add rootless support (#46)

* add rootless support when running as a non-root user, rpmoci will setup a user namespace in which to run
microsoft · Jun 5, 2024 · 7eeff4d · 7eeff4d
1 parent fddefe6
commit 7eeff4d
Show file tree

Hide file tree

Showing 9 changed files with 596 additions and 164 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -26,9 +26,10 @@ jobs:
     runs-on: ubuntu-22.04
     container:
       image: mcr.microsoft.com/cbl-mariner/base/core:2.0
+      options: --privileged
     steps:
       - name: Install dependencies
-        run: unset HOME; tdnf install -y build-essential git openssl-devel python3-devel sudo ca-certificates dnf moby-cli skopeo sqlite-devel
+        run: unset HOME; tdnf install -y build-essential git openssl-devel python3-devel sudo ca-certificates dnf moby-cli skopeo shadow-utils sqlite-devel
       - uses: actions/checkout@v2
       - uses: actions-rs/toolchain@v1
         with:
@@ -40,6 +41,15 @@ jobs:
           version: 1.1.0
       - name: Run cargo test
         run: cargo test --features test-docker
+      - name: Setup rootless user
+        run: |
+          useradd -m -s /bin/bash rootless
+          echo "rootless:100000:65536" > /etc/subgid
+          echo "rootless:100000:65536" > /etc/subuid
+      - name: Build in rootless mode
+        run: |
+          su - rootless
+          cargo run -- build -f tests/fixtures/rootless/rpmoci.toml --image rootless --tag test
 
   cargo-deny:
     runs-on: ubuntu-22.04
@@ -53,7 +63,7 @@ jobs:
       image: mcr.microsoft.com/cbl-mariner/base/core:2.0
     steps:
       - name: Install dependencies
-        run: unset HOME; tdnf install -y build-essential git openssl-devel python3-devel sudo ca-certificates dnf sqlite-devel
+        run: unset HOME; tdnf install -y build-essential git openssl-devel python3-devel sudo ca-certificates dnf sqlite-devel shadow-utils 
       - uses: actions/checkout@v2
       - uses: actions-rs/toolchain@v1
         with: