only try to enable loopback in hermetic mode

task/buildah-oci-ta/0.2/buildah-oci-ta.yaml

@@ -355,6 +355,7 @@ spec:
         if [ "${HERMETIC}" == "true" ]; then
           BUILDAH_ARGS+=("--pull=never")
           UNSHARE_ARGS+=("--net")
+
           for image in $BASE_IMAGES; do
             unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image
           done
@@ -467,7 +468,13 @@ spec:
             -f "$dockerfile_path" -t "$IMAGE" .
         )
         buildah_cmd=$(printf "%q " "${buildah_cmd_array[@]}")
-        command="ip link set lo up && $buildah_cmd"
+
+        if [ "${HERMETIC}" == "true" ]; then
+          # enabling loopback adapter enables Bazel builds to work in hermetic mode.
+          command="ip link set lo up && $buildah_cmd"
+        else
+          command="$buildah_cmd"
+        fi
 
         unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
 

task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml

@@ -389,6 +389,7 @@ spec:
       if [ "${HERMETIC}" == "true" ]; then
         BUILDAH_ARGS+=("--pull=never")
         UNSHARE_ARGS+=("--net")
+
         for image in $BASE_IMAGES; do
           unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image
         done
@@ -501,7 +502,13 @@ spec:
           -f "$dockerfile_path" -t "$IMAGE" .
       )
       buildah_cmd=$(printf "%q " "${buildah_cmd_array[@]}")
-      command="ip link set lo up && $buildah_cmd"
+
+      if [ "${HERMETIC}" == "true" ]; then
+        # enabling loopback adapter enables Bazel builds to work in hermetic mode.
+        command="ip link set lo up && $buildah_cmd"
+      else
+        command="$buildah_cmd"
+      fi
 
       unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
 

task/buildah-remote/0.2/buildah-remote.yaml

@@ -365,6 +365,7 @@ spec:
       if [ "${HERMETIC}" == "true" ]; then
         BUILDAH_ARGS+=("--pull=never")
         UNSHARE_ARGS+=("--net")
+
         for image in $BASE_IMAGES; do
           unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image
         done
@@ -477,7 +478,13 @@ spec:
           -f "$dockerfile_path" -t "$IMAGE" .
       )
       buildah_cmd=$(printf "%q " "${buildah_cmd_array[@]}")
-      command="ip link set lo up && $buildah_cmd"
+
+      if [ "${HERMETIC}" == "true" ]; then
+        # enabling loopback adapter enables Bazel builds to work in hermetic mode.
+        command="ip link set lo up && $buildah_cmd"
+      else
+        command="$buildah_cmd"
+      fi
 
       unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
 

task/buildah/0.2/buildah.yaml

@@ -286,6 +286,7 @@ spec:
       if [ "${HERMETIC}" == "true" ]; then
         BUILDAH_ARGS+=("--pull=never")
         UNSHARE_ARGS+=("--net")
+
         for image in $BASE_IMAGES; do
           unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image
         done
@@ -398,7 +399,13 @@ spec:
           -f "$dockerfile_path" -t "$IMAGE" .
       )
       buildah_cmd=$(printf "%q " "${buildah_cmd_array[@]}")
-      command="ip link set lo up && $buildah_cmd"
+
+      if [ "${HERMETIC}" == "true" ]; then
+        # enabling loopback adapter enables Bazel builds to work in hermetic mode.
+        command="ip link set lo up && $buildah_cmd"
+      else
+        command="$buildah_cmd"
+      fi
 
       unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"