev -type d \( -name diff -o -name work \) -exec chmod u+rwx {} + 2>/dev/null || true
+          sudo find "$PODMAN_STORAGE_DIR/overlay" -xdev -type d -path '*/work/work' -exec chmod u+rwx {} + 2>/dev/null || true
+        fi
         if [ "$(podman unshare du -s --block-size=1G "$PODMAN_STORAGE_DIR" | awk '{print $1}')" -ge 50 ]; then
           time podman system prune --force || \
             time podman image prune --force --all --external
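Review bot: The `sudo chown -R` repair re-owns the entire store rather than only the root-owned entries the preceding `find` diagnosed, so any intact rootless layers whose files carry subordinate uids/gids from the user's subuid/subgid range would presumably be flattened to `$(id -u):$(id -g)` too — and they may well survive here, since the prune below only runs past the 50G threshold. Scoping the fix to what was detected keeps the privileged write matched to the diagnosis: `sudo find "$PODMAN_STORAGE_DIR" -xdev -user root -exec chown -h "$(id -u):$(id -g)" {} +` (without the `-maxdepth 5` used for detection, and with `-h` so a symlink planted inside the store cannot redirect the chown to its target). For later triage of which job ran `sudo podman`, it would also help to keep the first offending path instead of discarding it through `grep -q .`, e.g. `offender=$(sudo find "$PODMAN_STORAGE_DIR" -xdev -mindepth 1 -maxdepth 5 -user root -print -quit)` followed by `if [ -n "$offender" ]; then echo "Detected root-owned files inside rootless podman store ($offender); repairing ownership."`. setup_container_runtime begins before this hunk and continues after it.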