- Bug
- Resolution: Duplicate
- Normal
- None
- 4.13, 4.14
- None
- No
- False
Description of problem:
When using oc-mirror to push container images into a registry from a tar archive created by oc mirror, the resulting catalog image fails to run because the /config directory inside the image is readable only by root.
Version-Release number of selected component (if applicable):
How reproducible:
100%
Steps to Reproduce:
1. Set the system umask to 0077 per the RHEL 8 and RHEL 9 STIG
2. Use oc mirror to mirror from a tar archive into a container registry
3. Deploy the catalog created by oc-mirror
Actual results:
Catalog container stuck in CrashLoopBackOff with error: compute digest: write tar: stat /configs/.: permission denied
Expected results:
Catalog container runs correctly and the operator is visible in the cluster OperatorHub.
Additional info:
oc mirror creates files in the catalog image using the umask of the system that oc mirror is running on. The STIG-required umask is 0077 (owner read/write only), which gives the /config directory 0700 permissions. The catalog image runs under a non-root service account, which therefore cannot access the catalog files under /config inside the catalog container. While it is difficult for oc mirror to anticipate every problem related to the underlying host OS, this is a case where a system setting common to NAPS customers (applying the STIG) results in oc-mirror creating non-working catalogs and customers being unable to deploy the operators they have mirrored. The current workaround is to manually set "umask 0022" in the terminal before running the oc-mirror command that pushes images from the tar archive.
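The mechanism described above can be reproduced without oc-mirror at all, because it is the calling shell's umask, not anything in the tool, that decides the mode of the files it writes. The following script is an added example, not code from the bug report or from oc-mirror: it builds a small catalog-like tree under umask 0077 and under umask 0022, and provides a check for the owner-only modes that a non-root process inside the container cannot read. The directory and file names (configs/my-operator/catalog.json) are constructed for the demo; `stat -c` is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example (not part of the bug report or of oc-mirror): shows how the
# process umask determines the mode of a "configs" tree written by a tool,
# and checks for modes that a non-root, non-owner container user cannot read.

# Build a small catalog-like tree under the given umask. The umask is set in
# a subshell so the change does not leak into the caller.
# Usage: build_tree 0077 /tmp/x  -> /tmp/x/configs/my-operator/catalog.json
build_tree() {
    um="$1"
    base="$2"
    ( umask "$um" && mkdir -p "$base/configs/my-operator" \
      && : > "$base/configs/my-operator/catalog.json" )
}

# Print the octal mode of the configs directory created under a given umask.
# Usage: mode_under_umask 0077 -> 700 ; mode_under_umask 0022 -> 755
mode_under_umask() {
    base=$(mktemp -d)
    build_tree "$1" "$base"
    mode=$(stat -c '%a' "$base/configs")
    rm -rf "$base"
    printf '%s\n' "$mode"
}

# Return 0 if every entry below the directory is readable by "other"
# (directories also traversable), which is what a non-root user that does
# not own the files needs inside the container. Otherwise print the
# offending entries and return 1.
#   -perm -005: other has r and x      -perm -004: other has r
check_world_readable() {
    dir="$1"
    bad=$(find "$dir" \( \( -type d ! -perm -005 \) -o \( ! -type d ! -perm -004 \) \) -print)
    if [ -n "$bad" ]; then
        printf 'not readable by other:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Demo: the STIG umask yields an owner-only tree, umask 0022 a usable one.
for um in 0077 0022; do
    base=$(mktemp -d)
    build_tree "$um" "$base"
    if check_world_readable "$base/configs"; then
        echo "umask $um: configs mode $(stat -c '%a' "$base/configs"), usable by a non-root container user"
    else
        echo "umask $um: configs mode $(stat -c '%a' "$base/configs"), catalog would fail with permission denied"
    fi
    rm -rf "$base"
done
```

The check only looks at mode bits, so it gives the same verdict whether it is run as root or not; the same `find` expression can be pointed at an unpacked image layer to confirm that a mirrored catalog's configs tree is readable by a non-root service account before it is deployed.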
Duplicates: OCPBUGS-26078 oc-mirror creates index image incorrectly with non-default umask (Closed)