hashicorp · lgfa29 · Mar 20, 2023 · Feb 3, 2023 · Feb 7, 2023 · Mar 14, 2023
@@ -4,6 +4,7 @@ IMPROVEMENTS:
 
 * config: Add `extra_labels` option [[GH-215](https://github.com/hashicorp/nomad-driver-podman/pull/215)]
 * config: Allow setting `pids_limit` option. [[GH-203](https://github.com/hashicorp/nomad-driver-podman/pull/203)]
+* config: Allow setting `userns` option. [[GH-212](https://github.com/hashicorp/nomad-driver-podman/pull/212)]
 * runtime: Set mount propagation from TaskConfig [[GH-204](https://github.com/hashicorp/nomad-driver-podman/pull/204)]
 
 BUG FIXES:

@@ -482,6 +482,13 @@ config {
   }
 ```
 
+* **userns** - (Optional) Set the [user namespace mode](https://docs.podman.io/en/latest/markdown/podman-run.1.html#userns-mode) for the container.
+```hcl
+config {
+  userns = "keep-id:uid=200,gid=210"
+}
+```
+
 * **pids_limit** - (Optional) An integer value that specifies the pid limit for the container.
 ```hcl
 config {

@@ -246,6 +246,12 @@ type ContainerSecurityConfig struct {
 	// If unset, the container will be run as root.
 	// Optional.
 	User string `json:"user,omitempty"`
+	// UserNS is the container's user namespace.
+	// It defaults to host, indicating that no user namespace will be
+	// created.
+	// If set to private, IDMappings must be set.
+	// Mandatory.
+	UserNS Namespace `json:"userns,omitempty"`
 	// Groups are a list of supplemental groups the container's user will
 	// be granted access to.
 	// Optional.
@@ -292,12 +298,6 @@ type ContainerSecurityConfig struct {
 	// privileges flag on create, which disables gaining additional
 	// privileges (e.g. via setuid) in the container.
 	NoNewPrivileges bool `json:"no_new_privileges,omitempty"`
-	// UserNS is the container's user namespace.
-	// It defaults to host, indicating that no user namespace will be
-	// created.
-	// If set to private, IDMappings must be set.
-	// Mandatory.
-	// UserNS Namespace `json:"userns,omitempty"`
 
 	// IDMappings are UID and GID mappings that will be used by user
 	// namespaces.

@@ -91,6 +91,7 @@ var (
 		"volumes":            hclspec.NewAttr("volumes", "list(string)", false),
 		"force_pull":         hclspec.NewAttr("force_pull", "bool", false),
 		"readonly_rootfs":    hclspec.NewAttr("readonly_rootfs", "bool", false),
+		"userns":             hclspec.NewAttr("userns", "string", false),
 	})
 )
 
@@ -164,4 +165,5 @@ type TaskConfig struct {
 	ForcePull         bool               `codec:"force_pull"`
 	Privileged        bool               `codec:"privileged"`
 	ReadOnlyRootfs    bool               `codec:"readonly_rootfs"`
+	UserNS            string             `codec:"userns"`
 }
@@ -566,6 +566,18 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 	createOpts.ContainerSecurityConfig.ReadOnlyFilesystem = driverConfig.ReadOnlyRootfs
 	createOpts.ContainerSecurityConfig.ApparmorProfile = driverConfig.ApparmorProfile
 
+	// Populate --userns mode only if configured
+	if driverConfig.UserNS != "" {
+		userns := strings.SplitN(driverConfig.UserNS, ":", 2)
+		mode := api.NamespaceMode(userns[0])
+		// Populate value only if specified
+		if len(userns) > 1 {
+			createOpts.ContainerSecurityConfig.UserNS = api.Namespace{NSMode: mode, Value: userns[1]}
+		} else {
+			createOpts.ContainerSecurityConfig.UserNS = api.Namespace{NSMode: mode}
+		}
+	}
+
 	// Network config options
 	if cfg.DNS != nil {
 		for _, strdns := range cfg.DNS.Servers {

@@ -1566,6 +1566,30 @@ func TestPodmanDriver_ReadOnlyFilesystem(t *testing.T) {
 	require.True(t, inspectData.HostConfig.ReadonlyRootfs)
 }
 
+// check userns mode configuration (single value)
+func TestPodmanDriver_UsernsMode(t *testing.T) {
+	// TODO: run test once CI can use rootless Podman.
+	t.Skip("Test suite requires rootful Podman")
+
+	taskCfg := newTaskConfig("", busyboxLongRunningCmd)
+	taskCfg.UserNS = "host"
+	inspectData := startDestroyInspect(t, taskCfg, "userns")
+
+	require.Equal(t, "host", inspectData.HostConfig.UsernsMode)
+}
+
+// check userns mode configuration (parsed value)
+func TestPodmanDriver_UsernsModeParsed(t *testing.T) {
+	// TODO: run test once CI can use rootless Podman.
+	t.Skip("Test suite requires rootful Podman")
+
+	taskCfg := newTaskConfig("", busyboxLongRunningCmd)
+	taskCfg.UserNS = "keep-id:uid=200,gid=210"
+	inspectData := startDestroyInspect(t, taskCfg, "userns")
+
+	require.Equal(t, "keep-id:uid=200,gid=210", inspectData.HostConfig.UsernsMode)
+}
+
 // check dns server configuration
 func TestPodmanDriver_Dns(t *testing.T) {
 	if !tu.IsCI() {