On 6/19/2026 11:41 AM, Pierrick Bouvier wrote:
On 6/19/2026 6:53 AM, Matheus Tavares Bernardino wrote:
On Thu, 18 Jun 2026 21:31:59 -0700 Brian Cain <[email protected]>
wrote:
...
Download the tarball to a file and ignore tar errors during extraction
with --no-same-owner and --no-same-permissions.
tar's man page says --no-same-owner and --no-same-permissions are "default for
ordinary users". Isn't that the case for rootless podman?
By default, you're still root in the container, even though id 0 is
mapped to your original user in the kernel. So from tar's point of view,
it's not an ordinary user.
The side effect is that tar will try to apply the original user id,
which gets mapped in the range configured by /etc/subuid, which ends up
being different from yours, and thus results in a
'Cannot change ownership: Operation not permitted'.
Yeah - so apparently I can't seem to live without the `|| true`. But
Matheus recommended `--fail` for the curl, which makes a lot of sense to
me regardless of the behavior of `tar`.
So, I'll send a v2 with that change.
Signed-off-by: Brian Cain <[email protected]>
---
tests/docker/dockerfiles/debian-hexagon-cross.docker | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tests/docker/dockerfiles/debian-hexagon-cross.docker
b/tests/docker/dockerfiles/debian-hexagon-cross.docker
index 23e8bb2fb26..817c903246a 100644
--- a/tests/docker/dockerfiles/debian-hexagon-cross.docker
+++ b/tests/docker/dockerfiles/debian-hexagon-cross.docker
@@ -49,7 +49,12 @@ ENV
TOOLCHAIN_BASENAME=clang+llvm-${TOOLCHAIN_RELEASE}-cross-hexagon-unknown-lin
ENV
TOOLCHAIN_URL=https://artifacts.codelinaro.org/artifactory/codelinaro-toolchain-for-hexagon/${TOOLCHAIN_RELEASE}_/${TOOLCHAIN_BASENAME}.tar.zst
ENV CCACHE_WRAPPERSDIR=/usr/libexec/ccache-wrappers
-RUN curl -#SL "$TOOLCHAIN_URL" | tar --zstd -xC "$TOOLCHAIN_INSTALL"
+# Ignore tar's chmod/lchmod EPERM on the toolchain symlinks and directories,
+# which rootless podman's overlay storage rejects (harmless mode metadata).
+RUN curl -#SLo /tmp/toolchain.tar.zst "$TOOLCHAIN_URL" && \
+ { tar --zstd --no-same-owner --no-same-permissions \
+ -xf /tmp/toolchain.tar.zst -C "$TOOLCHAIN_INSTALL" || true; } && \
+ rm -f /tmp/toolchain.tar.zst
Hmm, I think the "|| true" may mask some real failures. For example, if
the URL is invalid, curl would still exit with no error code, but the output
file would contain something like "errors" : [ { "status" : 404 } ]. Then,
tar would fail to unpack that but || true would mask it.
ENV PATH=$PATH:${TOOLCHAIN_INSTALL}/${TOOLCHAIN_BASENAME}/x86_64-linux-gnu/bin
ENV MAKE=/usr/bin/make
# As a final step configure the user (if env is defined)
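Review bot: the `|| true` wrapped around the tar invocation in the new RUN hides every extraction failure, not only the chmod/lchmod EPERM that the added comment names, so a truncated download or an HTTP error body saved to /tmp/toolchain.tar.zst still produces a successful image layer with no usable toolchain. Add `--fail` to the curl command so an HTTP error stops the build before tar runs, and follow the extraction with a positive check that the install tree exists, for example `test -d "$TOOLCHAIN_INSTALL/$TOOLCHAIN_BASENAME/x86_64-linux-gnu/bin"`, so that tolerating tar's exit status does not mean accepting an empty result. The tarball is also extracted without any integrity verification; comparing it against a pinned SHA-256 before extraction would catch a corrupted or substituted artifact.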
--
2.34.1