On 6/19/2026 6:53 AM, Matheus Tavares Bernardino wrote:
> On Thu, 18 Jun 2026 21:31:59 -0700 Brian Cain <[email protected]> 
> wrote:
>>
> ...
>>
>> Download the tarball to a file and ignore tar errors during extraction
>> with --no-same-owner and --no-same-permissions.
> 
> tar's man page says --no-same-owner and --no-same-permissions are "default for
> ordinary users". Isn't that the case for rootless podman?
>

By default, you're still root in the container, even though id 0 is
mapped to your original user in the kernel. So from tar's point of view,
it's not an ordinary user.

The side effect is that tar will try to apply the original user id,
which gets mapped in the range configured by /etc/subuid, which ends up
being different from yours, and thus results in a
'Cannot change ownership: Operation not permitted'.

>> Signed-off-by: Brian Cain <[email protected]>
>> ---
>>  tests/docker/dockerfiles/debian-hexagon-cross.docker | 7 ++++++-
>>  1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/tests/docker/dockerfiles/debian-hexagon-cross.docker 
>> b/tests/docker/dockerfiles/debian-hexagon-cross.docker
>> index 23e8bb2fb26..817c903246a 100644
>> --- a/tests/docker/dockerfiles/debian-hexagon-cross.docker
>> +++ b/tests/docker/dockerfiles/debian-hexagon-cross.docker
>> @@ -49,7 +49,12 @@ ENV 
>> TOOLCHAIN_BASENAME=clang+llvm-${TOOLCHAIN_RELEASE}-cross-hexagon-unknown-lin
>>  ENV 
>> TOOLCHAIN_URL=https://artifacts.codelinaro.org/artifactory/codelinaro-toolchain-for-hexagon/${TOOLCHAIN_RELEASE}_/${TOOLCHAIN_BASENAME}.tar.zst
>>  ENV CCACHE_WRAPPERSDIR=/usr/libexec/ccache-wrappers
>>  
>> -RUN curl -#SL "$TOOLCHAIN_URL" | tar --zstd -xC "$TOOLCHAIN_INSTALL"
>> +# Ignore tar's chmod/lchmod EPERM on the toolchain symlinks and directories,
>> +# which rootless podman's overlay storage rejects (harmless mode metadata).
>> +RUN curl -#SLo /tmp/toolchain.tar.zst "$TOOLCHAIN_URL" && \
>> +    { tar --zstd --no-same-owner --no-same-permissions \
>> +          -xf /tmp/toolchain.tar.zst -C "$TOOLCHAIN_INSTALL" || true; } && \
>> +    rm -f /tmp/toolchain.tar.zst
> 
> Hmm, I think the "|| true" may mask some real failures. For example, if
> the URL is invalid, curl would still exit with no error code, but the output
> file would contain something like "errors" : [ { "status" : 404 } ]. Then,
> tar would fail to unpack that but || true would mask it.
> 
>>  ENV 
>> PATH=$PATH:${TOOLCHAIN_INSTALL}/${TOOLCHAIN_BASENAME}/x86_64-linux-gnu/bin
>>  ENV MAKE=/usr/bin/make
>>  # As a final step configure the user (if env is defined)
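
Review bot: The `|| true` wrapped around the tar command in the new RUN line discards every tar exit status, not only the chmod/lchmod EPERM that the added comment describes, so a truncated download or a file that is not a zstd archive still produces a successful image build with an empty or partial $TOOLCHAIN_INSTALL. Two changes would narrow this: add `-f` to the curl options (`curl -#fSLo ...`) so an HTTP error status fails the step instead of being saved to /tmp/toolchain.tar.zst, and follow the extraction with an explicit check, for example `test -d` on the `${TOOLCHAIN_INSTALL}/${TOOLCHAIN_BASENAME}/x86_64-linux-gnu/bin` directory that the next ENV line adds to PATH. Since the tarball is now a file on disk before it is unpacked, this is also a natural place to compare it against a pinned SHA-256 digest (for instance via `sha256sum -c`), because nothing in the visible lines verifies the content fetched from TOOLCHAIN_URL.
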
>> -- 
>> 2.34.1
>>

