From 2f149509c2fee497ac3d02aaa12e920b8e18cecb Mon Sep 17 00:00:00 2001 From: Florian Bezdeka Date: Wed, 8 Jun 2022 14:44:17 +0200 Subject: [PATCH] kas-container: Add support for podman >= 4.1 Starting with podman 4.1 the --userns=keep-id flag is no longer ignored for privileged containers leading to an error when trying to start up such a container (in our case: for ISAR builds): Error: keep-id is only supported in rootless mode To address that we have to move the --userns=keep-id part to a non-ISAR specific path. Reported-by: Wadim Klincov Signed-off-by: Florian Bezdeka Signed-off-by: Jan Kiszka
---
 kas-container | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/kas-container b/kas-container
index cfa87c8..9654c9f 100755
--- a/kas-container
+++ b/kas-container
@@ -102,6 +102,14 @@ enable_isar_mode() {
 fi
 }
+enable_oe_mode() {
+ if [ "${KAS_CONTAINER_ENGINE}" = "podman" ]; then
+ # The container entry point expects that the current userid
+ # calling "podman run" has a 1:1 mapping
+ KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} --userns=keep-id"
+ fi
+}
+
 run_clean() {
 if [ -n "${KAS_ISAR_ARGS}" ]; then
 set_container_image_var
@@ -163,7 +171,7 @@ docker)
 ;;
 podman)
 KAS_CONTAINER_COMMAND="podman"
- KAS_RUNTIME_ARGS="--userns=keep-id --security-opt label=disable"
+ KAS_RUNTIME_ARGS="--security-opt label=disable"
 ;;
 *)
 echo "$0: unknown container engine '${KAS_CONTAINER_ENGINE}'" >&2
@@ -359,6 +367,8 @@ fi
 if [ "${BUILD_SYSTEM}" = "isar" ]; then
 enable_isar_mode
+else
+ enable_oe_mode
 fi
 set_container_image_var
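Review bot: `enable_oe_mode` adds `--userns=keep-id` to every non-ISAR podman run without checking that podman is actually rootless, although the error quoted in the commit message says keep-id is only supported in rootless mode. A non-ISAR build started as root would presumably fail the same way. Consider guarding on the caller's uid, e.g. `if [ "${KAS_CONTAINER_ENGINE}" = "podman" ] && [ "$(id -u)" -ne 0 ]; then`. The comment could also record that the ISAR path is left out because it runs privileged.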
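Review bot: `--security-opt label=disable` is now the only default podman runtime argument in the `podman)` branch and carries no comment, although it switches off SELinux label separation for every container this script starts. A short comment above the assignment would help, e.g. `# label=disable turns off SELinux confinement of the container; presumably needed to reach the bind-mounted work directories (confirm)`. Recording the reason lets the option be revisited later instead of carried along by default. The `case` statement starts and ends outside the hunk.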
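Review bot: The new `else` branch can put `--userns=keep-id` back onto an ISAR run, because it calls `enable_oe_mode` whenever `BUILD_SYSTEM` is not exactly `isar`, including when it is empty. If ISAR mode can also be switched on elsewhere in the script (not visible in this hunk), the privileged podman container would then fail with the error from the commit message. `run_clean` in the first hunk's context already tests `${KAS_ISAR_ARGS}`; if that variable marks ISAR mode, the same test would work here: `elif [ -z "${KAS_ISAR_ARGS}" ]; then`.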