Add support for pod inside of user namespace.

[umohnani8]

Add the --userns flag to podman pod create and keep
track of the userns setting that pod was created with
so that all containers created within the pod will inherit
that userns setting.

Specifically we need to be able to launch a pod with
--userns=keep-id

Signed-off-by: Daniel J Walsh [email protected]
Signed-off-by: Urvashi Mohnani [email protected]

[umohnani8]

@rhatdan @giuseppe PTAL
For now only keep-id and host are working. There are some issues with auto that I am looking into.

[rhatdan]

I applied this to the master branch and I am getting weird errors?

$. /bin/podman pod create --userns=keep-id --name dan1
ERRO[0000] Error freeing pod lock after failed creation: no such file or directory
Error: error adding Infra Container: please set User explicitly via WithUser() instead of in OCI spec directly: invalid argument

[umohnani8]

@rhatdan should be fixed now. I rebased before pushing it up and didn't realise the rebase broke it xD

[rhatdan]

Still looks like it does not work, and tests are not happy.

$ ./bin/podman pod create --userns=keep-id --name dan1
cb862419ce6a0b79b5876cbe32e2acad8cefb90d99ccfdd8864f828da5134f96
$ ./bin/podman run --pod dan1 fedora id
ERRO[0000] error starting some container dependencies   
ERRO[0000] "open /proc/sys/net/ipv4/ping_group_range: Permission denied: OCI permission denied" 
Error: error starting some containers: internal libpod error

[rhatdan]

Fixes: #7706

[umohnani8]

This is ready now. @rhatdan @mheon @giuseppe PTAL

[rhatdan]

Tests are not happy?

[rhatdan]

Code looks good and tests look great.

[umohnani8]

@giuseppe @rhatdan any idea why the userns tests are unhappy only on ubuntu-2010 - https://storage.googleapis.com/cirrus-ci-6707778565701632-fcae48/artifacts/containers/podman/4754045987454976/html/int-podman-ubuntu-2010-rootless-host.log.html#t--podman-pod-create-with---userns-auto--1

[rhatdan]

@vrothberg @umohnani8 Could this be a runc versus crun issue?

[vrothberg]

@vrothberg @umohnani8 Could this be a runc versus crun issue?

Probably but I had to read the code in detail. @giuseppe does the below error sound familiar to you?

podman [options] run --pod testPod0 quay.io/libpod/alpine:latest cat /proc/self/uid_map
Error: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "sysfs" to rootfs at "/sys" caused: mount through procfd: operation not permitted: OCI permission denied

[giuseppe]

how does the generated config.json file look like with the failing test?

[giuseppe]

I see it generates:

    "namespaces": [
      {
        "type": "pid"
      },
      {
        "type": "network",
        "path": "/proc/122177/ns/net"
      },
      {
        "type": "ipc",
        "path": "/proc/122177/ns/ipc"
      },
      {
        "type": "uts",
        "path": "/proc/122177/ns/uts"
      },
      {
        "type": "mount"
      },
      {
        "type": "cgroup"
      },
      {
        "type": "user"
      }
    ],

The user namespace should also have the path set to the infraContainer as for the network, ipc and uts namespaces.

[umohnani8]

Tests are finally passing now, can I please get some reviews here @rhatdan @mheon @giuseppe

[giuseppe]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, rhatdan, umohnani8

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [giuseppe,rhatdan,umohnani8]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhatdan]

/lgtm
Congratulations @umohnani8 I started working on this last November, and you finally pushed it over the finish line. Great work.
This was a very difficult problem.

[rlpowell]

Thank you so much!

As a Fedora user, how can I track when this will be available there? Without pulling down pre-release packages, I mean.

[rhatdan]

podman 3.4 or later, we missed the cut, I believe for podman 3.3.

[francoism90]

Has this been removed? I'm keep getting:

Error: --userns and --pod cannot be set together

podman version 4.4.4

[giuseppe]

Error: --userns and --pod cannot be set together

this is a different error. If you are joining an existing user namespace (with --pod), you cannot also create a new one with --userns

[francoism90]

@giuseppe Thanks for your reply and sorry for posting on the wrong PR.

If I understand correctly, and this to work, is to use idsmapping instead, right?

[giuseppe]

it depends, not sure what you'd like to get. What is the expectation you've from the command you've used?

Were you trying to create a new user namespace?

[rhatdan]

The container you are adding is going to join the pod's user namespace. We don't allow containers inside of the same pod to run with different user namespaces, because too much stuff will break in unexpected ways.

[francoism90]

@giuseppe @rhatdan I'm using podman-compose up, this uses the create command automatically it seems.

I want to access files from my host inside the container, using the same host user (id 1000).

[rhatdan]

If you are using podman-compose you should bring the issue up there.