From 58c85f889f6ed723252d39a8f02dbf26afdfd503 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Tue, 16 Dec 2025 13:06:22 -0500
Subject: [PATCH] setup_container_runtime: Proper permission handling
On fresh installs on Noble, `groups` returns `users`; not jenkins-build.
```
jenkins-build@toko01:~$ podman system reset --force
podman system info
WARN[0000] Found incomplete layer "92e4beace908310dc4c6a279e3a4cb7391da53fc9a8d3cce99402fdebe6b67da", deleting it
ERRO[0002] 23 errors occurred:
* unlinkat /home/jenkins-build/.local/share/containers/storage/overlay/0ec3f2ca3bf6a1641caed388c53e76b63e9840354c473412e3deb7d00a510448/diff/usr: permission denied
* unlinkat /home/jenkins-build/.local/share/containers/storage/overlay/8a5ece4bcb661d397bb30a79c74d26e202c4536bf12d07bcf351d6c2fab65790/diff/usr: permission denied
* unlinkat /home/jenkins-build/.local/share/containers/storage/overlay/ee5a1067f3e86d31a3bf233c0c60c6087b2bd39e9e9b3cb5cd8feea92f1e3692/diff/run: permission denied
```
Signed-off-by: David Galloway
---
scripts/setup_container_runtime.sh | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/scripts/setup_container_runtime.sh b/scripts/setup_container_runtime.sh
index d9fbeb3e..7100b5b9 100755
--- a/scripts/setup_container_runtime.sh
+++ b/scripts/setup_container_runtime.sh
@@ -45,7 +45,17 @@ function setup_container_runtime () {
 test -d "$PODMAN_DIR" && command -v restorecon && sudo restorecon -R -T0 -x "$PODMAN_DIR"
 PODMAN_STORAGE_DIR="$PODMAN_DIR/storage"
 if [ -d "$PODMAN_STORAGE_DIR" ]; then
- sudo chgrp -R "$(groups | cut -d' ' -f1)" "$PODMAN_STORAGE_DIR"
+ # If someone ran "sudo podman" in a job, it can leave root-owned junk in the
+ # *rootless* store and brick future runs. Detect and surgically fix.
+ if sudo find "$PODMAN_STORAGE_DIR" -xdev -mindepth 1 -maxdepth 5 -user root -print -quit | grep -q .; then
+ echo "Detected root-owned files inside rootless podman store; repairing ownership."
+ sudo chown -R "$(id -u):$(id -g)" "$PODMAN_STORAGE_DIR"
+
+ # Also repair common “diff/work not writable” breakage without recursive chmod or chgrp:
+ # ensure the store dirs are at least user-writable so podman can clean up.
+ sudo find "$PODMAN_STORAGE_DIR/overlay" -xdev -type d \( -name diff -o -name work \) -exec chmod u+rwx {} + 2>/dev/null || true
+ sudo find "$PODMAN_STORAGE_DIR/overlay" -xdev -type d -path '*/work/work' -exec chmod u+rwx {} + 2>/dev/null || true
+ fi
 if [ "$(podman unshare du -s --block-size=1G "$PODMAN_STORAGE_DIR" | awk '{print $1}')" -ge 50 ]; then
 time podman system prune --force || \
 time podman image prune --force --all --external
-- 
2.47.3
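Review bot: `sudo chown -R "$(id -u):$(id -g)" "$PODMAN_STORAGE_DIR"` rewrites the ownership of every file under the store, not only the root-owned entries the preceding `find -user root` detected, which contradicts the "surgically fix" comment above it and, as far as I can tell, flattens the subuid/subgid-mapped ownership that rootless overlay layers depend on for files belonging to non-root container users, so healthy images can be corrupted while repairing the broken ones. Restricting the repair to what was detected keeps the fix proportional: `sudo find "$PODMAN_STORAGE_DIR" -xdev -user root -exec chown "$(id -u):$(id -g)" {} +`. The detection also stops at `-maxdepth 5` while the repair is unbounded, so a root-owned file deeper in the tree is neither detected nor fixed; dropping `-maxdepth 5` (the `-quit` already bounds the cost) makes the two agree. Both `find … chmod` lines end in `2>/dev/null || true`, so a failed chmod is silent; a short comment stating that this is deliberate best-effort would help the next reader. `setup_container_runtime` starts and ends outside this hunk.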