From 38adce6ea9455709830ea158a6e5deb663843768 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Mon, 27 Jun 2022 19:16:02 +0200
Subject: [PATCH] fix: Improve rootless podman config

---
 Dockerfile | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 903a5c7..704eff8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,8 @@
 ARG BASE="4.11.2-4-alpine-jdk17-preview"
 FROM jenkins/inbound-agent:${BASE}
 
+ARG USER=jenkins
+
 USER root
 RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
     && apk upgrade -U --available --no-cache \
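Review bot: `ARG USER=jenkins` reads as a build-time knob, but no step in the diff creates an account, so the value has to equal the unprivileged user the `jenkins/inbound-agent` base image already ships; a different value would leave the later `chown $USER:$USER` and `/etc/subuid` entries pointing at a name that does not exist in the image. I'd record that next to the declaration: `# Must match the non-root account provided by the base image; this Dockerfile does not add users, so overriding it needs an adduser step too.` The ENV lines at the end of the file also still hard-code `/home/jenkins` for the Trivy template, so the parameter is only half applied.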
@@ -9,38 +11,40 @@ RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/reposit tini \ make \ yq \ + strace \ fuse-overlayfs \ podman \ buildah \ aws-cli \ trivy -# Podman tweaks -ADD conf/containers.conf conf/registries.conf conf/storage.conf /etc/containers/ - # Trivy html template ADD --chown=jenkins:jenkins html.tpl /home/jenkins # Rootless podman -ADD --chown=jenkins:jenkins conf/podman-containers.conf /home/jenkins/.config/containers/containers.conf +RUN mkdir -p /home/$USER/.local/share/containers && \ + chown $USER:$USER -R /home/$USER -RUN mkdir -p /tmp/podman-run-1000 /var/lib/shared/overlay-images /var/lib/shared/overlay-layers \ +ADD conf/containers.conf conf/registries.conf conf/storage.conf /etc/containers/ +ADD --chown=$USER:$USER conf/podman-containers.conf /home/$USER/.config/containers/containers.conf + +RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers \ /var/lib/shared/vfs-images /var/lib/shared/vfs-layers && \ touch /var/lib/shared/overlay-images/images.lock /var/lib/shared/overlay-layers/layers.lock \ /var/lib/shared/vfs-images/images.lock /var/lib/shared/vfs-layers/layers.lock && \ - chown jenkins:jenkins /tmp/podman-run-1000 && chmod 700 /tmp/podman-run-1000 + mkdir /tmp/podman-run-1000 && chown $USER:$USER /tmp/podman-run-1000 && chmod 700 /tmp/podman-run-1000 && \ + echo -e "$USER:1:999\n$USER:1001:64535" > /etc/subuid && \ + echo -e "$USER:1:999\n$USER:1001:64535" > /etc/subgid + #setcap cap_setuid=ep /usr/bin/newuidmap && \ + #setcap cap_setgid=ep /usr/bin/newgidmap && \ +RUN mkdir /workspace && \ + cd /usr/bin && ln -s podman docker # Patch jenkins-agent to launch podman service RUN sed -i -e 's/exec \$JAVA_BIN/podman system service -t0\&\n exec \$JAVA_BIN/' /usr/local/bin/jenkins-agent -# Make docker in Jenkinsfiles work -RUN ln -s /usr/bin/podman /usr/bin/docker - -# Rootless podman -RUN echo jenkins:100000:65536 > /etc/subuid \ - && echo jenkins:100000:65536 > /etc/subgid - ENV 
XDG_RUNTIME_DIR=/tmp/podman-run-1000 +ENV _CONTAINERS_USERNS_CONFIGURED="" ENV BUILDAH_ISOLATION=chroot ENV TRIVY_TEMPLATE="@/home/jenkins/html.tpl"
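Review bot: The new `/etc/subuid`/`/etc/subgid` lines give the `$USER` account the subordinate ranges `1:999` and `1001:64535`, which means a rootless user namespace it creates can map the agent image's own system UIDs/GIDs 1–999 and write files owned by them; the `100000:65536` range being removed had no such overlap. If the motivation is that the agent container only has 65536 IDs available, the `1:999` chunk can still be dropped — `echo "$USER:1001:64535" > /etc/subuid` and the same for `/etc/subgid` keeps rootless podman working with a mapping that excludes the container's system accounts. The two commented-out `setcap` lines silently rely on the installed package to ship a setuid or file-capability `newuidmap`/`newgidmap`; either delete them or turn them into a comment that states the dependency, e.g. `# newuidmap/newgidmap must be setuid or carry cap_setuid/cap_setgid for rootless podman to map IDs; verify the installed package provides that`. Note also that `USER root` is still the active user at the last visible line and the hunk's trailing context may continue past the end of this page, so confirm the file switches back to `USER $USER` before the agent entrypoint runs.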