From c3a85cbd0a7af5c713b359f5447b724b026bc336 Mon Sep 17 00:00:00 2001
From: Dusty Mabe
Date: Tue, 13 Sep 2022 13:57:52 -0400
Subject: [PATCH] build.sh: allow the builder user to run rootless podman

We do *some* podman operations inside the COSA container. If running
locally as the `builder` user podman will barf when trying to run
newuidmap if we don't change up the subuid/subgid mappings.

With this change we'll be able to test in our local rootless podman
COSA container that `cosa push-container-manifest` works.

In order to figure out this worked (at least for what limited podman
manifest commands I'm running) I first followed the issue at [1] and
realized I had success with the `quay.io/podman/stable` image and then
looked inside the image to see what the mapping was. I then lifted the
mapping from there [2] and applied it here and it works.

Note that inside the pipeline right now (in OpenShift) we still run as
a random user but that seems to still be working OK for us for pushing
the manifest because it can't find the random UID/GID in
/etc/{subuid,subgid} so it falls back to "rootless single mapping into
the namespace".

[1] https://github.com/containers/podman/issues/4056#issuecomment-1245715492
[2] https://github.com/containers/podman/blob/6e382d9ec2e6eb79a72537544341e496368b6c63/contrib/podmanimage/stable/Containerfile#L25-L26

(cherry picked from commit 5ffbf12d229854a79c0b1e53ce2bc4ffdeda5c88)
(cherry picked from commit a76d27d8620f69bbbc91e34b241f6fb077166257)
---
 build.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/build.sh b/build.sh
index f376160160..3cda7787c1 100755
--- a/build.sh
+++ b/build.sh
@@ -122,6 +122,13 @@ configure_user(){ echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/wheel-nopasswd # Contents of /etc/sudoers.d need not to be world writable chmod 600 /etc/sudoers.d/wheel-nopasswd + + # Allow the builder user to run rootless podman + # Referenced at: https://github.com/containers/podman/issues/4056#issuecomment-1245715492 + # Lifted from: https://github.com/containers/podman/blob/6e382d9ec2e6eb79a72537544341e496368b6c63/contrib/podmanimage/stable/Containerfile#L25-L26 + echo -e "builder:1:999\nbuilder:1001:64535" > /etc/subuid + echo -e "builder:1:999\nbuilder:1001:64535" > /etc/subgid + } write_archive_info() {
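Review bot: the two ranges `builder:1:999` and `builder:1001:64535` leave a gap only at 1000, so they silently assume the builder account is UID/GID 1000; if configure_user ever creates it with a different id the ranges overlap the user's own id and newuidmap will reject them, so either derive the ranges from `id -u builder` or state the assumption in a comment. The `1:999` range also lets rootless podman map host system UIDs/GIDs 1 through 999 into the builder's user namespaces, which is wider than the conventional high ranges; that is what the quay.io/podman/stable Containerfile does and the context lines of this hunk already hand wheel a `NOPASSWD: ALL` sudoers rule, but a one-line note next to the echo lines saying the wide range is deliberate would save the next reader the question. Minor: `echo -e` is a bashism and the `>` redirects clobber any existing /etc/subuid and /etc/subgid entries; `printf 'builder:1:999\nbuilder:1001:64535\n' >> /etc/subuid` (and the same for subgid) is the portable, non-destructive form.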