Use PRoot with mksquashfs to preserve file owner/group

.github/workflows/ci.yml

@@ -357,7 +357,7 @@ jobs:
         run: |
           set -e
           sudo apt-get -q update
-          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential libseccomp-dev fakeroot cryptsetup dbus-user-session 
+          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential libseccomp-dev libtalloc-dev libattr1-dev libprotobuf-c-dev fakeroot cryptsetup dbus-user-session 
           sudo DEBIAN_FRONTEND=noninteractive apt-get install -y autoconf automake libtool pkg-config libfuse3-dev zlib1g-dev liblzo2-dev liblz4-dev liblzma-dev libzstd-dev
 
       - uses: actions/cache/restore@v4
@@ -414,7 +414,7 @@ jobs:
           go-version: 1.25.6
 
       - name: Fetch deps
-        run: sudo apt-get -q update && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential libseccomp-dev cryptsetup dbus-user-session
+        run: sudo apt-get -q update && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential libseccomp-dev libtalloc-dev libattr1-dev libprotobuf-c-dev cryptsetup dbus-user-session
 
       - name: Build and install Apptainer
         run: |
@@ -463,7 +463,7 @@ jobs:
         run: |
           set -e
           sudo apt-get -q update
-          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential libseccomp-dev uidmap fakeroot cryptsetup dbus-user-session
+          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential libseccomp-dev libtalloc-dev libattr1-dev libprotobuf-c-dev uidmap fakeroot cryptsetup dbus-user-session
           sudo DEBIAN_FRONTEND=noninteractive apt-get install -y autoconf automake libtool pkg-config libfuse3-dev zlib1g-dev liblzo2-dev liblz4-dev liblzma-dev libzstd-dev
 
       - name: Download, compile, and install dependent packages

.gitignore

@@ -5,6 +5,7 @@ apptainer-*.tar.gz
 e2fsprogs-*
 fuse-overlayfs-*
 gocryptfs-*
+PRoot-*
 squashfuse-*
 squashfs-tools-*
 *.m4

CHANGELOG.md

@@ -12,6 +12,20 @@ For older changes see the [archived Singularity change log](https://github.com/a
   `APPTAINER_NOENV` environment variable that can provide a
   comma-separated list of environment variables to skip importing from
   the host environment into the container.
+- Preserve owner and group information on files in containers downloaded from
+  OCI registries when building SIF files, even for unprivileged users.
+  This takes advantage of the fact that the library (umoci) that downloads
+  containers preserves owner and group information in an extended attribute.
+  Adds bundled tool `proot` which is modified from the upstream tool by the
+  rootless-containers project to make the owner and group appear to be in the
+  ordinary `stat()` information.  That tool is now used when invoking
+  `mksquashfs` to create the filesystem partition in a SIF file.  It can
+  be disabled with the hidden build option `--ignore-proot`.
+- When unsquashing an image while running under a root-mapped user
+  namespace (such as when using fakeroot without subuid mapping), insert
+  another namespace mapping back to the original user so unsquashfs
+  doesn't try (and fail) to change the owner and group information on the
+  unpacked files.
 - Record image digest metadata (sha256 from `RepoDigests`), for OCI registry images.
   Also add the image name (ref) of the image from "docker", with registry and tag.
   This is useful for traceability, when using `docker.io` or a tag like `latest`.
@@ -201,7 +215,7 @@ Changes since 1.3.6
   available and to ensure that all compression types are available.
   This includes the programs `mksquashfs` and `unsquashfs`.
 - Statistics are now normally available for instances that are
-  started by non-root users on cgroups v2 systems.  
+  started by non-root users on cgroups v2 systems.
   The instance will be started in the current cgroup.  Information
   about configuration issues that prevent collection of statistics are
   displayed as INFO messages by default.

