Extract cross toolchains with --no-same-owner for rootless podman #9
Merged
Conversation
The musl.cc / panda.re cross-toolchain tarballs are packed with the upstream maintainer's uid/gid (e.g. 98601130:98600513). `tar -xz` preserves that ownership, so the resulting image has files owned by those very high IDs. Under docker this is harmless, but it breaks rootless podman: pulling/unpacking the image into a rootless user namespace fails because those IDs exceed the user's /etc/subuid|subgid range:

```
potentially insufficient UIDs or GIDs available in user namespace (requested 98601130:98600513 ...): Check /etc/subuid and /etc/subgid
```

Add --no-same-owner to every cross-toolchain extraction so the files are owned by the build user (root, id 0) instead. The image is functionally identical and now pulls/runs/builds under rootless podman without requiring every host to widen its subuid range.

musl.cc blocks GitHub-hosted runner IP ranges wholesale (since 2025-05-27), so the cross-toolchain `wget https://musl.cc/...` steps fail on ubuntu-latest:

```
Connecting to musl.cc (musl.cc)|216.82.192.11|:443... (stalls)
ERROR: ... wget https://musl.cc/powerpc64-linux-musl-cross.tgz ... exit code 2
```

Move the PR check to the self-hosted rehosting-arc runners (whose egress isn't blocked), mirroring publish.yml: trust the Harbor cert, log in, set up buildx with the insecure-registry config, pull base images via the Harbor proxy, and read the publish layer cache so unchanged layers don't re-download. Builds the `final` target to validate; does not push (PR check).
Problem

The cross-toolchain tarballs (musl.cc, panda.re) are packed with the upstream maintainer's uid/gid — e.g. 98601130:98600513. `tar -xz` preserves that ownership, so the built image contains files owned by those very high IDs.

Under docker this is harmless. Under rootless podman it's fatal: pulling/unpacking the image into the user namespace fails because those IDs exceed the user's /etc/subuid / /etc/subgid range:

This blocks any rootless-podman build of the penguin image (which does `FROM rehosting/embedded-toolchains AS cross_builder`).

Fix

Add `--no-same-owner` to every cross-toolchain `tar` extraction (17 /opt/cross extractions + the loongarch /tmp one). Extracted files are then owned by the build user (root, id 0) instead of the upstream IDs. … /etc/subuid widening — i.e. the image "runs in more places."

Verification

Built the full image under rootless podman (podman 3.4.4 / buildah 1.23.1): it completed all 53 assembly steps + rust targets (`Successfully tagged`), where the unpatched image couldn't even be unpacked rootless. The penguin image then built on top of it under rootless podman and ran an x86_64 KVM emulation to completion.
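The ownership problem and the `--no-same-owner` fix described in this PR, as an added example that is not the project's own code or part of the PR: it builds a constructed tarball carrying the upstream ids quoted above, lists the members whose uid/gid cannot be mapped by a given `/etc/subuid` allocation, and extracts with `--no-same-owner` so the files end up owned by the extracting user. The toolchain file name, the `builder:100000:65536` subuid line and the helper names are assumptions; GNU tar and GNU coreutils `stat` are assumed.

```shell
#!/bin/sh
# Added example, not code from the PR or the rehosting project.
# Assumes GNU tar (--owner/--group/--numeric-owner) and GNU coreutils stat.
set -eu

# Upstream-style ids quoted in the PR; the file names below are constructed.
UP_UID=98601130
UP_GID=98600513

# Build a small tarball whose members carry the upstream maintainer's uid/gid,
# as the musl.cc / panda.re tarballs do. No root is needed: tar just writes the
# numeric ids into the archive headers regardless of who runs it.
make_fixture_tgz() {
    tgz=$1
    src=$(mktemp -d)
    mkdir -p "$src/x86_64-linux-musl-cross/bin"
    printf '#!/bin/sh\nexit 0\n' > "$src/x86_64-linux-musl-cross/bin/x86_64-linux-musl-gcc"
    tar --owner="$UP_UID" --group="$UP_GID" -C "$src" -czf "$tgz" x86_64-linux-musl-cross
    rm -rf "$src"
}

# Number of ids a subuid/subgid line grants to a user ("user:start:count").
# Container id 0 maps to the user itself and ids 1..count map to
# start..start+count-1, so any container id above count is unmappable.
subuid_count() {
    line=$1; user=$2
    printf '%s\n' "$line" | awk -F: -v u="$user" '$1 == u { n += $3 } END { print n + 0 }'
}

# Print "uid gid name" for every archive member whose uid or gid is above the
# mappable limit. --numeric-owner keeps tar from substituting names, so the
# second column is always "uid/gid".
high_id_members() {
    tgz=$1; limit=$2
    tar --numeric-owner -tzvf "$tgz" | awk -v limit="$limit" '
        { split($2, id, "/")
          if (id[1] + 0 > limit + 0 || id[2] + 0 > limit + 0) print id[1], id[2], $NF }'
}

# The fix from the PR: extract with --no-same-owner so every file is owned by
# the extracting user (root in a Dockerfile RUN step; as a non-root user tar
# already behaves this way, the flag matters when root runs it). Prints the uid
# owning the extracted compiler so the caller can verify it.
extract_no_same_owner() {
    tgz=$1; dest=$2
    tar --no-same-owner -xzf "$tgz" -C "$dest"
    stat -c %u "$dest/x86_64-linux-musl-cross/bin/x86_64-linux-musl-gcc"
}

# Demo run on the constructed fixture against a typical default allocation of
# 65536 subordinate ids (a constructed /etc/subuid line, not read from the host).
work=$(mktemp -d)
make_fixture_tgz "$work/x86_64-linux-musl-cross.tgz"
limit=$(subuid_count 'builder:100000:65536' builder)
echo "members unmappable with $limit subordinate ids:"
high_id_members "$work/x86_64-linux-musl-cross.tgz" "$limit"
mkdir -p "$work/opt/cross"
echo "owner uid after --no-same-owner extraction: $(extract_no_same_owner "$work/x86_64-linux-musl-cross.tgz" "$work/opt/cross")"
rm -rf "$work"
```

Run `high_id_members` against the real toolchain tarballs before they go into a `RUN tar ...` step: any line it prints is a member that will make a rootless pull fail with the `potentially insufficient UIDs or GIDs` error quoted above unless the host widens its subuid/subgid range.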