From ce4afa2e63c2719954a5039b950f2c0d460a0377 Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Mon, 24 Jan 2022 19:47:28 +0100
Subject: [PATCH] remote build: set rootless oci isolation correctly

When we run rootless buildah needs to have IsolationOCIRootless set
otherwise it will run code which cannot be used as rootless user.
Podman should use the buildah default if possible and change it to
rootless mode if needed.

[NO NEW TESTS NEEDED] Should be covered by existing tests once we have
podman-remote rootless tests.

Fixes #12989

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 cmd/podman/images/build.go              |  6 -----
 pkg/api/handlers/compat/images_build.go | 30 ++++++++++++-------------
 2 files changed, 15 insertions(+), 21 deletions(-)

diff --git a/cmd/podman/images/build.go b/cmd/podman/images/build.go
index f975cd6d59..cde050d5e8 100644
--- a/cmd/podman/images/build.go
+++ b/cmd/podman/images/build.go
@@ -183,12 +183,6 @@ func buildFlags(cmd *cobra.Command) {
 	completion.CompleteCommandFlags(cmd, fromAndBudFlagsCompletions)
 	flags.SetNormalizeFunc(buildahCLI.AliasFlags)
 	if registry.IsRemote() {
-		flag = flags.Lookup("isolation")
-		buildOpts.Isolation = buildahDefine.OCI
-		if err := flag.Value.Set(buildahDefine.OCI); err != nil {
-			logrus.Errorf("Unable to set --isolation to %v: %v", buildahDefine.OCI, err)
-		}
-		flag.DefValue = buildahDefine.OCI
 		_ = flags.MarkHidden("disable-content-trust")
 		_ = flags.MarkHidden("cache-from")
 		_ = flags.MarkHidden("sign-by")
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go
index 707551eabc..cc96672023 100644
--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -22,6 +22,7 @@ import (
 	api "github.com/containers/podman/v4/pkg/api/types"
 	"github.com/containers/podman/v4/pkg/auth"
 	"github.com/containers/podman/v4/pkg/channel"
+	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/docker/docker/pkg/jsonmessage"
 	"github.com/gorilla/schema"
@@ -300,7 +301,17 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 	registry := query.Registry
 	isolation := buildah.IsolationDefault
 	if utils.IsLibpodRequest(r) {
-		isolation = parseLibPodIsolation(query.Isolation)
+		var err error
+		isolation, err = parseLibPodIsolation(query.Isolation)
+		if err != nil {
+			utils.Error(w, http.StatusInternalServerError, errors.Wrap(err, "failed to parse isolation"))
+			return
+		}
+
+		// make sure to force rootless as rootless otherwise buildah runs code which is intended to be run only as root.
+		if isolation == buildah.IsolationOCI && rootless.IsRootless() {
+			isolation = buildah.IsolationOCIRootless
+		}
 		registry = ""
 		format = query.OutputFormat
 	} else {
@@ -698,22 +709,11 @@ func parseNetworkConfigurationPolicy(network string) buildah.NetworkConfiguratio
 	}
 }
 
-func parseLibPodIsolation(isolation string) buildah.Isolation { // nolint
+func parseLibPodIsolation(isolation string) (buildah.Isolation, error) { // nolint
 	if val, err := strconv.Atoi(isolation); err == nil {
-		return buildah.Isolation(val)
-	}
-	switch isolation {
-	case "IsolationDefault", "default":
-		return buildah.IsolationDefault
-	case "IsolationOCI":
-		return buildah.IsolationOCI
-	case "IsolationChroot":
-		return buildah.IsolationChroot
-	case "IsolationOCIRootless":
-		return buildah.IsolationOCIRootless
-	default:
-		return buildah.IsolationDefault
+		return buildah.Isolation(val), nil
 	}
+	return parse.IsolationOption(isolation)
 }
 
 func extractTarFile(r *http.Request) (string, error) {