[BZ #2083997] pod: build pause image in custom user NS

Use the host UID and host GID mapping when building the local pause
image for a Pod with a custom mapping.  Otherwise, the mappings are off
and the build fails. Propagating the mapping to the build container is
not needed since the pause image ships merely a copied `catatonit` from
the host.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2083997
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>

pkg/specgen/generate/pause_image.go

@@ -80,6 +80,12 @@ ENTRYPOINT ["/catatonit", "-P"]`, catatonitPath)
 		Quiet:           true,
 		IgnoreFile:      "/dev/null", // makes sure to not read a local .ignorefile (see #13529)
 		IIDFile:         "/dev/null", // prevents Buildah from writing the ID on stdout
+		IDMappingOptions: &buildahDefine.IDMappingOptions{
+			// Use the host UID/GID mappings for the build to avoid issues when
+			// running with a custom mapping (BZ #2083997).
+			HostUIDMapping: true,
+			HostGIDMapping: true,
+		},
 	}
 	if _, _, err := rt.Build(context.Background(), buildOptions, tmpF.Name()); err != nil {
 		return "", err

test/system/170-run-userns.bats

@@ -36,6 +36,19 @@ function _require_crun() {
     is "$output" ".*457" "Check group leaked into container"
 }
 
+@test "rootful pod with custom ID mapping" {
+    skip_if_rootless "does not work rootless - rootful feature"
+    skip_if_remote "remote --uidmap is broken (see #14233)"
+    random_pod_name=$(random_string 30)
+    run_podman pod create --uidmap 0:200000:5000 --name=$random_pod_name
+    run_podman pod start $random_pod_name
+
+    # Remove the pod and the pause image
+    run_podman pod rm $random_pod_name
+    run_podman version --format "{{.Server.Version}}-{{.Server.Built}}"
+    run_podman rmi -f localhost/podman-pause:$output
+}
+
 @test "podman --remote --group-add keep-groups " {
     if is_remote; then
         run_podman 125 run --rm --group-add keep-groups $IMAGE id