From c45d51899a8190bd3797cdee71b74b912a634c71 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <vrothberg@redhat.com>
Date: Thu, 12 May 2022 13:38:08 +0200
Subject: [PATCH] [BZ #2083997] pod: build pause image in custom user NS

Use the host UID and host GID mapping when building the local pause
image for a Pod with a custom mapping.  Otherwise, the mappings are off
and the build fails. Propagating the mapping to the build container is
not needed since the pause image ships merely a copied `catatonit` from
the host.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2083997
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
---
 pkg/specgen/generate/pause_image.go |  6 ++++++
 test/system/170-run-userns.bats     | 13 +++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/pkg/specgen/generate/pause_image.go b/pkg/specgen/generate/pause_image.go
index 4aba230a3d..ddf35f2300 100644
--- a/pkg/specgen/generate/pause_image.go
+++ b/pkg/specgen/generate/pause_image.go
@@ -80,6 +80,12 @@ ENTRYPOINT ["/catatonit", "-P"]`, catatonitPath)
 		Quiet:           true,
 		IgnoreFile:      "/dev/null", // makes sure to not read a local .ignorefile (see #13529)
 		IIDFile:         "/dev/null", // prevents Buildah from writing the ID on stdout
+		IDMappingOptions: &buildahDefine.IDMappingOptions{
+			// Use the host UID/GID mappings for the build to avoid issues when
+			// running with a custom mapping (BZ #2083997).
+			HostUIDMapping: true,
+			HostGIDMapping: true,
+		},
 	}
 	if _, _, err := rt.Build(context.Background(), buildOptions, tmpF.Name()); err != nil {
 		return "", err
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
index d754306b2a..b803519020 100644
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@@ -36,6 +36,19 @@ function _require_crun() {
     is "$output" ".*457" "Check group leaked into container"
 }
 
+@test "rootful pod with custom ID mapping" {
+    skip_if_rootless "does not work rootless - rootful feature"
+    skip_if_remote "remote --uidmap is broken (see #14233)"
+    random_pod_name=$(random_string 30)
+    run_podman pod create --uidmap 0:200000:5000 --name=$random_pod_name
+    run_podman pod start $random_pod_name
+
+    # Remove the pod and the pause image
+    run_podman pod rm $random_pod_name
+    run_podman version --format "{{.Server.Version}}-{{.Server.Built}}"
+    run_podman rmi -f localhost/podman-pause:$output
+}
+
 @test "podman --remote --group-add keep-groups " {
     if is_remote; then
         run_podman 125 run --rm --group-add keep-groups $IMAGE id