Don't use --user and --userns in remote containers

Using them results in files being copied back to host to be owned by the guest user instead of the host user. e.g. $ podman create --name temp --user 1000:1000 --userns=keep-id -it \ quay.io/quarkus/ubi-quarkus-native-image:21.0.0-java11 $ podman cp temp:/opt/graalvm/bin/native-image remote-native-image $ ls -la remote-native-image -rwxr-xr-x. 1 100000 100000 14641161 Feb 14 03:28 remote-native-image* $ id -u 1000
quarkusio · Feb 24, 2021 · a8969db · a8969db
1 parent 87fbe78
commit a8969db
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 17 deletions.
diff --git a/...oyment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildContainerRunner.java b/...oyment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildContainerRunner.java
@@ -1,7 +1,5 @@
 package io.quarkus.deployment.pkg.steps;
 
-import static io.quarkus.deployment.pkg.steps.LinuxIDUtil.getLinuxID;
-
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
@@ -12,7 +10,6 @@
 import java.util.function.Function;
 import java.util.stream.Stream;
 
-import org.apache.commons.lang3.SystemUtils;
 import org.jboss.logging.Logger;
 
 import io.quarkus.deployment.pkg.NativeConfig;
@@ -33,23 +30,10 @@ public NativeImageBuildContainerRunner(NativeConfig nativeConfig, Path outputDir
         containerRuntime = nativeConfig.containerRuntime.orElseGet(NativeImageBuildContainerRunner::detectContainerRuntime);
         log.infof("Using %s to run the native image builder", containerRuntime.getExecutableName());
 
-        List<String> containerRuntimeArgs = new ArrayList<>();
-        Collections.addAll(containerRuntimeArgs, "--env", "LANG=C");
+        this.baseContainerRuntimeArgs = new String[] { "--env", "LANG=C" };
 
         outputPath = outputDir == null ? null : outputDir.toAbsolutePath().toString();
 
-        if (SystemUtils.IS_OS_LINUX) {
-            String uid = getLinuxID("-ur");
-            String gid = getLinuxID("-gr");
-            if (uid != null && gid != null && !uid.isEmpty() && !gid.isEmpty()) {
-                Collections.addAll(containerRuntimeArgs, "--user", uid + ":" + gid);
-                if (containerRuntime == NativeConfig.ContainerRuntime.PODMAN) {
-                    // Needed to avoid AccessDeniedExceptions
-                    containerRuntimeArgs.add("--userns=keep-id");
-                }
-            }
-        }
-        this.baseContainerRuntimeArgs = containerRuntimeArgs.toArray(new String[0]);
     }
 
     @Override

diff --git a/...t/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildLocalContainerRunner.java b/...t/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildLocalContainerRunner.java
@@ -1,5 +1,7 @@
 package io.quarkus.deployment.pkg.steps;
 
+import static io.quarkus.deployment.pkg.steps.LinuxIDUtil.getLinuxID;
+
 import java.nio.file.Path;
 import java.util.Collections;
 import java.util.List;
@@ -21,7 +23,18 @@ protected List<String> getContainerRuntimeBuildArgs() {
         String volumeOutputPath = outputPath;
         if (SystemUtils.IS_OS_WINDOWS) {
             volumeOutputPath = FileUtil.translateToVolumePath(volumeOutputPath);
+        } else if (SystemUtils.IS_OS_LINUX) {
+            String uid = getLinuxID("-ur");
+            String gid = getLinuxID("-gr");
+            if (uid != null && gid != null && !uid.isEmpty() && !gid.isEmpty()) {
+                Collections.addAll(containerRuntimeArgs, "--user", uid + ":" + gid);
+                if (containerRuntime == NativeConfig.ContainerRuntime.PODMAN) {
+                    // Needed to avoid AccessDeniedExceptions
+                    containerRuntimeArgs.add("--userns=keep-id");
+                }
+            }
         }
+
         Collections.addAll(containerRuntimeArgs, "--rm", "-v",
                 volumeOutputPath + ":" + NativeImageBuildStep.CONTAINER_BUILD_VOLUME_PATH + ":z");
         return containerRuntimeArgs;