run: ignore PODMAN_USERNS with --pod

the combination --pod and --userns is already blocked. Ignore the PODMAN_USERNS variable when a pod is used, since it would cause to create a new user namespace for the container. Ideally a container should be able to do that, but its user namespace must be a child of the pod user namespace, not a sibling. Since nested user namespaces are not allowed in the OCI runtime specs, disallow this case, since the end result is just confusing for the user. Closes: https://github.com/containers/podman/issues/18580 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-05-17 13:02:34 +02:00 · 2023-05-17 13:02:34 +02:00 · 192ad70e98
parent a1201843fd
commit 192ad70e98
3 changed files with 9 additions and 4 deletions
--- a/docs/source/markdown/options/userns.container.md
+++ b/docs/source/markdown/options/userns.container.md
@ -4,7 +4,7 @@
 ####> are applicable to all of those.
 #### **--userns**=*mode*

-Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options.
+Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable unless `--pod` is specified. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options.

 This option is incompatible with **--gidmap**, **--uidmap**, **--subuidname** and **--subgidname**.

--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@ -220,9 +220,9 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
 			return err
 		}
 	}
-	userns := os.Getenv("PODMAN_USERNS")
-	if c.UserNS != "" {
-		userns = c.UserNS
+	userns := c.UserNS
+	if userns == "" && c.Pod == "" {
+		userns = os.Getenv("PODMAN_USERNS")
 	}
 	// userns must be treated differently
 	if userns != "" {
--- a/test/e2e/run_userns_test.go
+++ b/test/e2e/run_userns_test.go
@ -395,6 +395,11 @@ var _ = Describe("Podman UserNS support", func() {
 		inspect.WaitWithDefaultTimeout()
 		Expect(inspect.OutputToString()).To(Not(Equal("<nil>")))

+		// --pod should work.
+		result = podmanTest.Podman([]string{"create", "--pod=new:new-pod", ALPINE, "true"})
+		result.WaitWithDefaultTimeout()
+		Expect(result).Should(Exit(0))
+
 		if IsRemote() {
 			podmanTest.RestartRemoteService()
 		}