INSTALL.md

@@ -20,6 +20,9 @@ sudo apt-get update
 sudo apt-get install -y \
     build-essential \
     libseccomp-dev \
+    libtalloc-dev \
+    libattr1-dev \
+    libprotobuf-c-dev \
     uidmap \
     fakeroot \
     cryptsetup \
@@ -39,11 +42,16 @@ On RHEL or its derivatives or Fedora:
 ```sh
 # Install basic tools for compiling
 sudo dnf groupinstall -y 'Development Tools'
-# Ensure EPEL repository is available
+# Ensure EPEL repository is available (skip on Fedora)
 sudo dnf install -y epel-release
+# Enable the CodeReady Builder repository (skip on Fedora)
+sudo crb enable
 # Install RPM packages for dependencies
 sudo dnf install -y \
     libseccomp-devel \
+    libtalloc-devel \
+    libattr-devel \
+    protobuf-c-devel \
     fakeroot \
     cryptsetup \
     wget git
@@ -62,6 +70,9 @@ On SLE/openSUSE
 # Install RPM packages for dependencies
 sudo zypper install -y \
   libseccomp-devel \
+  libtalloc-devel \
+  libattr-devel \
+  libprotobuf-c-devel \
   libuuid-devel \
   openssl-devel \
   fakeroot \

cmd/internal/cli/build.go

@@ -55,6 +55,7 @@ var buildArgs struct {
 	userns              bool     // Enable user namespaces
 	ignoreSubuid        bool     // Ignore /etc/subuid entries (hidden)
 	ignoreFakerootCmd   bool     // Ignore fakeroot command (hidden)
+	ignoreProot         bool     // Ignore proot command (hidden)
 	ignoreUserns        bool     // Ignore user namespace(hidden)
 	remote              bool     // Remote flag(hidden, only for helpful error message)
 	buildVarArgs        []string // Variables passed to build procedure.
@@ -313,6 +314,17 @@ var buildIgnoreFakerootCommand = cmdline.Flag{
 	Hidden:       true,
 }
 
+// --ignore-proot
+var buildIgnoreProot = cmdline.Flag{
+	ID:           "buildIgnoreProotFlag",
+	Value:        &buildArgs.ignoreProot,
+	DefaultValue: false,
+	Name:         "ignore-proot",
+	Usage:        "ignore proot",
+	EnvKeys:      []string{"IGNORE_PROOT"},
+	Hidden:       true,
+}
+
 // --ignore-userns
 var buildIgnoreUsernsFlag = cmdline.Flag{
 	ID:           "buildIgnoreUsernsFlag",
@@ -402,6 +414,7 @@ func init() {
 		cmdManager.RegisterFlagForCmd(&buildUsernsFlag, buildCmd)
 		cmdManager.RegisterFlagForCmd(&buildIgnoreSubuidFlag, buildCmd)
 		cmdManager.RegisterFlagForCmd(&buildIgnoreFakerootCommand, buildCmd)
+		cmdManager.RegisterFlagForCmd(&buildIgnoreProot, buildCmd)
 		cmdManager.RegisterFlagForCmd(&buildIgnoreUsernsFlag, buildCmd)
 		cmdManager.RegisterFlagForCmd(&buildRemoteFlag, buildCmd)
 

cmd/internal/cli/build_linux.go

@@ -203,6 +203,10 @@ func runBuild(cmd *cobra.Command, args []string) {
 		}
 	}
 
+	if buildArgs.ignoreProot {
+		os.Setenv("APPTAINER_IGNORE_PROOT", "1")
+	}
+
 	if buildArgs.nvidia {
 		os.Setenv("APPTAINER_NV", "1")
 	}

dist/debian/control

@@ -13,6 +13,9 @@ Build-Depends:
  uuid-dev,
  devscripts,
  libseccomp-dev,
+ libtalloc-dev,
+ libattr1-dev,
+ libprotobuf-c-dev,
  cryptsetup,
  golang-go (>= 2:1.13~~),
  autoconf,

dist/rpm/apptainer.spec.in

@@ -34,6 +34,7 @@
 %global e2fsprogs_version 1.47.3
