From 430911d5c28b949653d1594a4e229a530d67ad4d Mon Sep 17 00:00:00 2001
From: Mike DePaulo
Date: Tue, 29 Aug 2023 15:07:27 -0400
Subject: [PATCH] Fix buildah/skopeo (for pulp_container) when pulp is run inside of a container based on RHEL8.8's podman 4.4 or later.

fixes: #540
---
 CHANGES/540.bugfix | 1 +
 images/Containerfile.core.base | 11 +++++++++--
 images/s6_assets/pulp_tests.sh | 5 ++++-
 images/s6_assets/test.sh | 5 +++++
 4 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 CHANGES/540.bugfix

diff --git a/CHANGES/540.bugfix b/CHANGES/540.bugfix
new file mode 100644
index 00000000..5159c084
--- /dev/null
+++ b/CHANGES/540.bugfix
@@ -0,0 +1 @@
+Fix buildah/skopeo (for pulp_container) when pulp is run inside of a container based on RHEL8.8's podman 4.4 or later.
diff --git a/images/Containerfile.core.base b/images/Containerfile.core.base
index 14967f3e..4c0c7a42 100644
--- a/images/Containerfile.core.base
+++ b/images/Containerfile.core.base
@@ -63,6 +63,7 @@ RUN dnf -y install python38 python38-cryptography python38-devel && \
 dnf -y install sudo && \
 dnf -y install zstd && \
 dnf -y install which && \
+ getcap /usr/bin/newuidmap | grep cap_setuid || dnf -y reinstall -y shadow-utils && \
 dnf clean all
 
 # Needed to prevent the wrong version of cryptography from being installed,
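Review bot: The capability check added to the RUN chain only inspects /usr/bin/newuidmap, but rootless user namespaces also depend on cap_setgid being present on /usr/bin/newgidmap, so a base layer that lost one file capability but not the other would pass the check and still fail at runtime; the reinstall also passes `-y` twice. Consider `{ getcap /usr/bin/newuidmap | grep -q cap_setuid && getcap /usr/bin/newgidmap | grep -q cap_setgid; } || dnf -y reinstall shadow-utils && \`, which keeps the same fallback when getcap itself is absent. Because the line reads as a workaround, a comment such as `# newuidmap/newgidmap need their file capabilities for rootless user namespaces; reinstall shadow-utils if the base layers lost them` above the RUN would help the next reader; the commit does not say why the capabilities go missing, so confirm the cause before wording it. The RUN instruction starts outside the hunk.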
@@ -79,11 +80,17 @@ RUN pip3 install --upgrade pip setuptools wheel && \
 requests\[use_chardet_on_py3] && \
 rm -rf /root/.cache/pip
 
-RUN sed 's|^#mount_program|mount_program|g' -i /etc/containers/storage.conf
 RUN groupadd -g 700 --system pulp
 RUN useradd -d /var/lib/pulp --system -u 700 -g pulp pulp
-RUN usermod --add-subuids 100000-165535 --add-subgids 100000-165535 pulp
+
+# Rootless podman inside rootless podman/docker
+# https://www.redhat.com/sysadmin/podman-inside-container
+RUN sed 's|^#mount_program|mount_program|g' -i /etc/containers/storage.conf
+RUN usermod --add-subuids 10000-65535 --add-subgids 10000-65535 pulp
+VOLUME /var/lib/containers
+RUN mkdir -p /var/lib/pulp/.local/share/containers && chown -R pulp:pulp /var/lib/pulp/.local
+VOLUME /var/lib/pulp/.local/share/containers
 
 RUN mkdir -p /database \
 /etc/nginx/pulp \
diff --git a/images/s6_assets/pulp_tests.sh b/images/s6_assets/pulp_tests.sh
index e6d7bd73..5975c8cb 100755
--- a/images/s6_assets/pulp_tests.sh
+++ b/images/s6_assets/pulp_tests.sh
@@ -52,5 +52,8 @@ podman exec -u pulp -i pulp bash -c "cat > /var/lib/pulp/scripts/sign_deb_releas
 podman exec -u pulp pulp chmod a+rx /var/lib/pulp/scripts/sign_deb_release.sh
 podman exec -u pulp pulp bash -c "pulpcore-manager add-signing-service --class deb:AptReleaseSigningService sign_deb_release /var/lib/pulp/scripts/sign_deb_release.sh 'Pulp QE'"
 
+# Test buildah for pulp_container's usage
+podman exec -u pulp pulp podman build https://github.com/openshift-examples/web.git
+
 echo "Run all CLI tests"
-make test
\ No newline at end of file
+make test
diff --git a/images/s6_assets/test.sh b/images/s6_assets/test.sh
index c9f96cd2..eeaa1d79 100755
--- a/images/s6_assets/test.sh
+++ b/images/s6_assets/test.sh
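Review bot: The usermod line shrinks the sub-ID range from 100000-165535 to 10000-65535 without a comment explaining the move, and the new range holds 55,536 IDs rather than 65,536; presumably the point is to keep the range inside the ID space a rootless outer container provides, but the consequence is that any file in a pulled or built image owned by a UID above 55536 (nobody/65534 is the common one) can no longer be mapped by the nested buildah/skopeo. Suggest stating the trade-off next to the usermod line, e.g. `# sub-IDs must fit inside the outer container's user namespace; UIDs/GIDs above 55536 in nested images will not map`. The sed that enables mount_program in storage.conf assumes fuse-overlayfs is installed in the image, which nothing in this hunk shows; worth confirming it is present or installing it in the same layer. The RUN pip3 instruction at the top of the hunk starts outside it.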
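Review bot: The new buildah smoke test in pulp_tests.sh builds an unpinned external git repository over the network, so its outcome depends on whatever that repository's default branch and its base image resolve to on the day the test runs, and it can fail or change behaviour independently of this image. Prefer pinning the build context to a specific commit of that repository or, better, a tiny Containerfile kept under images/s6_assets so the test exercises only the nested buildah path; tagging the result, e.g. `podman exec -u pulp pulp podman build -t pulp-buildah-smoke <pinned-context>`, also makes a failure easier to inspect afterwards. The header comment says buildah while the command runs `podman build`; a short note that podman build uses buildah underneath, which is what pulp_container relies on, would avoid confusion.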
@@ -10,6 +10,11 @@ cleanup() {
 }
 trap cleanup EXIT
 
+# "--security-opt unmask=none" needed on rhel8 for `podman run`, but we only
+# ever need to run buildah & skopeo (pulp_container does)
+# "--device /dev/net/tun" needed for `podman run`, but we only ever need to run
+# buildah & skopeo (pulp_container does)
+
 start_container_and_wait() {
 podman run --detach \
 --publish 8080:$port \
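Review bot: The new comment block sits above start_container_and_wait, separated from it by a blank line, and documents two podman run options that the function deliberately does not pass, so a reader scanning the podman run arguments themselves sees no trace of that decision. Moving it inside the function next to the podman run call and phrasing it as an explicit choice would be clearer, e.g. `# Deliberately not passing --security-opt unmask=none (rhel8) or --device /dev/net/tun: both are only needed for a nested podman run, and pulp_container only ever runs buildah and skopeo`. start_container_and_wait's body continues outside the hunk.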