Skip to content

Commit

Permalink
build.sh: allow the builder user to run rootless podman
Browse files Browse the repository at this point in the history
We do *some* podman operations inside the COSA container. If running
locally as the `builder` user podman will barf when trying to run
newuidmap if we don't change up the subuid/subgid mappings.

With this change we'll be able to test in our local rootless podman
COSA container that `cosa push-container-manifest` works.

In order to figure out this worked (at least for what limited podman
manifest commands I'm running) I first followed the issue at [1]
and realized I had success with the `quay.io/podman/stable` image
and then looked inside the image to see what the mapping was.
I then lifted the mapping from there [2] and applied it here and
it works.

Note that inside the pipeline right now (in OpenShift) we still run
as a random user but that seems to still be working OK for us for
pushing the manifest because it can't find the random UID/GID in
/etc/{subuid,subgid} so it falls back to "rootless single mapping
into the namespace".

[1] containers/podman#4056 (comment)
[2] https://github.com/containers/podman/blob/6e382d9ec2e6eb79a72537544341e496368b6c63/contrib/podmanimage/stable/Containerfile#L25-L26
  • Loading branch information
dustymabe committed Sep 13, 2022
1 parent 6347728 commit a68f72f
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions build.sh
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,13 @@ configure_user(){
echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/wheel-nopasswd
# Contents of /etc/sudoers.d need not to be world writable
chmod 600 /etc/sudoers.d/wheel-nopasswd

# Allow the builder user to run rootless podman
# Referenced at: https://github.com/containers/podman/issues/4056#issuecomment-1245715492
# Lifted from: https://github.com/containers/podman/blob/6e382d9ec2e6eb79a72537544341e496368b6c63/contrib/podmanimage/stable/Containerfile#L25-L26
echo -e "builder:1:999\nbuilder:1001:64535" > /etc/subuid
echo -e "builder:1:999\nbuilder:1001:64535" > /etc/subgid

}

write_archive_info() {
Expand Down

0 comments on commit a68f72f

Please sign in to comment.