Today I Learned ...

... Hugomods Container Images and rootless vs. non-root

This blog is powered by the Hugo static site generator. I run this Hugo installation in a rootless podman container. While looking for a fitting container image (so I don’t have to maintain my own), I found the hugomods Docker images. They have a ton of images to run Hugo for all kinds of environments. I found various images tagged non-root and thought: Bam! That’s what I’m looking for! I was pretty surprised that it didn’t work. Instead, this (simplified) podman call would give me a permission error:

❯ podman run --name hugolocal --rm -v ${PWD}:/src:Z -v ${HOME}/.cache/hugo_cache:/tmp/hugo_cache:Z hugomods/hugo:non-root server

Built in 0 ms
Error: error building site: failed to acquire a build lock: open /src/.hugo_build.lock: permission denied

Notice I did not forget to use the Z flags that are commonly used with rootless podman. So I was quite surprised: Why would a container image made for a rootless context give me exactly the problems it should avoid?

Turns out non-root did not mean “fitted for rootless containers”, but quite the opposite: the user inside the hugomods non-root containers is, quite literally, not root but hugo. So it’s in fact meant for root containers that should not run things as the root user. It makes a lot more sense, of course, but is exactly the opposite of what I had assumed. Dummy me.
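
Added example, not part of the original post: in a rootless container, container UIDs are translated to host UIDs through the user-namespace map (printed by `podman unshare cat /proc/self/uid_map`), so only container root is backed by the host user who owns the mounted site directory. The script below translates UIDs through a constructed map; the host UID 1000, the subuid range and the UID used for hugo are assumptions.

```shell
#!/bin/sh
# Constructed sample in /proc/self/uid_map format:
#   <first UID inside namespace> <first UID on host> <range length>
# Host UID 1000 and the subuid range starting at 100000 are assumed values.
SAMPLE_UID_MAP='0 1000 1
1 100000 65536'
ASSUMED_HUGO_UID=1000   # assumption: the image's real UID for "hugo" may differ

# Print the host UID behind a container UID, or "unmapped".
host_uid_for() {
    container_uid=$1
    result=unmapped
    while read -r inside outside length; do
        [ -n "$inside" ] || continue
        if [ "$container_uid" -ge "$inside" ] &&
           [ "$container_uid" -lt $(( $inside + $length )) ]; then
            result=$(( $outside + $container_uid - $inside ))
        fi
    done <<EOF
$2
EOF
    echo "$result"
}

# Print "yes" if the container UID is the owner of a bind-mounted directory
# whose mode only lets its owner (a host UID) write, otherwise "no".
owner_can_write() {
    if [ "$(host_uid_for "$1" "$3")" = "$2" ]; then echo yes; else echo no; fi
}

for uid in 0 "$ASSUMED_HUGO_UID"; do
    echo "container UID $uid -> host UID $(host_uid_for "$uid" "$SAMPLE_UID_MAP")," \
         "can write /src owned by host UID 1000: $(owner_can_write "$uid" 1000 "$SAMPLE_UID_MAP")"
done
```

With this map, the hugo user lands on a subordinate host UID that does not own the mounted directory, which matches the `permission denied` on `/src/.hugo_build.lock`.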
