In container build output is not executable anymore

[cescoffier]

Describe the bug

Let's imagine I have a Quarkus application (the simplest Hello Quarkus app works for this case).
If I compile it into native with:

mvn clean verify -Dnative -Dquarkus.native.container-build=true -Dquarkus.container-image.build=true -DskipTests

The output is not executable:

.rw-------@  49M clement  3 Feb 08:42 code-with-quarkus-1.0.0-SNAPSHOT-runner

It's not an issue on my machine, as it's the wrong OS.

The issue starts to be a bit more problematic when you build the container using our provided dockerfile:

> podman build -f src/main/docker/Dockerfile.native -t quarkus/code-with-quarkus .
> podman run -i --rm -p 8080:8080 quarkus/code-with-quarkus
Error: preparing container 9a5d82647353ac8bc1700e7dc549e693a02ef549b435641cefa0d1fa59731851 for attach: crun: open executable: Permission denied: OCI permission denied

It makes sense... as the executable is not executable.

Workaround:

So, to make it work you need to edit the docker file to become:

FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10
WORKDIR /work/
RUN chown 1001 /work \
    && chmod "g+rwX" /work \
    && chown 1001:root /work
COPY --chown=1001:root  --chmod=755 target/*-runner /work/application # chmod added

EXPOSE 8080
USER 1001

ENTRYPOINT ["./application", "-Dquarkus.http.host=0.0.0.0"]

I don't know what changed (it can be native-image, postman, etc.). Unfortunately, I cannot test with Docker. But we need to edit our documentation to add the chmod.

Expected behavior

The container should run without error

Actual behavior

Error: preparing container 9a5d82647353ac8bc1700e7dc549e693a02ef549b435641cefa0d1fa59731851 for attach: crun: open executable: Permission denied: OCI permission denied

How to Reproduce?

Reproducer:

1. Generate a new simple application from https://code.quarkus.io
2. Compile the native executable using a in-container build (mvn clean verify -Dnative -Dquarkus.native.container-build=true -Dquarkus.container-image.build=true -DskipTests) - Note at that point, you can check the permission of the executable in the target directory
3. Build the container with the provided dockerfile: podman build -f src/main/docker/Dockerfile.native -t quarkus/code-with-quarkus .
4. Run the container: podman run -i --rm -p 8080:8080 quarkus/code-with-quarkus

Output of uname -a or ver

Darwin cescoffi-mac 24.2.0 Darwin Kernel Version 24.2.0: Fri Dec 6 19:01:59 PST 2024; root:xnu-11215.61.5~2/RELEASE_ARM64_T6000 arm64

Output of java -version

openjdk 21.0.5 2024-10-15 LTS OpenJDK Runtime Environment Temurin-21.0.5+11 (build 21.0.5+11-LTS) OpenJDK 64-Bit Server VM Temurin-21.0.5+11 (build 21.0.5+11-LTS, mixed mode, sharing)

Quarkus version or git rev

3.18.1

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)

Additional information

No response

[cescoffier]

@gsmet this is what I mentioned to you on Friday. If you could test it on Linux, it would be super useful.

[quarkus-bot]

/cc @Karm (native-image), @MichalMaler (documentation), @galderz (native-image), @geoand (jib), @ia3andy (codestart), @maxandersen (podman), @quarkusio/devtools (codestart), @rolfedh (documentation), @sheilamjones (documentation), @zakkak (native-image)

[gsmet]

Will check soon.

[maxandersen]

spotted this in podman issue db: containers/podman#15299

it talks about windows, but I'm wondering if its a general podman machine issue. @n1hility might know?