Pass --userns=keep-id to podman only when in rootless mode

Fixes: quarkusio#31334 (cherry picked from commit 2bace22)
gsmet · Feb 28, 2023 · 0a081b7 · 0a081b7
1 parent 447939f
commit 0a081b7
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 11 deletions.
diff --git a/...t/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildLocalContainerRunner.java b/...t/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildLocalContainerRunner.java
@@ -31,7 +31,8 @@ public NativeImageBuildLocalContainerRunner(NativeConfig nativeConfig, Path outp
                 String gid = getLinuxID("-gr");
                 if (uid != null && gid != null && !uid.isEmpty() && !gid.isEmpty()) {
                     Collections.addAll(containerRuntimeArgs, "--user", uid + ":" + gid);
-                    if (containerRuntime == ContainerRuntimeUtil.ContainerRuntime.PODMAN) {
+                    if (containerRuntime == ContainerRuntimeUtil.ContainerRuntime.PODMAN
+                            && containerRuntime.isRootless()) {
                         // Needed to avoid AccessDeniedExceptions
                         containerRuntimeArgs.add("--userns=keep-id");
                     }

diff --git a/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/UpxCompressionBuildStep.java b/core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/UpxCompressionBuildStep.java
@@ -124,7 +124,8 @@ private boolean runUpxInContainer(NativeImageBuildItem nativeImage, NativeConfig
             String gid = getLinuxID("-gr");
             if (uid != null && gid != null && !uid.isEmpty() && !gid.isEmpty()) {
                 Collections.addAll(commandLine, "--user", uid + ":" + gid);
-                if (containerRuntime == ContainerRuntimeUtil.ContainerRuntime.PODMAN) {
+                if (containerRuntime == ContainerRuntimeUtil.ContainerRuntime.PODMAN
+                        && containerRuntime.isRootless()) {
                     // Needed to avoid AccessDeniedExceptions
                     commandLine.add("--userns=keep-id");
                 }

diff --git a/core/runtime/src/main/java/io/quarkus/runtime/util/ContainerRuntimeUtil.java b/core/runtime/src/main/java/io/quarkus/runtime/util/ContainerRuntimeUtil.java
@@ -2,6 +2,7 @@
 
 import java.io.BufferedReader;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.util.function.Predicate;
@@ -68,16 +69,24 @@ private static boolean getRootlessStateFor(ContainerRuntime containerRuntime) {
             ProcessBuilder pb = new ProcessBuilder(containerRuntime.getExecutableName(), "info")
                     .redirectErrorStream(true);
             rootlessProcess = pb.start();
-            rootlessProcess.waitFor();
-            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(rootlessProcess.getInputStream()));
-            Predicate<String> stringPredicate;
-            // Docker includes just "rootless" under SecurityOptions, while podman includes "rootless: <boolean>"
-            if (containerRuntime == ContainerRuntime.DOCKER) {
-                stringPredicate = line -> line.trim().equals("rootless");
-            } else {
-                stringPredicate = line -> line.trim().equals("rootless: true");
+            int exitCode = rootlessProcess.waitFor();
+            if (exitCode != 0) {
+                log.warnf("Command \"%s\" exited with error code %d. " +
+                        "Rootless container runtime detection might not be reliable.",
+                        containerRuntime.getExecutableName(), exitCode);
+            }
+            try (InputStream inputStream = rootlessProcess.getInputStream();
+                    InputStreamReader inputStreamReader = new InputStreamReader(inputStream);
+                    BufferedReader bufferedReader = new BufferedReader(inputStreamReader)) {
+                Predicate<String> stringPredicate;
+                // Docker includes just "rootless" under SecurityOptions, while podman includes "rootless: <boolean>"
+                if (containerRuntime == ContainerRuntime.DOCKER) {
+                    stringPredicate = line -> line.trim().equals("rootless");
+                } else {
+                    stringPredicate = line -> line.trim().equals("rootless: true");
+                }
+                return bufferedReader.lines().anyMatch(stringPredicate);
             }
-            return bufferedReader.lines().anyMatch(stringPredicate);
         } catch (IOException | InterruptedException e) {
             // If an exception is thrown in the process, assume we are not running rootless (default docker installation)
             log.debugf(e, "Failure to read info output from %s", containerRuntime.getExecutableName());