From 75906e2a3780a60ab11d2e7ff4732d908fcbfaf4 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Wed, 11 Oct 2023 17:23:30 -0400
Subject: [PATCH] install: Bail out if we detect we're running rootless

It's an easy mistake to make and the error message is less than obvious.

Signed-off-by: Colin Walters
---
 lib/src/containerenv.rs | 1 +
 lib/src/install.rs | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/lib/src/containerenv.rs b/lib/src/containerenv.rs
index a79583a2b..4b4956fab 100644
--- a/lib/src/containerenv.rs
+++ b/lib/src/containerenv.rs
@@ -16,6 +16,7 @@ pub(crate) struct ContainerExecutionInfo {
 pub(crate) id: String,
 pub(crate) image: String,
 pub(crate) imageid: String,
+ pub(crate) rootless: Option,
 }
 
 /// Load and parse the `/run/.containerenv` file.
diff --git a/lib/src/install.rs b/lib/src/install.rs
index 25363702d..3376ebe3e 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -785,6 +785,10 @@ async fn prepare_install(
 
 // This command currently *must* be run inside a privileged container.
 let container_info = crate::containerenv::get_container_execution_info(&rootfs)?;
+ if let Some("1") = container_info.rootless.as_deref() {
+ anyhow::bail!("Cannot install from rootless podman; this command must be run as root");
+ }
+
 let source = SourceInfo::from_container(&container_info)?;
 
 ensure_var()?;
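Review bot: The new `rootless` field on `ContainerExecutionInfo` (first hunk, lib/src/containerenv.rs) has no doc comment, and its encoding is only discoverable from the `Some("1")` comparison in `prepare_install`. A comment such as `/// Raw value of the rootless key from /run/.containerenv, if the runtime wrote one; "1" is treated as rootless.` would document the contract where the field is declared. Because the value stays a string, each future consumer has to repeat the literal comparison; a small accessor that returns a bool would keep that in one place. The struct starts outside the hunk, so how the field is populated is not visible here.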
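Review bot: The guard added in `prepare_install` (second hunk, lib/src/install.rs) fires only when the parsed `rootless` value is exactly `"1"`, so a missing key passes through silently, as presumably does a runtime that does not write that key. The value comes from `/run/.containerenv`, which is descriptive data supplied by the runtime rather than a privilege boundary, so the check should be marked as a usability aid, for example with `// Heuristic for a clearer error message only; privilege enforcement must not rely on this value.` above the `if`. The message text may also confuse users, since a process in a rootless container typically already sees itself as uid 0; wording like `"...; podman itself must be run as root"` would point at the actual fix. The function body continues outside the hunk, so whether a real capability or root check follows cannot be confirmed from here.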