fix remote build isolation when server runs as root
I am really not sure why the caller even should have the option to set this. We should always use the correct isolation type based on the privileges the server runs under never the client. podman-remote build seems to send the default based on its local privs which was wrong as well. To fix this I also changed the client to send the default if the isolation flag is not set. Fixes #22109 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit is contained in:
Paul Holzinger
parent
8241cd0e59
commit
493179be45
|
|
@ -400,9 +400,14 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *Buil
|
||||||
compression = buildahDefine.Uncompressed
|
compression = buildahDefine.Uncompressed
|
||||||
}
|
}
|
||||||
|
|
||||||
isolation, err := parse.IsolationOption(flags.Isolation)
|
isolation := buildahDefine.IsolationDefault
|
||||||
if err != nil {
|
// Only parse the isolation when it is actually needed as we do not want to send a wrong default
|
||||||
return nil, err
|
// to the server in the remote case (root vs rootless).
|
||||||
|
if flags.Isolation != "" {
|
||||||
|
isolation, err = parse.IsolationOption(flags.Isolation)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
usernsOption, idmappingOptions, err := parse.IDMappingOptions(c, isolation)
|
usernsOption, idmappingOptions, err := parse.IDMappingOptions(c, isolation)
|
||||||
|
|
|
||||||
|
|
@ -383,10 +383,19 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// make sure to force rootless as rootless otherwise buildah runs code which is intended to be run only as root.
|
// Make sure to force rootless as rootless otherwise buildah runs code which is intended to be run only as root.
|
||||||
if isolation == buildah.IsolationOCI && rootless.IsRootless() {
|
// Same the other way around: https://github.com/containers/podman/issues/22109
|
||||||
isolation = buildah.IsolationOCIRootless
|
switch isolation {
|
||||||
|
case buildah.IsolationOCI:
|
||||||
|
if rootless.IsRootless() {
|
||||||
|
isolation = buildah.IsolationOCIRootless
|
||||||
|
}
|
||||||
|
case buildah.IsolationOCIRootless:
|
||||||
|
if !rootless.IsRootless() {
|
||||||
|
isolation = buildah.IsolationOCI
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
registry = ""
|
registry = ""
|
||||||
format = query.OutputFormat
|
format = query.OutputFormat
|
||||||
} else {
|
} else {
|
||||||
|
|
|
||||||
|
|
@ -54,6 +54,16 @@ var _ = Describe("run basic podman commands", func() {
|
||||||
Expect(runAlp).To(Exit(0))
|
Expect(runAlp).To(Exit(0))
|
||||||
Expect(runAlp.outputToString()).To(ContainSubstring("Alpine Linux"))
|
Expect(runAlp.outputToString()).To(ContainSubstring("Alpine Linux"))
|
||||||
|
|
||||||
|
contextDir := GinkgoT().TempDir()
|
||||||
|
cfile := filepath.Join(contextDir, "Containerfile")
|
||||||
|
err = os.WriteFile(cfile, []byte("FROM quay.io/libpod/alpine_nginx\nRUN ip addr\n"), 0o644)
|
||||||
|
Expect(err).ToNot(HaveOccurred())
|
||||||
|
|
||||||
|
build, err := mb.setCmd(bm.withPodmanCommand([]string{"build", contextDir})).run()
|
||||||
|
Expect(err).ToNot(HaveOccurred())
|
||||||
|
Expect(build).To(Exit(0))
|
||||||
|
Expect(build.outputToString()).To(ContainSubstring("COMMIT"))
|
||||||
|
|
||||||
rmCon, err := mb.setCmd(bm.withPodmanCommand([]string{"rm", "-a"})).run()
|
rmCon, err := mb.setCmd(bm.withPodmanCommand([]string{"rm", "-a"})).run()
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
Expect(rmCon).To(Exit(0))
|
Expect(rmCon).To(Exit(0))
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue