From dbfe79757b33231b3e5dc8537deb85fba8402eef Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Mon, 24 Jan 2022 19:47:28 +0100
Subject: remote build: set rootless oci isolation correctly

When running rootless, buildah needs IsolationOCIRootless set; otherwise it
runs code that cannot be used as a rootless user. Podman should use the
buildah default where possible and switch to rootless mode only when
needed.

[NO NEW TESTS NEEDED] Should be covered by existing tests once we have
podman-remote rootless tests.

Fixes #12989

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 cmd/podman/images/build.go              |  6 ------
 pkg/api/handlers/compat/images_build.go | 30 +++++++++++++++---------------
 2 files changed, 15 insertions(+), 21 deletions(-)

diff --git a/cmd/podman/images/build.go b/cmd/podman/images/build.go
index f975cd6d5..cde050d5e 100644
--- a/cmd/podman/images/build.go
+++ b/cmd/podman/images/build.go
@@ -183,12 +183,6 @@ func buildFlags(cmd *cobra.Command) {
 	completion.CompleteCommandFlags(cmd, fromAndBudFlagsCompletions)
 	flags.SetNormalizeFunc(buildahCLI.AliasFlags)
 	if registry.IsRemote() {
-		flag = flags.Lookup("isolation")
-		buildOpts.Isolation = buildahDefine.OCI
-		if err := flag.Value.Set(buildahDefine.OCI); err != nil {
-			logrus.Errorf("Unable to set --isolation to %v: %v", buildahDefine.OCI, err)
-		}
-		flag.DefValue = buildahDefine.OCI
 		_ = flags.MarkHidden("disable-content-trust")
 		_ = flags.MarkHidden("cache-from")
 		_ = flags.MarkHidden("sign-by")
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go
index 707551eab..cc9667202 100644
--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -22,6 +22,7 @@ import (
 	api "github.com/containers/podman/v4/pkg/api/types"
 	"github.com/containers/podman/v4/pkg/auth"
 	"github.com/containers/podman/v4/pkg/channel"
+	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/gorilla/schema"
@@ -300,7 +301,17 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 	registry := query.Registry
 	isolation := buildah.IsolationDefault
 	if utils.IsLibpodRequest(r) {
-		isolation = parseLibPodIsolation(query.Isolation)
+		var err error
+		isolation, err = parseLibPodIsolation(query.Isolation)
+		if err != nil {
+			utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "failed to parse isolation"))
+			return
+		}
+
+		// make sure to force rootless as rootless otherwise buildah runs code which is intended to be run only as root.
+		if isolation == buildah.IsolationOCI && rootless.IsRootless() {
+			isolation = buildah.IsolationOCIRootless
+		}
 		registry = ""
 		format = query.OutputFormat
 	} else {
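Review bot: A malformed isolation value in the query string is a client error, but the new error branch at `utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "failed to parse isolation"))` reports it as a 500; since the value comes straight from `query.Isolation`, this should be `utils.Error(w, http.StatusBadRequest, errors.Wrap(err, "failed to parse isolation"))` so a client can tell a bad request from a server failure. Note also that the forced-rootless adjustment only fires when the parsed value is exactly `buildah.IsolationOCI`; whatever parseLibPodIsolation passes through unchanged (notably its integer path) is not validated here, so any range check has to live in the parser. BuildImage starts before and continues past this hunk.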
@@ -698,22 +709,11 @@ func parseNetworkConfigurationPolicy(network string) buildah.NetworkConfiguratio
 	}
 }
 
-func parseLibPodIsolation(isolation string) buildah.Isolation { // nolint
+func parseLibPodIsolation(isolation string) (buildah.Isolation, error) { // nolint
 	if val, err := strconv.Atoi(isolation); err == nil {
-		return buildah.Isolation(val)
-	}
-	switch isolation {
-	case "IsolationDefault", "default":
-		return buildah.IsolationDefault
-	case "IsolationOCI":
-		return buildah.IsolationOCI
-	case "IsolationChroot":
-		return buildah.IsolationChroot
-	case "IsolationOCIRootless":
-		return buildah.IsolationOCIRootless
-	default:
-		return buildah.IsolationDefault
+		return buildah.Isolation(val), nil
 	}
+	return parse.IsolationOption(isolation)
 }
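Review bot: The integer path at `if val, err := strconv.Atoi(isolation); err == nil` still converts any client-supplied integer to `buildah.Isolation` unchecked, so the newly added error return never fires for something like `isolation=42` and an undefined isolation value is handed on to buildah. Restricting the cast to the four constants the removed switch enumerated closes that hole while keeping the numeric wire form; the error can use `errors.Errorf` assuming the file's `errors` package is the one behind the `errors.Wrap` call above (`fmt.Errorf` otherwise). Separately, I cannot see `parse.IsolationOption` from here: if it does not accept the symbolic names the removed switch did ("IsolationDefault", "IsolationOCI", "IsolationChroot", "IsolationOCIRootless"), clients that still send those strings will now get an error instead of the old silent fallback to the default, which is worth confirming against the bindings.
```go
func parseLibPodIsolation(isolation string) (buildah.Isolation, error) { // nolint
	if val, err := strconv.Atoi(isolation); err == nil {
		// Only the known isolation values are accepted; any other integer is a client error
		// rather than something to pass through to buildah unchanged.
		switch iso := buildah.Isolation(val); iso {
		case buildah.IsolationDefault, buildah.IsolationOCI, buildah.IsolationChroot, buildah.IsolationOCIRootless:
			return iso, nil
		default:
			return buildah.IsolationDefault, errors.Errorf("unknown isolation value %d", val)
		}
	}
	return parse.IsolationOption(isolation)
}
```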
 
 func extractTarFile(r *http.Request) (string, error) {
-- 
cgit v1.2.3-54-g00ecf