remote build: set rootless oci isolation correctly

When we run rootless buildah needs to have IsolationOCIRootless set
otherwise it will run code which cannot be used as rootless user.
Podman should use the buildah default if possible and change it to
rootless mode if needed.

[NO NEW TESTS NEEDED] Should be covered by existing tests once we have
podman-remote rootless tests.

Fixes #12989

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

2 files changed, 15 insertions, 21 deletions

diff --git a/cmd/podman/images/build.go b/cmd/podman/images/build.go
index f975cd6d5..cde050d5e 100644
--- a/cmd/podman/images/build.go
+++ b/cmd/podman/images/build.go
@@ -183,12 +183,6 @@ func buildFlags(cmd *cobra.Command) {
 	completion.CompleteCommandFlags(cmd, fromAndBudFlagsCompletions)
 	flags.SetNormalizeFunc(buildahCLI.AliasFlags)
 	if registry.IsRemote() {
-		flag = flags.Lookup("isolation")
-		buildOpts.Isolation = buildahDefine.OCI
-		if err := flag.Value.Set(buildahDefine.OCI); err != nil {
-			logrus.Errorf("Unable to set --isolation to %v: %v", buildahDefine.OCI, err)
-		}
-		flag.DefValue = buildahDefine.OCI
 		_ = flags.MarkHidden("disable-content-trust")
 		_ = flags.MarkHidden("cache-from")
 		_ = flags.MarkHidden("sign-by")
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go
index 707551eab..cc9667202 100644
--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -22,6 +22,7 @@ import (
 	api "github.com/containers/podman/v4/pkg/api/types"
 	"github.com/containers/podman/v4/pkg/auth"
 	"github.com/containers/podman/v4/pkg/channel"
+	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/gorilla/schema"
@@ -300,7 +301,17 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 	registry := query.Registry
 	isolation := buildah.IsolationDefault
 	if utils.IsLibpodRequest(r) {
-		isolation = parseLibPodIsolation(query.Isolation)
+		var err error
+		isolation, err = parseLibPodIsolation(query.Isolation)
+		if err != nil {
+			utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "failed to parse isolation"))
+			return
+		}
+
+		// make sure to force rootless as rootless otherwise buildah runs code which is intended to be run only as root.
+		if isolation == buildah.IsolationOCI && rootless.IsRootless() {
+			isolation = buildah.IsolationOCIRootless
+		}
 		registry = ""
 		format = query.OutputFormat
 	} else {
@@ -698,22 +709,11 @@ func parseNetworkConfigurationPolicy(network string) buildah.NetworkConfiguratio
 	}
 }
 
-func parseLibPodIsolation(isolation string) buildah.Isolation { // nolint
+func parseLibPodIsolation(isolation string) (buildah.Isolation, error) { // nolint
 	if val, err := strconv.Atoi(isolation); err == nil {
-		return buildah.Isolation(val)
-	}
-	switch isolation {
-	case "IsolationDefault", "default":
-		return buildah.IsolationDefault
-	case "IsolationOCI":
-		return buildah.IsolationOCI
-	case "IsolationChroot":
-		return buildah.IsolationChroot
-	case "IsolationOCIRootless":
-		return buildah.IsolationOCIRootless
-	default:
-		return buildah.IsolationDefault
+		return buildah.Isolation(val), nil
 	}
+	return parse.IsolationOption(isolation)
 }
 
 func extractTarFile(r *http.Request) (string, error) {