run,build: conflict --isolation=chroot and --network

Conflict --isolation=chroot and --network, since internally --chroot
will always configure network ns equivalent to host.

Closes: https://github.com/containers/buildah/issues/4255

Signed-off-by: Aditya R <arajan@redhat.com>

cmd/buildah/run.go

@@ -12,6 +12,7 @@ import (
 	"github.com/containers/buildah/pkg/parse"
 	"github.com/containers/buildah/util"
 	"github.com/containers/storage/pkg/lockfile"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
@@ -127,6 +128,15 @@ func runCmd(c *cobra.Command, args []string, iopts runInputOptions) error {
 	if err != nil {
 		return err
 	}
+	if c.Flag("network").Changed && c.Flag("isolation").Changed {
+		if isolation == buildah.IsolationChroot {
+			if ns := namespaceOptions.Find(string(specs.NetworkNamespace)); ns != nil {
+				if !ns.Host {
+					return fmt.Errorf("cannot set --network other than host with --isolation %s", c.Flag("isolation").Value.String())
+				}
+			}
+		}
+	}
 
 	options := buildah.RunOptions{
 		Hostname:         iopts.hostname,

pkg/cli/build.go

@@ -21,6 +21,7 @@ import (
 	"github.com/containers/common/pkg/auth"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/types"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
@@ -343,6 +344,16 @@ func GenBuildOptions(c *cobra.Command, inputArgs []string, iopts BuildOptions) (
 	// Following log line is used in integration test.
 	logrus.Debugf("Setting MaxPullPushRetries to %d and PullPushRetryDelay to %v", iopts.Retry, pullPushRetryDelay)
 
+	if c.Flag("network").Changed && c.Flag("isolation").Changed {
+		if isolation == define.IsolationChroot {
+			if ns := namespaceOptions.Find(string(specs.NetworkNamespace)); ns != nil {
+				if !ns.Host {
+					return options, nil, nil, fmt.Errorf("cannot set --network other than host with --isolation %s", c.Flag("isolation").Value.String())
+				}
+			}
+		}
+	}
+
 	options = define.BuildOptions{
 		AddCapabilities:         iopts.CapAdd,
 		AdditionalBuildContexts: additionalBuildContext,

tests/bud.bats

@@ -25,6 +25,17 @@ load helpers
   expect_output --substring "options use-vc"
 }
 
+@test "build-conflicting-isolation-chroot-and-network" {
+  _prefetch alpine
+  cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
+FROM alpine
+RUN ping -c 1 4.2.2.2
+_EOF
+
+  run_buildah 125 build --network=none --isolation=chroot $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
+  expect_output --substring "cannot set --network other than host with --isolation chroot"
+}
+
 @test "bud with .dockerignore #1" {
   _prefetch alpine busybox
   run_buildah 125 build -t testbud $WITH_POLICY_JSON -f $BUDFILES/dockerignore/Dockerfile $BUDFILES/dockerignore

tests/run.bats

@@ -728,16 +728,21 @@ $output"
 
 	run_buildah from --quiet --pull=false $WITH_POLICY_JSON alpine
 	cid=$output
-	run_buildah run --isolation=chroot --network=none $cid sh -c 'echo "nameserver 110.110.0.110" >> /etc/resolv.conf; cat /etc/resolv.conf'
-	expect_output "nameserver 110.110.0.110"
-	if ! is_rootless; then
-		run_buildah mount $cid
-		assert "$output" != ""
-		assert "$(< $output/etc/resolv.conf)" =~ "^nameserver 110.110.0.110" "Nameserver is set in the image resolv.conf file"
-	fi
+	run_buildah 125 run --isolation=chroot --network=none $cid sh -c 'echo "nameserver 110.110.0.110" >> /etc/resolv.conf; cat /etc/resolv.conf'
+        expect_output --substring "cannot set --network other than host with --isolation chroot"
 	run_buildah rm -a
 }
 
+@test "run --network=none and --isolation chroot must conflict" {
+	skip_if_no_runtime
+
+	run_buildah from --quiet --pull=false $WITH_POLICY_JSON alpine
+	cid=$output
+	# should fail by default
+	run_buildah 125 run --isolation=chroot --network=none $cid wget google.com
+        expect_output --substring "cannot set --network other than host with --isolation chroot"
+}
+
 @test "run --network should override build --network" {
 	skip_if_no_runtime