
fix: rootless support for Alpine container image #123

Merged
rwaffen merged 1 commit into OpenVoxProject:main from slauger:fix/alpine-rootless-chown
Apr 7, 2026
slauger commented Apr 2, 2026

Summary

  • Patches out FileUtils.chown calls in openvoxserver-ca gem — these fail in rootless containers because the process lacks CAP_CHOWN. The directory ownership is already handled correctly by the g=u / SGID permission pattern.
  • Patches the foreground script to use touch + chmod instead of install --owner --group for the restartcounter file, which also requires CAP_CHOWN.

Both patches are the same approach used in the openvox-operator.

Tested on Linux with podman and bind-mounted CA directory — container starts successfully.

Note: When bind-mounting the CA directory with podman rootless, users need to ensure the directory is writable by the container user, e.g. using the :U volume flag.

Ref: #121
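
The two ideas in the summary above, sketched as an added illustration that is not taken from this PR's diff or from the project's code: creating a file with touch and chmod so that no chown is needed, and checking that a directory follows the g=u / SGID pattern. The function names and any paths passed to them are assumptions.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from the PR.

# Create a state file without chown(2). The file is owned by whoever runs
# the process; only the mode is set, so CAP_CHOWN is never required.
create_state_file() {
    file=$1 mode=${2:-0640}
    touch "$file" && chmod "$mode" "$file"
}

# Return 0 if a directory follows the g=u / SGID pattern: the group
# permission bits equal the owner's, and setgid is set so that new
# entries inherit the directory's group.
follows_rootless_pattern() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c2-7)
    user=$(printf '%s' "$perms" | cut -c1-3)
    group=$(printf '%s' "$perms" | cut -c4-6)
    case $group in
        *s) group="${group%s}x" ;;   # setgid set, group execute set
        *S) group="${group%S}-" ;;   # setgid set, group execute clear
        *)  return 1 ;;              # no setgid bit (or path unreadable)
    esac
    [ "$user" = "$group" ]
}

# Print every directory under $1 that does not follow the pattern, i.e.
# the places where a process with an arbitrary UID and the shared GID
# could fail to write or create files.
audit_tree() {
    find "$1" -type d | while IFS= read -r d; do
        follows_rootless_pattern "$d" || printf '%s\n' "$d"
    done
}
```

Running `audit_tree` against a bind-mounted CA directory before starting the container lists the directories whose permissions would still need adjusting.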

slauger requested a review from a team as a code owner April 2, 2026 21:40
slauger changed the title from "fix: patch out FileUtils.chown for rootless Alpine containers" to "fix: rootless support for Alpine and Ubuntu container images" Apr 2, 2026
slauger force-pushed the fix/alpine-rootless-chown branch from 2d68854 to 8af527d April 2, 2026 22:28
slauger changed the title from "fix: rootless support for Alpine and Ubuntu container images" to "fix: rootless support for Alpine container image" Apr 2, 2026
Comment thread openvoxserver/Containerfile.alpine Outdated
slauger force-pushed the fix/alpine-rootless-chown branch 2 times, most recently from f5a834a to 7c51cb5 April 7, 2026 08:20
Comment thread openvoxserver/Containerfile.alpine Outdated
slauger force-pushed the fix/alpine-rootless-chown branch from 7c51cb5 to bf99a75 April 7, 2026 08:35
Comment thread openvoxserver/Containerfile.alpine Outdated
Patch out chown calls that fail without CAP_CHOWN in rootless
containers. Use find instead of hardcoded gem paths so patches
survive Ruby and gem version changes.

Signed-off-by: Simon Lauger <simon@lauger.de>
slauger force-pushed the fix/alpine-rootless-chown branch from bf99a75 to 601abd0 April 7, 2026 09:02
slauger commented Apr 7, 2026

Maybe we should also add some tests - e.g. with https://github.com/googlecontainertools/container-structure-test

Comment thread openvoxserver/Containerfile.alpine
rwaffen left a comment

LGTM

rwaffen merged commit db10be5 into OpenVoxProject:main Apr 7, 2026
13 checks passed