From a68f72f4c31ce563c4bdf45014de6bee111bd616 Mon Sep 17 00:00:00 2001
From: Dusty Mabe
Date: Tue, 13 Sep 2022 13:57:52 -0400
Subject: [PATCH] build.sh: allow the builder user to run rootless podman

We do *some* podman operations inside the COSA container. If running locally as the `builder` user podman will barf when trying to run newuidmap if we don't change up the subuid/subgid mappings.

With this change we'll be able to test in our local rootless podman COSA container that `cosa push-container-manifest` works.

In order to figure out this worked (at least for what limited podman manifest commands I'm running) I first followed the issue at [1] and realized I had success with the `quay.io/podman/stable` image and then looked inside the image to see what the mapping was. I then lifted the mapping from there [2] and applied it here and it works.

Note that inside the pipeline right now (in OpenShift) we still run as a random user but that seems to still be working OK for us for pushing the manifest because it can't find the random UID/GID in /etc/{subuid,subgid} so it falls back to "rootless single mapping into the namespace".

[1] https://github.com/containers/podman/issues/4056#issuecomment-1245715492
[2] https://github.com/containers/podman/blob/6e382d9ec2e6eb79a72537544341e496368b6c63/contrib/podmanimage/stable/Containerfile#L25-L26
---
 build.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/build.sh b/build.sh
index afb7622214..5a51fc33f4 100755
--- a/build.sh
+++ b/build.sh
@@ -133,6 +133,13 @@ configure_user(){ echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/wheel-nopasswd # Contents of /etc/sudoers.d need not to be world writable chmod 600 /etc/sudoers.d/wheel-nopasswd + + # Allow the builder user to run rootless podman + # Referenced at: https://github.com/containers/podman/issues/4056#issuecomment-1245715492 + # Lifted from: https://github.com/containers/podman/blob/6e382d9ec2e6eb79a72537544341e496368b6c63/contrib/podmanimage/stable/Containerfile#L25-L26 + echo -e "builder:1:999\nbuilder:1001:64535" > /etc/subuid + echo -e "builder:1:999\nbuilder:1001:64535" > /etc/subgid + } write_archive_info() {
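Review bot: the two `echo -e ... > /etc/subuid` and `> /etc/subgid` lines in this hunk overwrite the files wholesale instead of appending, so any entry already present (for example one created by `useradd` earlier in `configure_user`) is silently discarded; prefer `>>` or `usermod --add-subuids`/`--add-subgids` for the builder user. The ranges `builder:1:999` and `builder:1001:64535` are also hardcoded around a gap at 1000, which only lines up if the builder user's own UID and GID are exactly 1000 as in the podman image the values were lifted from; a comment stating that assumption, or deriving the ranges from `id -u builder`, would keep this from breaking quietly if the UID ever changes. Finally, `1:999` lets the builder user map the container's system UIDs/GIDs into its user namespace, which is fine for the nested rootless case this is meant for, but that intent deserves a comment next to the two links so a later reader does not widen or reuse the mapping elsewhere.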