run: ignore PODMAN_USERNS with --pod

the combination --pod and --userns is already blocked. Ignore the PODMAN_USERNS variable when a pod is used, since it would cause to create a new user namespace for the container. Ideally a container should be able to do that, but its user namespace must be a child of the pod user namespace, not a sibling. Since nested user namespaces are not allowed in the OCI runtime specs, disallow this case, since the end result is just confusing for the user. Closes: containers#18580 Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe · May 17, 2023 · 192ad70 · 192ad70
1 parent a120184
commit 192ad70
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/docs/source/markdown/options/userns.container.md b/docs/source/markdown/options/userns.container.md
@@ -4,7 +4,7 @@
 ####> are applicable to all of those.
 #### **--userns**=*mode*
 
-Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options.
+Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable unless `--pod` is specified. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options.
 
 This option is incompatible with **--gidmap**, **--uidmap**, **--subuidname** and **--subgidname**.
 

diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
@@ -220,9 +220,9 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
 			return err
 		}
 	}
-	userns := os.Getenv("PODMAN_USERNS")
-	if c.UserNS != "" {
-		userns = c.UserNS
+	userns := c.UserNS
+	if userns == "" && c.Pod == "" {
+		userns = os.Getenv("PODMAN_USERNS")
 	}
 	// userns must be treated differently
 	if userns != "" {

diff --git a/test/e2e/run_userns_test.go b/test/e2e/run_userns_test.go
@@ -395,6 +395,11 @@ var _ = Describe("Podman UserNS support", func() {
 		inspect.WaitWithDefaultTimeout()
 		Expect(inspect.OutputToString()).To(Not(Equal("<nil>")))
 
+		// --pod should work.
+		result = podmanTest.Podman([]string{"create", "--pod=new:new-pod", ALPINE, "true"})
+		result.WaitWithDefaultTimeout()
+		Expect(result).Should(Exit(0))
+
 		if IsRemote() {
 			podmanTest.RestartRemoteService()
 		}