Merge pull request #7 from stacklok/fix/best-effort-chown-macos

Make rootfs hook chown best-effort for macOS support

Author: JAORMX

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06
 	github.com/sergi/go-diff v1.4.0
 	github.com/spf13/cobra v1.10.2
-	github.com/stacklok/propolis v0.0.6
+	github.com/stacklok/propolis v0.0.7-0.20260303111539-b54bd3284abf
 	github.com/stacklok/toolhive v0.10.0
 	github.com/stacklok/toolhive-core v0.0.6
 	github.com/stretchr/testify v1.11.1

go.sum

@@ -628,8 +628,8 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
-github.com/stacklok/propolis v0.0.6 h1:Szfo4xeYX3pQpHzDOzSomo2zngIyFE3t4yRA4MqVPp0=
-github.com/stacklok/propolis v0.0.6/go.mod h1:GK7TUXCm4J8Hh/QFoIGuXE4szSt8PWDZWzj1JPpqxVU=
+github.com/stacklok/propolis v0.0.7-0.20260303111539-b54bd3284abf h1:HsQYq1H56kvEbgc+/4qwFpEr3HcyfMQ0b8dCcCHwesU=
+github.com/stacklok/propolis v0.0.7-0.20260303111539-b54bd3284abf/go.mod h1:GK7TUXCm4J8Hh/QFoIGuXE4szSt8PWDZWzj1JPpqxVU=
 github.com/stacklok/toolhive v0.10.0 h1:yXTR2ZbD83tGjSjSS2ypg61dYWZ3AwKxCyq3cACELOc=
 github.com/stacklok/toolhive v0.10.0/go.mod h1:5suFGdrDM9j8Vh/ULROVO2qImpm+kMklXHcVBNFxL9Y=
 github.com/stacklok/toolhive-core v0.0.6 h1:JLJpL4qyGh3z/fZKk+NNavziNCdtJlHoqroqBdWH6x8=

internal/infra/vm/mcpconfig.go

@@ -7,16 +7,30 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"log/slog"
 	"os"
 	"path/filepath"
 
 	toml "github.com/pelletier/go-toml/v2"
 )
 
 // ChownFunc abstracts file ownership changes for testability.
-// Production code passes os.Chown; tests can pass a recording mock.
+// Production code uses bestEffortLchown; tests can pass a recording mock.
 type ChownFunc func(path string, uid, gid int) error
 
+// bestEffortLchown attempts os.Lchown and silently ignores permission errors.
+// On macOS non-root users cannot chown to a different UID; the guest init
+// will fix ownership at boot time. Lchown is used instead of Chown to avoid
+// following symlinks in the rootfs.
+func bestEffortLchown(path string, uid, gid int) error {
+	if err := os.Lchown(path, uid, gid); err != nil {
+		if !os.IsPermission(err) {
+			slog.Warn("lchown failed", "path", path, "uid", uid, "gid", gid, "err", err)
+		}
+	}
+	return nil
+}
+
 // sandboxHome is the home directory of the sandbox user inside the guest.
 // Config files are written here because /workspace is mounted via virtiofs
 // and would shadow anything written into the rootfs at that path.

internal/infra/vm/runner.go

@@ -149,7 +149,7 @@ func (r *PropolisRunner) Start(ctx context.Context, cfg domvm.VMConfig) (domvm.V
 			hooks.InjectFile("/etc/ssh/ssh_host_ecdsa_key", hostKeyPEM, 0o600),
 			InjectInitBinary(),
 			hooks.InjectEnvFile("/etc/sandbox-env", cfg.EnvVars),
-			InjectGitConfig(cfg.GitIdentity, cfg.HasGitToken, os.Chown),
+			InjectGitConfig(cfg.GitIdentity, cfg.HasGitToken, bestEffortLchown),
 		),
 		propolis.WithInitOverride("/bbox-init"),
 		propolis.WithPostBoot(func(ctx context.Context, _ *propolis.VM) error {
@@ -198,7 +198,7 @@ func (r *PropolisRunner) Start(ctx context.Context, cfg domvm.VMConfig) (domvm.V
 	// Add MCP config injection hook if host services and agent format are set.
 	if len(cfg.HostServices) > 0 && cfg.MCPConfigFormat != "" && cfg.MCPConfigFormat != agent.MCPConfigFormatNone {
 		opts = append(opts, propolis.WithRootFSHook(
-			InjectMCPConfig(cfg.MCPConfigFormat, topology.GatewayIP, cfg.HostServices[0].Port, os.Chown),
+			InjectMCPConfig(cfg.MCPConfigFormat, topology.GatewayIP, cfg.HostServices[0].Port, bestEffortLchown),
 		))
 	}