author | Paul Holzinger <pholzing@redhat.com> | 2022-01-24 19:47:28 +0100 |
---|---|---|
committer | Paul Holzinger <pholzing@redhat.com> | 2022-01-24 19:51:59 +0100 |
commit | dbfe79757b33231b3e5dc8537deb85fba8402eef (patch) | |
tree | b86a955cfeb367eff2c711ddb804dfe3c1fd4d55 /pkg/api | |
parent | 54bfabb78a09bc50f270a81756a303e49965f253 (diff) | |
remote build: set rootless oci isolation correctly
When we run rootless, buildah needs to have IsolationOCIRootless set;
otherwise it will run code which cannot be used as a rootless user.
Podman should use the buildah default if possible and change it to
rootless mode if needed.
[NO NEW TESTS NEEDED] Should be covered by existing tests once we have
podman-remote rootless tests.
Fixes #12989
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Diffstat (limited to 'pkg/api')
-rw-r--r-- | pkg/api/handlers/compat/images_build.go | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go
index 707551eab..cc9667202 100644
--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -22,6 +22,7 @@ import (
 api "github.com/containers/podman/v4/pkg/api/types"
 "github.com/containers/podman/v4/pkg/auth"
 "github.com/containers/podman/v4/pkg/channel"
+ "github.com/containers/podman/v4/pkg/rootless"
 "github.com/containers/storage/pkg/archive"
 "github.com/docker/docker/pkg/jsonmessage"
 "github.com/gorilla/schema"
@@ -300,7 +301,17 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 registry := query.Registry
 isolation := buildah.IsolationDefault
 if utils.IsLibpodRequest(r) {
- isolation = parseLibPodIsolation(query.Isolation)
+ var err error
+ isolation, err = parseLibPodIsolation(query.Isolation)
+ if err != nil {
+ utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "failed to parse isolation"))
+ return
+ }
+
+ // make sure to force rootless as rootless otherwise buildah runs code which is intended to be run only as root.
+ if isolation == buildah.IsolationOCI && rootless.IsRootless() {
+ isolation = buildah.IsolationOCIRootless
+ }
 registry = ""
 format = query.OutputFormat
 } else {
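Review bot: A malformed `isolation` query value is a client error, but the new `if err != nil` branch in BuildImage answers it with `http.StatusInternalServerError`; `utils.Error(w, http.StatusBadRequest, errors.Wrap(err, "failed to parse isolation"))` would tell the caller the request was wrong rather than that the service failed. This matters more than before because the old parser silently fell back to the default for unknown names, whereas names are now delegated to `parse.IsolationOption`, whose accepted spellings are not visible here. If it rejects the `IsolationOCI`-style names the old switch accepted, existing clients will start receiving errors, so the status code and message should make the cause obvious. BuildImage's body starts and ends outside the hunk.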
@@ -698,22 +709,11 @@ func parseNetworkConfigurationPolicy(network string) buildah.NetworkConfiguratio
 }
 }
 
-func parseLibPodIsolation(isolation string) buildah.Isolation { // nolint
+func parseLibPodIsolation(isolation string) (buildah.Isolation, error) { // nolint
 if val, err := strconv.Atoi(isolation); err == nil {
- return buildah.Isolation(val)
- }
- switch isolation {
- case "IsolationDefault", "default":
- return buildah.IsolationDefault
- case "IsolationOCI":
- return buildah.IsolationOCI
- case "IsolationChroot":
- return buildah.IsolationChroot
- case "IsolationOCIRootless":
- return buildah.IsolationOCIRootless
- default:
- return buildah.IsolationDefault
+ return buildah.Isolation(val), nil
 }
+ return parse.IsolationOption(isolation)
 }
 
 func extractTarFile(r *http.Request) (string, error) { |
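Review bot: The numeric branch of parseLibPodIsolation still returns `buildah.Isolation(val), nil` for any integer the request carries, so an out-of-range number bypasses both the new error path and the `isolation == buildah.IsolationOCI` rootless override in BuildImage. Checking the converted value against the known constants before returning it keeps this request parameter within the modes the service intends to offer; how buildah treats an unknown value is not visible here. The blanket `// nolint` on the signature would also be easier to audit if it named the linter and the reason.

```go
func parseLibPodIsolation(isolation string) (buildah.Isolation, error) { // nolint
	if val, err := strconv.Atoi(isolation); err == nil {
		// Only pass through numeric values that map to a known isolation mode.
		switch iso := buildah.Isolation(val); iso {
		case buildah.IsolationDefault, buildah.IsolationOCI,
			buildah.IsolationChroot, buildah.IsolationOCIRootless:
			return iso, nil
		default:
			return buildah.IsolationDefault, errors.Errorf("invalid isolation value %d", val)
		}
	}
	// … unchanged: return parse.IsolationOption(isolation) …
```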