From f230214db120793d68d95c5b1892ca5d7d128e79 Mon Sep 17 00:00:00 2001
From: Paul Holzinger <paul.holzinger@web.de>
Date: Tue, 6 Apr 2021 23:39:09 +0200
Subject: rootless cni add /usr/sbin to PATH if not present

The CNI plugins need access to iptables in $PATH. On debian /usr/sbin
is not added to $PATH for rootless users. This will break rootless
cni completely. To prevent breaking existing users add /usr/sbin to
$PATH in podman if needed.

Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
---
 libpod/networking_linux.go      | 10 ++++++++++
 test/system/500-networking.bats | 15 +++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index 157c85431..3c4014c73 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -411,6 +411,16 @@ func (r *Runtime) getRootlessCNINetNs(new bool) (*rootlessCNI, error) {
 			}
 		}
 
+		// The CNI plugins need access to iptables in $PATH. As it turns out debian doesn't put
+		// /usr/sbin in $PATH for rootless users. This will break rootless cni completely.
+		// We might break existing users and we cannot expect everyone to change their $PATH so
+		// lets add /usr/sbin to $PATH ourselves.
+		path = os.Getenv("PATH")
+		if !strings.Contains(path, "/usr/sbin") {
+			path = path + ":/usr/sbin"
+			os.Setenv("PATH", path)
+		}
+
 		rootlessCNINS = &rootlessCNI{
 			ns:   ns,
 			dir:  cniDir,
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index 804dd46b1..cda054b15 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@@ -209,4 +209,19 @@ load helpers
     run_podman rm -f $cid
 }
 
+@test "podman rootless cni adds /usr/sbin to PATH" {
+    is_rootless || skip "only meaningful for rootless"
+
+    local mynetname=testnet-$(random_string 10)
+    run_podman network create $mynetname
+
+    # Test that rootless cni adds /usr/sbin to $PATH
+    # iptables is located under /usr/sbin and is needed for the CNI plugins.
+    # Debian doesn't add /usr/sbin to $PATH for rootless users so we have to add it.
+    PATH=/usr/local/bin:/usr/bin run_podman run --rm --network $mynetname $IMAGE ip addr
+    is "$output" ".*eth0.*" "Interface eth0 not found in ip addr output"
+
+    run_podman network rm -f $mynetname
+}
+
 # vim: filetype=sh
-- 
cgit v1.2.3-54-g00ecf