--userns=keep-id,nomap are not allowed in rootful mode

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

docs/source/markdown/podman-create.1.md

@@ -1261,9 +1261,9 @@ Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinat
 
 **host**: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default).
 
-**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user.
+**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user.
 
-**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is ignored for containers created by the root user.
+**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
 
 **ns:**_namespace_: run the container in the given existing user namespace.
 

docs/source/markdown/podman-play-kube.1.md

@@ -276,9 +276,9 @@ Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinat
 
 **host**: create a new namespace for the container.
 
-**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user.
+**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user.
 
-**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is ignored for containers created by the root user.
+**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
 
 **ns:**_namespace_: run the pod in the given existing user namespace.
 

docs/source/markdown/podman-pod-create.1.md

@@ -360,9 +360,9 @@ Valid _mode_ values are:
 
   - *host*: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default).
 
-  - *keep-id*: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user.
+  - *keep-id*: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user.
 
-  - *nomap*: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is ignored for containers created by the root user.
+  - *nomap*: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
 
 #### **--volume**, **-v**[=*[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]
 

docs/source/markdown/podman-run.1.md

@@ -1329,9 +1329,9 @@ The rootless option `--userns=keep-id` uses all the subuids and subgids of the u
 
 **host**: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default).
 
-**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user.
+**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user.
 
-**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is ignored for containers created by the root user.
+**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
 
 **ns:**_namespace_: run the container in the given existing user namespace.
 

test/system/170-run-userns.bats

@@ -111,7 +111,7 @@ EOF
 }
 
 @test "podman userns=nomap" {
-    skip_if_not_rootless "--userns=nomap only works in rootless mode"
+    if is_rootless; then
         ns_user=$(id -un)
         baseuid=$(egrep "${ns_user}:" /etc/subuid | cut -f2 -d:)
         test ! -z ${baseuid} ||  skip "no IDs allocated for user ${ns_user}"
@@ -122,4 +122,19 @@ EOF
         run_podman top ${cid} huser
         is "${output}" "HUSER.*${baseuid}" "Container should start with baseuid from /etc/subuid not user UID"
         run_podman rm -t 0 --force ${cid}
+    else
+        run_podman 125 run -d --userns=nomap $IMAGE sleep 100
+        is "${output}" "Error: nomap is only supported in rootless mode" "Container should fail to start since nomap is not suppored in rootful mode"
+    fi
+}
+
+@test "podman userns=keep-id" {
+    if is_rootless; then
+        user=$(id -u)
+        run_podman run --rm --userns=keep-id $IMAGE id -u
+        is "${output}" "$user" "Container should run as the current user"
+    else
+        run_podman 125 run --rm --userns=keep-id $IMAGE id -u
+        is "${output}" "Error: keep-id is only supported in rootless mode" "Container should fail to start since keep-id is not suppored in rootful mode"
+    fi
 }