fix(hardened-images): don't override permissions in /usr/local, for #16

[stasadev]

The Issue

While testing a project with hardened images + this add-on, it didn't work:

$ ddev logs -s web
...
+ mkcert -install
Warning: "sudo" is not available, and mkcert is not running as root. The (un)install operation might fail. ⚠
ERROR: failed to execute "tee": exit status 1

tee: /usr/local/share/ca-certificates/mkcert_development_CA_150415661751699325916863148199739114787.crt: Permission denied
...

The reason why it didn't work is the same as in:

• fix: set permissions for /usr/local/bin #16

We have this in the Dockerfile for ddev-webserver:

RUN chmod ugo+w /etc/ssl/certs /usr/local/share/ca-certificates

It didn't fail with usual (not hardened) webimage is because mkcert -install silently added passwordless sudo.

How This PR Solves The Issue

Copies /usr/local to a temporary directory instead, and only then copies it to the target /usr/local preserving the existing permissions.

Manual Testing Instructions

ddev add-on get https://github.com/ddev/ddev-python2/tarball/refs/pull/18/head
ddev config global --use-hardened-images=true
ddev restart
ddev exec python --version
ddev exec pip --version

Automated Testing Overview

Release/Deployment Notes