From 2bf7feee4740df9a2ec41d8bd21dd04f7a0ff5f8 Mon Sep 17 00:00:00 2001
From: Karl Rister <krister@redhat.com>
Date: Thu, 7 May 2026 09:24:11 -0500
Subject: [PATCH 1/2] feat: replace dead exit codes with UNAVAILABLE markers

Replace 26 exit codes inherited from workshop.pl that are no longer
used in the Python implementation with sequentially numbered
UNAVAILABLE_N entries. Preserves numeric values to prevent reuse and
maintain stable exit code semantics.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 workshop.py | 52 ++++++++++++++++++++++++++--------------------------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/workshop.py b/workshop.py
index f8d4f4f..342ff29 100755
--- a/workshop.py
+++ b/workshop.py
@@ -125,7 +125,7 @@ def setup_logging(log_level_str):
     'success': 0,
     'no_userenv': 1,
     'config_set_cmd': 2,
-    'schema_not_found': 3,
+    'UNAVAILABLE_1': 3,
     'userenv_failed_validation': 4,
     'failed_opening_userenv': 5,
     'requirement_failed_validation': 6,
@@ -141,37 +141,37 @@ def setup_logging(log_level_str):
     'unsupported_package_manager': 16,
     'update_failed': 17,
     'update_cleanup': 18,
-    'container_mount': 19,
-    'virtual_fs_mount': 20,
-    'resolve.conf_backup': 21,
-    'resolv.conf_update': 22,
+    'UNAVAILABLE_2': 19,
+    'UNAVAILABLE_3': 20,
+    'UNAVAILABLE_4': 21,
+    'UNAVAILABLE_5': 22,
     'package_install': 23,
     'group_install': 24,
     'build_failed': 25,
-    'chdir_failed': 26,
+    'UNAVAILABLE_6': 26,
     'unpack_failed': 27,
     'unpack_dir_not_found': 28,
     'download_failed': 29,
     'command_run_failed': 30,
     'install_cleanup': 31,
-    'chroot_escape_1': 32,
-    'chroot_escape_2': 33,
-    'chroot_escape_3': 34,
-    'chroot_failed': 35,
-    'directory_reference': 36,
-    'local-copy_failed': 37,
-    'copy_dst_missing': 38,
+    'UNAVAILABLE_7': 32,
+    'UNAVAILABLE_8': 33,
+    'UNAVAILABLE_9': 34,
+    'UNAVAILABLE_10': 35,
+    'UNAVAILABLE_11': 36,
+    'UNAVAILABLE_12': 37,
+    'UNAVAILABLE_13': 38,
     'config_failed_validation': 39,
-    'copy_type': 40,
-    'virtual_fs_umount': 41,
-    'resolve.conf_remove': 42,
-    'resolve.conf_restore': 43,
-    'container_umount': 44,
+    'UNAVAILABLE_14': 40,
+    'UNAVAILABLE_15': 41,
+    'UNAVAILABLE_16': 42,
+    'UNAVAILABLE_17': 43,
+    'UNAVAILABLE_18': 44,
     'image_create': 45,
     'new_container_cleanup': 46,
     'config_annotate_fail': 47,
     'get_config_version': 48,
-    'ENTRY_AVAILABLE': 49,
+    'UNAVAILABLE_19': 49,
     'failed_opening_config': 50,
     'config_set_entrypoint': 51,
     'config_set_author': 52,
@@ -179,13 +179,13 @@ def setup_logging(log_level_str):
     'config_set_env': 54,
     'config_set_port': 55,
     'config_set_label': 56,
-    'schema_invalid_json': 57,
+    'UNAVAILABLE_20': 57,
     'userenv_invalid_json': 58,
     'requirement_invalid_json': 59,
     'config_invalid_json': 60,
-    'userenv_not_found': 61,
-    'requirement_not_found': 62,
-    'config_not_found': 63,
+    'UNAVAILABLE_21': 61,
+    'UNAVAILABLE_22': 62,
+    'UNAVAILABLE_23': 63,
     'requirement_missing': 64,
     'config_missing': 65,
     'cpanm_install_failed': 70,
@@ -203,9 +203,9 @@ def setup_logging(log_level_str):
     'registries_json_invalid_json': 100,
     'registries_json_missing': 101,
     'failed_opening_registries_json': 102,
-    'registries_json_unknown_loading_error': 103,
-    'userenv_unknown_loading_error': 104,
-    'config_unknown_load_error': 105,
+    'UNAVAILABLE_24': 103,
+    'UNAVAILABLE_25': 104,
+    'UNAVAILABLE_26': 105,
     'pull_token_not_found': 106,
     'set_default_user': 107,
 }

From d9ea6ff97e921a7dfcd4210294e1cf36833c9935 Mon Sep 17 00:00:00 2001
From: Karl Rister <krister@redhat.com>
Date: Thu, 7 May 2026 16:59:43 -0500
Subject: [PATCH 2/2] fix: add --security-opt label=disable to buildah from

Prevents SELinux MCS category mismatch when buildah runs inside a
podman container. Without this, the nested buildah container gets
different MCS labels than the outer container, blocking access to
/etc/resolv.conf and causing DNS resolution failures during image
builds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 workshop.pl | 2 +-
 workshop.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/workshop.pl b/workshop.pl
index 27360e2..b7d5e5b 100755
--- a/workshop.pl
+++ b/workshop.pl
@@ -1903,7 +1903,7 @@ sub update_container_pkgs {
 
 # create a new container based on the userenv source
 logger('info', "Creating temporary container...\n");
-($command, $command_output, $rc) = run_command("buildah from --name $tmp_container $origin_image_id");
+($command, $command_output, $rc) = run_command("buildah from --security-opt label=disable --name $tmp_container $origin_image_id");
 if ($rc != 0) {
     logger('info', "failed\n", 1);
     command_logger('error', $command, $rc, $command_output);
diff --git a/workshop.py b/workshop.py
index 342ff29..55f90d3 100755
--- a/workshop.py
+++ b/workshop.py
@@ -1148,7 +1148,7 @@ def cleanup_stale_containers(container_name):
 def create_container(container_name, origin_image_id):
     """Create a container from the origin image."""
     log(logging.INFO, "Creating temporary container...")
-    command, command_output, rc = run_command("buildah from --name %s %s" % (container_name, origin_image_id))
+    command, command_output, rc = run_command("buildah from --security-opt label=disable --name %s %s" % (container_name, origin_image_id))
     if rc != 0:
         log(logging.INFO, "failed", 1)
         command_log(logging.ERROR, command, rc, command_output)