container_run_and_extract does not work with Podman

[nyoxi]

🐞 bug report

Affected Rule

The issue is caused by the rule: container_run_and_extract when run with Podman.

Is this a regression?

I don't have prior experience and I cannot answer this.

Description

When Podman is used instead of Docker to run containers together with linux-sandbox in Bazel, the execution of container_run_and_extract command fails with errors because of read-only mounts. E.g.:

time="2023-04-27T05:31:22-04:00" level=error msg="set sticky bit on: chmod /run/user/1000/libpod: read-only file system"

When I try to workaround it by adding several --sandbox_writable_path arguments the build further fails with:

time="2023-04-27T05:57:26-04:00" level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
time="2023-04-27T05:57:26-04:00" level=error msg="running `/usr/bin/newuidmap 21 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
time="2023-04-27T05:57:26-04:00" level=error msg="invalid internal status, try resetting the pause process with \"/usr/bin/podman system migrate\": cannot set up namespace using \"/usr/bin/newuidmap\": exit status 1"

I am running it as a non-root user if that is relevant.

🔬 Minimal Reproduction

container_run_and_extract(
    name = "test",
    commands = [
        "echo test > /test",
    ],
    extract_file = "/test",
    image = "@centos9//image",
)

🔥 Exception or Error

See the description above.

🌍 Your Environment

Operating System:

  
CentOS Stream 9
  

Output of bazel version:

  
5.4.0
  

Rules_docker version:

  
0.25.0
  

Anything else relevant?

[nyoxi]

I forgot to mention that a workaround is to use different sandboxing and with --spawn_strategy=processwrapper-sandbox it works ok. Obviously with all the security implication of it.