In container build output is not executable anymore

[cescoffier]

Describe the bug

Let's imagine I have a Quarkus application (the simplest Hello Quarkus app works for this case).
If I compile it into native with:

mvn clean verify -Dnative -Dquarkus.native.container-build=true -Dquarkus.container-image.build=true -DskipTests

The output is not executable:

.rw-------@  49M clement  3 Feb 08:42 code-with-quarkus-1.0.0-SNAPSHOT-runner

It's not an issue on my machine, as it's the wrong OS.

The issue starts to be a bit more problematic when you build the container using our provided dockerfile:

> podman build -f src/main/docker/Dockerfile.native -t quarkus/code-with-quarkus .
> podman run -i --rm -p 8080:8080 quarkus/code-with-quarkus
Error: preparing container 9a5d82647353ac8bc1700e7dc549e693a02ef549b435641cefa0d1fa59731851 for attach: crun: open executable: Permission denied: OCI permission denied

It makes sense... as the executable is not executable.

Workaround:

So, to make it work you need to edit the docker file to become:

FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10
WORKDIR /work/
RUN chown 1001 /work \
    && chmod "g+rwX" /work \
    && chown 1001:root /work
COPY --chown=1001:root  --chmod=755 target/*-runner /work/application # chmod added

EXPOSE 8080
USER 1001

ENTRYPOINT ["./application", "-Dquarkus.http.host=0.0.0.0"]

I don't know what changed (it can be native-image, postman, etc.). Unfortunately, I cannot test with Docker. But we need to edit our documentation to add the chmod.

Expected behavior

The container should run without error

Actual behavior

Error: preparing container 9a5d82647353ac8bc1700e7dc549e693a02ef549b435641cefa0d1fa59731851 for attach: crun: open executable: Permission denied: OCI permission denied

How to Reproduce?

Reproducer:

1. Generate a new simple application from https://code.quarkus.io
2. Compile the native executable using a in-container build (mvn clean verify -Dnative -Dquarkus.native.container-build=true -Dquarkus.container-image.build=true -DskipTests) - Note at that point, you can check the permission of the executable in the target directory
3. Build the container with the provided dockerfile: podman build -f src/main/docker/Dockerfile.native -t quarkus/code-with-quarkus .
4. Run the container: podman run -i --rm -p 8080:8080 quarkus/code-with-quarkus

Output of uname -a or ver

Darwin cescoffi-mac 24.2.0 Darwin Kernel Version 24.2.0: Fri Dec 6 19:01:59 PST 2024; root:xnu-11215.61.5~2/RELEASE_ARM64_T6000 arm64

Output of java -version

openjdk 21.0.5 2024-10-15 LTS OpenJDK Runtime Environment Temurin-21.0.5+11 (build 21.0.5+11-LTS) OpenJDK 64-Bit Server VM Temurin-21.0.5+11 (build 21.0.5+11-LTS, mixed mode, sharing)

Quarkus version or git rev

3.18.1

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)

Additional information

No response

[cescoffier]

@gsmet this is what I mentioned to you on Friday. If you could test it on Linux, it would be super useful.

[quarkus-bot]

/cc @Karm (native-image), @MichalMaler (documentation), @galderz (native-image), @geoand (jib), @ia3andy (codestart), @maxandersen (podman), @quarkusio/devtools (codestart), @rolfedh (documentation), @sheilamjones (documentation), @zakkak (native-image)

[gsmet]

Will check soon.

[maxandersen]

spotted this in podman issue db: containers/podman#15299

it talks about windows, but I'm wondering if its a general podman machine issue. @n1hility might know?

[maxandersen]

same reported here #28414

[gsmet]

Yeah might be a Podman issue. It works fine with Docker on Linux.

While it should probably get fixed in Podman, I think we also need to fix the Dockerfiles to set the executable bit. Because on Windows, we won't be able to set the executable bit in the file system anyway.

[cescoffier]

I agree with @gsmet - we need to fix our dockerfile.

[zakkak]

I can't reproduce neither on Linux (x86) nor on Mac (M3) using podman 5.3.2 on linux and 5.2.5 on mac

[cescoffier]

@zakkak Which Podman Desktop version were you using on Mac?

[zakkak]

@zakkak Which Podman Desktop version were you using on Mac?

v1.16.1

[cescoffier]

Thanks, let me jump to that version and retry. I didn't see anything related in the release notes.

[cescoffier]

@zakkak Weird... Still not executable:

.rw-------@  49M clement  5 Feb 14:43 code-with-quarkus-1.0.0-SNAPSHOT-runner

Did you change something in your podman machine (like having the same user id on your host and in the machine?)

[cescoffier]

Hum, no, because mine matches:

Podman Machine:

uid=501(core) gid=1000(core) groups=1000(core),4(adm),10(wheel),16(sudo),190(systemd-journal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Host:

uid=501(clement) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),101(access_bpf),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)

[zakkak]

Mine look similar to yours :/

What's your podman machine version? Mine says 5.1.1 (built 1717459200)

[cescoffier]

Oh oh, I'm on Podman v 5.3.2 with GPU enabled (LibKrun) - it could be the difference.