Fix nested containers

fixes: #540

CHANGES/540.bugfix

@@ -0,0 +1 @@
+Fix nested containers failing to start

images/Containerfile.core.base

@@ -63,6 +63,7 @@ RUN dnf -y install python38 python38-cryptography python38-devel && \
     dnf -y install sudo && \
     dnf -y install zstd && \
     dnf -y install which && \
+    getcap /usr/bin/newuidmap  | grep cap_setuid || dnf -y reinstall -y shadow-utils && \
     dnf clean all
 
 # Needed to prevent the wrong version of cryptography from being installed,
@@ -79,11 +80,17 @@ RUN pip3 install --upgrade pip setuptools wheel && \
          requests\[use_chardet_on_py3] && \
          rm -rf /root/.cache/pip
 
-RUN sed 's|^#mount_program|mount_program|g' -i /etc/containers/storage.conf
 
 RUN groupadd -g 700 --system pulp
 RUN useradd -d /var/lib/pulp --system -u 700 -g pulp pulp
-RUN usermod --add-subuids 100000-165535 --add-subgids 100000-165535 pulp
+
+# Rootless podman inside rootless podman/docker
+# https://www.redhat.com/sysadmin/podman-inside-container
+RUN sed 's|^#mount_program|mount_program|g' -i /etc/containers/storage.conf
+RUN usermod --add-subuids 10000-65535 --add-subgids 10000-65535 pulp
+VOLUME /var/lib/containers
+RUN mkdir -p /var/lib/pulp/.local/share/containers && chown -R pulp:pulp /var/lib/pulp/.local
+VOLUME /var/lib/pulp/.local/share/containers
 
 RUN mkdir -p /database \
              /etc/nginx/pulp \

images/s6_assets/pulp_tests.sh

@@ -51,6 +51,8 @@ echo "Setup deb release signing service"
 podman exec -u pulp -i pulp bash -c "cat > /var/lib/pulp/scripts/sign_deb_release.sh" < "${PWD}/tests/assets/sign_deb_release.sh"
 podman exec -u pulp pulp chmod a+rx /var/lib/pulp/scripts/sign_deb_release.sh
 podman exec -u pulp pulp bash -c "pulpcore-manager add-signing-service --class deb:AptReleaseSigningService sign_deb_release /var/lib/pulp/scripts/sign_deb_release.sh 'Pulp QE'"
+podman exec -u pulp pulp getcap /usr/bin/newuidmap
+podman exec -u pulp pulp podman run quay.io/redhattraining/hello-world-nginx
 
 echo "Run all CLI tests"
-make test
+make test

images/s6_assets/test.sh

@@ -10,6 +10,7 @@ cleanup() {
 }
 trap cleanup EXIT
 
+# "--security-opt unmask=none" needed on rhel8 but not on quay.io/podman/stable
 start_container_and_wait() {
   podman run --detach \
              --publish 8080:$port \
@@ -19,6 +20,8 @@ start_container_and_wait() {
              --volume "$(pwd)/pgsql":/var/lib/pgsql:Z \
              --volume "$(pwd)/containers":/var/lib/containers:Z \
              --device /dev/fuse \
+             --device /dev/net/tun \
+             --security-opt unmask=none \
              -e PULP_DEFAULT_ADMIN_PASSWORD=password \
              -e PULP_HTTPS=${pulp_https} \
              "$1"