From 9951683ff7f67e497bfaaf55ee1060a681d4b646 Mon Sep 17 00:00:00 2001 From: Foivos Zakkak Date: Wed, 24 Feb 2021 02:38:28 +0200 Subject: [PATCH] Don't use --user and --userns in remote containers Using them results in files being copied back to host to be owned by the guest user instead of the host user. e.g. $ podman create --name temp --user 1000:1000 --userns=keep-id -it \ quay.io/quarkus/ubi-quarkus-native-image:21.0.0-java11 $ podman cp temp:/opt/graalvm/bin/native-image remote-native-image $ ls -la remote-native-image -rwxr-xr-x. 1 100000 100000 14641161 Feb 14 03:28 remote-native-image* $ id -u 1000 (cherry picked from commit 5d4f39d78c113a17b45b4a16973dbcf3a41ea949)
---
 .../steps/NativeImageBuildContainerRunner.java | 18 +----------------- .../NativeImageBuildLocalContainerRunner.java | 13 +++++++++++++ 2 files changed, 14 insertions(+), 17 deletions(-)
diff --git a/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildContainerRunner.java b/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildContainerRunner.java
index 0e282fbd4eb48..a506922338610 100644
--- a/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildContainerRunner.java
+++ b/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildContainerRunner.java
@@ -1,7 +1,5 @@
 package io.quarkus.deployment.pkg.steps;
-import static io.quarkus.deployment.pkg.steps.LinuxIDUtil.getLinuxID;
-
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
@@ -12,7 +10,6 @@
 import java.util.function.Function;
 import java.util.stream.Stream;
-import org.apache.commons.lang3.SystemUtils;
 import org.jboss.logging.Logger;
 import io.quarkus.deployment.pkg.NativeConfig;
@@ -33,23 +30,10 @@ public NativeImageBuildContainerRunner(NativeConfig nativeConfig, Path outputDir
 containerRuntime = nativeConfig.containerRuntime.orElseGet(NativeImageBuildContainerRunner::detectContainerRuntime);
 log.infof("Using %s to run the native image builder", containerRuntime.getExecutableName());
- List containerRuntimeArgs = new ArrayList<>();
- Collections.addAll(containerRuntimeArgs, "--env", "LANG=C");
+ this.baseContainerRuntimeArgs = new String[] { "--env", "LANG=C" };
 outputPath = outputDir == null ? null : outputDir.toAbsolutePath().toString();
- if (SystemUtils.IS_OS_LINUX) {
- String uid = getLinuxID("-ur");
- String gid = getLinuxID("-gr");
- if (uid != null && gid != null && !uid.isEmpty() && !gid.isEmpty()) {
- Collections.addAll(containerRuntimeArgs, "--user", uid + ":" + gid);
- if (containerRuntime == NativeConfig.ContainerRuntime.PODMAN) {
- // Needed to avoid AccessDeniedExceptions
- containerRuntimeArgs.add("--userns=keep-id");
- }
- }
- }
- this.baseContainerRuntimeArgs = containerRuntimeArgs.toArray(new String[0]);
 }
 @Override
diff --git a/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildLocalContainerRunner.java b/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildLocalContainerRunner.java
index 301ff34d40e2f..ec8e6ee6cb4e2 100644
--- a/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildLocalContainerRunner.java
+++ b/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildLocalContainerRunner.java
@@ -1,5 +1,7 @@
 package io.quarkus.deployment.pkg.steps;
+import static io.quarkus.deployment.pkg.steps.LinuxIDUtil.getLinuxID;
+
 import java.nio.file.Path;
 import java.util.Collections;
 import java.util.List;
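Review bot: The added line `this.baseContainerRuntimeArgs = new String[] { "--env", "LANG=C" };` in the constructor has no comment recording that the user mapping was left out on purpose, so a later reader may well re-add it here. A one-line comment above it would do, for example `// No --user/--userns here: with a remote daemon they make copied-back files owned by the guest uid; the local runner adds them itself.` After this change a runner that does not add `--user` on its own appears to start the builder as the image's default user, which is worth stating in the class Javadoc if that is the intent. The constructor starts above this hunk, so only its tail is visible.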
@@ -21,7 +23,18 @@ protected List getContainerRuntimeBuildArgs() {
 String volumeOutputPath = outputPath;
 if (SystemUtils.IS_OS_WINDOWS) {
 volumeOutputPath = FileUtil.translateToVolumePath(volumeOutputPath);
+ } else if (SystemUtils.IS_OS_LINUX) {
+ String uid = getLinuxID("-ur");
+ String gid = getLinuxID("-gr");
+ if (uid != null && gid != null && !uid.isEmpty() && !gid.isEmpty()) {
+ Collections.addAll(containerRuntimeArgs, "--user", uid + ":" + gid);
+ if (containerRuntime == NativeConfig.ContainerRuntime.PODMAN) {
+ // Needed to avoid AccessDeniedExceptions
+ containerRuntimeArgs.add("--userns=keep-id");
+ }
+ }
 }
+
 Collections.addAll(containerRuntimeArgs, "--rm", "-v", volumeOutputPath + ":" + NativeImageBuildStep.CONTAINER_BUILD_VOLUME_PATH + ":z");
 return containerRuntimeArgs;
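Review bot: When `getLinuxID` returns null or an empty string for either id, the new `else if (SystemUtils.IS_OS_LINUX)` branch adds no `--user` and reports nothing, so the build presumably runs as the image's default user while writing into the bind-mounted output directory. That fallback should at least be visible: give the inner `if` an `else` that logs a warning such as `log.warn("Could not determine host uid/gid; running the builder container as the image's default user");` (assuming a logger is in scope in this class, which the hunk does not show). It would also be cheap to require both values to be numeric before building the argument, e.g. `uid.matches("\\d+") && gid.matches("\\d+")`, since they are concatenated straight into the `--user` value. The method starts above the hunk, where `containerRuntimeArgs` is defined.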