 %global fuse_overlayfs_version 1.16
 %global squashfs_tools_version 4.7.5
+%global PRoot_version 5.4.0-rootless.2
 
 # The last singularity version number in EPEL/Fedora
 %global last_singularity_version 3.8.7-3
@@ -71,10 +72,15 @@ Patch122: e2fsprogs-250.patch
 # URL: https://github.com/tytso/e2fsprogs/pull/251.patch
 Patch123: e2fsprogs-251.patch
 %endif
+%if "%{?fuse_overlayfs_version}" != ""
 Source13: https://github.com/containers/fuse-overlayfs/archive/v%{fuse_overlayfs_version}/fuse-overlayfs-%{fuse_overlayfs_version}.tar.gz
+%endif
 %if "%{?squashfs_tools_version}" != ""
 Source14: https://github.com/plougher/squashfs-tools/archive/%{squashfs_tools_version}/squashfs-tools-%{squashfs_tools_version}.tar.gz
 %endif
+%if "%{?PRoot_version}" != ""
+Source15: https://github.com/rootless-containers/PRoot/archive/v%{PRoot_version}/PRoot-%{PRoot_version}.tar.gz
+%endif
 
 # This Conflicts is in case someone tries to install the main apptainer
 # package when an old singularity package is installed.  An Obsoletes is on
@@ -97,12 +103,25 @@ Obsoletes: singularity-runtime < 3.0
 Provides: sif-runtime
 Conflicts: sif-runtime
 
+%if "%{?gocryptfs_version}" != ""
 Provides: bundled(gocryptfs) = %{gocryptfs_version}
+%endif
+%if "%{?squashfuse_version}" != ""
 Provides: bundled(squashfuse) = %{squashfuse_version}
+%endif
+%if "%{?e2fsprogs_version}" != ""
 Provides: bundled(e2fsprogs) = %{e2fsprogs_version}
 Provides: bundled(fuse2fs) = %{e2fsprogs_version}
+%endif
+%if "%{?fuse_overlayfs_version}" != ""
 Provides: bundled(fuse-overlayfs) = %{fuse_overlayfs_version}
+%endif
+%if "%{?squashfs_tools_version}" != ""
 Provides: bundled(squashfs-tools) = %{squashfs_tools_version}
+%endif
+%if "%{?PRoot_version}" != ""
+Provides: bundled(PRoot) = %{PRoot_version}
+%endif
 @BUNDLED_PROVIDES@
 
 %if "%{_target_vendor}" == "suse"
@@ -120,6 +139,9 @@ BuildRequires: git
 BuildRequires: gcc
 BuildRequires: make
 BuildRequires: libseccomp-devel
+BuildRequires: libtalloc-devel
+BuildRequires: libattr-devel
+BuildRequires: protobuf-c
 BuildRequires: cryptsetup
 BuildRequires: fuse3-devel
 %if ("%{?squashfuse_version}" != "") || ("%{e2fsprogs_version}" != "") || ("%{fuse_overlayfs_version}" != "") || ("%{?squashfs_tools_version}" != "")
@@ -224,6 +246,10 @@ install -m 755 squashfs-tools-%{squashfs_tools_version}/squashfs-tools/mksquashf
 install -m 755 squashfs-tools-%{squashfs_tools_version}/squashfs-tools/unsquashfs %{buildroot}%{_libexecdir}/%{name}/bin/unsquashfs
 %endif
 
+%if "%{?PRoot_version}" != ""
+install -m 755 PRoot-%{PRoot_version}/src/proot %{buildroot}%{_libexecdir}/%{name}/bin/proot
+%endif
+
 %post
 # $1 in %%posttrans cannot distinguish between fresh installs and upgrades,
 # so check it here and create a file to pass the knowledge to that step
@@ -295,6 +321,9 @@ fi
 %{_libexecdir}/%{name}/bin/mksquashfs
 %{_libexecdir}/%{name}/bin/unsquashfs
 %endif
+%if "%{?PRoot_version}" != ""
+%{_libexecdir}/%{name}/bin/proot
+%endif
 %{_libexecdir}/%{name}/cni
 %{_libexecdir}/%{name}/lib
 %dir %{_sysconfdir}/%{name}