Reputation: 27
I was able to run podman (rootless, no privileged) v4.2.0 in the VM:
[regular-user@localhost ~]$ podman run -u podman quay.io/podman/stable echo 'FROM busybox' > /tmp/Dockerfile && echo 'RUN echo hello' >> /tmp/Dockerfile && podman build -t test /tmp/.
STEP 1/2: FROM busybox
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 205dae5015e7 done
Copying config 66ba00ad3d done
Writing manifest to image destination
Storing signatures
STEP 2/2: RUN echo hello
hello
COMMIT test
--> 7a12054883b
Successfully tagged localhost/test:latest
7a12054883be2c956cbb243c6930bbe60d73cd78ce8a4c551682cbb1190079ca
How do I convert this to OpenShift 4.11? In OpenShift it's locked down to use user podman, and even if you patch the UID,
oc patch ns gitlab-dev -p '{"metadata": {"annotations": {"openshift.io/sa.scc.uid-range": "1001/10000"}}}'
oc patch ns gitlab-dev -p '{"metadata": {"annotations": {"openshift.io/sa.scc.supplemental-groups": "1001/10000"}}}'
it still doesn't work, with the error: can't mkdir /.local.
I can't find this anywhere on the net. All the solutions are only for Docker/Kubernetes, not OpenShift.
Upvotes: 0
Views: 892
Reputation: 139
This works: https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md
Check my GitLab pipeline here: https://gitlab.com/publicgroup16/jvm-openshift/-/pipelines
No privileged.
Upvotes: 1
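As an added example (not the linked tutorial's own manifest and not the poster's pipeline config), here is a Pod spec of the shape that tutorial describes: a rootless buildah build with no privileged flag. The namespace name is taken from the question; the service account buildah-sa, the SCC grant that lets it keep uid 1000, the quay.io/buildah/stable image and its build user with /home/build as home directory are assumptions, and the Containerfile content is constructed to match the build in the question.

```yaml
# Added example, not code from the page. Assumptions (not from the page): a
# service account "buildah-sa" in the question's namespace that has been granted
# an SCC allowing runAsUser 1000, for instance
#   oc adm policy add-scc-to-user anyuid -z buildah-sa -n gitlab-dev
# and the quay.io/buildah/stable image, whose "build" user (uid 1000) ships with
# subuid/subgid ranges and a home directory of /home/build.
apiVersion: v1
kind: Pod
metadata:
  name: buildah-rootless
  namespace: gitlab-dev
spec:
  serviceAccountName: buildah-sa
  restartPolicy: Never
  containers:
  - name: buildah
    image: quay.io/buildah/stable
    command: ["/bin/sh", "-c"]
    args:
      - |
        set -e
        # Constructed Containerfile, equivalent to the one built in the question.
        printf 'FROM busybox\nRUN echo hello\n' > /tmp/Containerfile
        buildah bud --isolation chroot -t test -f /tmp/Containerfile /tmp
        buildah images
    env:
    # HOME must point at a directory this uid can write. When a pod runs as an
    # arbitrary uid with no passwd entry, HOME falls back to "/", and the
    # storage path becomes /.local/share/containers, which is the
    # "can't mkdir /.local" failure seen in the question.
    - name: HOME
      value: /home/build
    # chroot isolation: RUN steps do not need to create their own mount namespace.
    - name: BUILDAH_ISOLATION
      value: chroot
    # vfs works without /dev/fuse; overlay in a rootless pod would need
    # fuse-overlayfs and the fuse device, which a non-privileged pod does not get.
    - name: STORAGE_DRIVER
      value: vfs
    securityContext:
      # The point of the exercise: no privileged flag.
      privileged: false
      runAsNonRoot: true
      runAsUser: 1000
      # newuidmap/newgidmap are setuid helpers that set up the user namespace
      # for the rootless build; they need these two capabilities in the
      # bounding set, which the restricted SCC drops by default.
      allowPrivilegeEscalation: true
      capabilities:
        add: ["SETUID", "SETGID"]
    volumeMounts:
    # Image and layer storage must be writable; keep it on a volume rather
    # than in the container's root filesystem.
    - name: container-storage
      mountPath: /home/build/.local/share/containers
  volumes:
  - name: container-storage
    emptyDir: {}
```

The check worth running after `oc apply` is which SCC admission actually matched the pod: `oc get pod buildah-rootless -n gitlab-dev -o jsonpath='{.metadata.annotations.openshift\.io/scc}'`. If it reports `restricted`, the uid has been overridden from the namespace range and the service account still lacks the SCC grant, which is why patching `openshift.io/sa.scc.uid-range` alone does not get past the HOME problem.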
Reputation: 27
I can't do it in pod.yaml, but I was able to do it in the GitLab runner where I need it; see the /ocp settings of custom-config-toml, there's no privilege there. The only problem I have right now is Helm: it's asking for a clusterrole, so I might just be using oc later on.
https://gitlab.com/publicgroup16/jvm-openshift/-/pipelines
Upvotes: 0