From 192ad70e984b5a237a49dc505dac466ebd4f5ebe Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 17 May 2023 13:02:34 +0200 Subject: [PATCH] run: ignore PODMAN_USERNS with --pod the combination --pod and --userns is already blocked. Ignore the PODMAN_USERNS variable when a pod is used, since it would cause to create a new user namespace for the container. Ideally a container should be able to do that, but its user namespace must be a child of the pod user namespace, not a sibling. Since nested user namespaces are not allowed in the OCI runtime specs, disallow this case, since the end result is just confusing for the user. Closes: https://github.com/containers/podman/issues/18580 Signed-off-by: Giuseppe Scrivano --- docs/source/markdown/options/userns.container.md | 2 +- pkg/specgenutil/specgen.go | 6 +++--- test/e2e/run_userns_test.go | 5 +++++ 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/docs/source/markdown/options/userns.container.md b/docs/source/markdown/options/userns.container.md index 7c0c68f657..6c24f0aa69 100644 --- a/docs/source/markdown/options/userns.container.md +++ b/docs/source/markdown/options/userns.container.md @@ -4,7 +4,7 @@ ####> are applicable to all of those. #### **--userns**=*mode* -Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options. +Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable unless `--pod` is specified. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options. This option is incompatible with **--gidmap**, **--uidmap**, **--subuidname** and **--subgidname**. diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go index 903232e448..16c1b30810 100644 
--- a/pkg/specgenutil/specgen.go +++ b/pkg/specgenutil/specgen.go @@ -220,9 +220,9 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions) return err } } - userns := os.Getenv("PODMAN_USERNS") - if c.UserNS != "" { - userns = c.UserNS + userns := c.UserNS + if userns == "" && c.Pod == "" { + userns = os.Getenv("PODMAN_USERNS") } // userns must be treated differently if userns != "" { diff --git a/test/e2e/run_userns_test.go b/test/e2e/run_userns_test.go index 4f4aa80b92..3d744ae5d1 100644 --- a/test/e2e/run_userns_test.go +++ b/test/e2e/run_userns_test.go @@ -395,6 +395,11 @@ var _ = Describe("Podman UserNS support", func() { inspect.WaitWithDefaultTimeout() Expect(inspect.OutputToString()).To(Not(Equal(""))) + // --pod should work. + result = podmanTest.Podman([]string{"create", "--pod=new:new-pod", ALPINE, "true"}) + result.WaitWithDefaultTimeout() + Expect(result).Should(Exit(0)) + if IsRemote() { podmanTest.RestartRemoteService() }
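Review bot: The new `if userns == "" && c.Pod == ""` condition silently drops PODMAN_USERNS whenever a pod is given, so a user who exported PODMAN_USERNS=keep-id (or auto) as a hardening default gets a container without that isolation and no indication why — unlike an explicit `--userns` with `--pod`, which the commit message says is rejected (that check is not in this hunk). Because the variable is inherited from the environment and easy to forget, I would at least warn when it is being ignored: `} else if v := os.Getenv("PODMAN_USERNS"); userns == "" && v != "" {` / `logrus.Warnf("ignoring PODMAN_USERNS=%q: containers in a pod share the pod's user namespace", v)` / `}`, assuming a logger is already in scope in this file. A short comment above the block would also help the next reader, e.g. `// A container joining a pod must share the pod's user namespace; nested user namespaces are not allowed by the OCI runtime spec, so PODMAN_USERNS is not consulted here.` setNamespaces begins and ends outside this hunk.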
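Review bot: The added case only asserts that `create --pod=new:new-pod` exits 0; it does not check that the container shares the pod's user namespace instead of getting one from PODMAN_USERNS, which is the behaviour the commit changes. Whether PODMAN_USERNS is actually set when this runs comes from setup outside the hunk, so as written the assertion would presumably pass with or without the fix; inspecting the new container's user-namespace mode (e.g. `podman inspect --format '{{.HostConfig.UsernsMode}}'` and expecting an empty value) or comparing the user-namespace of the pod's infra container with the new container would pin it. The pod `new-pod` is also not removed within the hunk; if the suite's cleanup handles it that is fine, otherwise a later test reusing the name could collide. The enclosing test body starts and ends outside the hunk.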