author | Valentin Rothberg <rothberg@redhat.com> | 2021-02-04 15:07:44 +0100 |
---|---|---|
committer | Matthew Heon <matthew.heon@pm.me> | 2021-02-05 13:55:15 -0500 |
commit | 353c3b04d15dc4fb3e07f06d8227eed35f350ef1 (patch) | |
tree | daa148b96bb2653e159d42e28aea9378943ae6c6 | |
parent | 9cf6b7f8dcfb1c6984ebf9cc49635ff97f29c4d7 (diff) | |

fix logic when not creating a workdir

When resolving the workdir of a container, we may need to create unless
the user set it explicitly on the command line. Otherwise, we just do a
presence check. Unfortunately, there was a missing return that led us
to fall through into attempting to create and chown the workdir. That
caused a regression when running on a read-only root fs.

Fixes: #9230

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

-rw-r--r-- | libpod/container_internal_linux.go | 1 |
-rw-r--r-- | test/system/030-run.bats | 13 |
2 files changed, 14 insertions, 0 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 6c9489a08..ba85a1f47 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -213,6 +213,7 @@ func (c *Container) resolveWorkDir() error { // we need to return the full error. return errors.Wrapf(err, "error detecting workdir %q on container %s", workdir, c.ID()) } + return nil } // Ensure container entrypoint is created (if required). diff --git a/test/system/030-run.bats b/test/system/030-run.bats index dcf1da370..98e34238e 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -608,6 +608,19 @@ json-file | f # a subdir of a volume. run_podman run --rm --workdir /IamNotOntheImage -v $testdir/content:/IamNotOntheImage/foo $IMAGE cat foo is "$output" "$randomcontent" "cat random content" + + # Make sure that running on a read-only rootfs works (#9230). + if ! is_rootless && ! is_remote; then + # image mount is hard to test as a rootless user + # and does not work remotely + run_podman image mount $IMAGE + romount="$output" + + run_podman run --rm --rootfs $romount echo "Hello world" + is "$output" "Hello world" + + run_podman image unmount $IMAGE + fi } # vim: filetype=sh |
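Review bot: The new `return nil` in `resolveWorkDir()` carries no comment, and nothing in the visible lines says why the function must stop there. The commit message explains that this path is the presence-check-only case and must not fall through into creating and chowning the workdir, but that reasoning lives only in the commit log. A one-line comment directly above `return nil` stating that the workdir was found and must not be created or chowned here would make the early return harder to remove by accident, which matters because the fall-through is what broke read-only root filesystems (#9230).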
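Review bot: In the `test/system/030-run.bats` hunk, `run_podman image unmount $IMAGE` is only reached when the two lines before it succeed, so a failing `run_podman run --rm --rootfs $romount ...` or a failing `is` leaves the image mounted for every later test in the run. Consider moving the unmount into teardown, or capturing the output first and unmounting before the `is` assertion. Two smaller points in the same block: `$romount` is expanded unquoted in `--rootfs $romount`, and `is "$output" "Hello world"` omits the description argument that the preceding `is "$output" "$randomcontent" "cat random content"` supplies, so a failure here will be harder to identify in the test log.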