specgen: honor userns=auto from containers.conf

when using the default userns value, make sure its value is parsed so that userns=auto is parsed and the options for the storage are filled. Closes: https://github.com/containers/podman/issues/12615 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2024-10-20 17:23:30 +00:00 · 2021-12-16 12:02:36 +01:00 · 2021-12-16 12:02:36 +01:00 · 89ee302a9f
parent 46a094a7a2
commit 89ee302a9f
2 changed files with 33 additions and 0 deletions
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@ -9,6 +9,7 @@ import (
 	cdi "github.com/container-orchestrated-devices/container-device-interface/pkg"
 	"github.com/containers/common/libimage"
 	"github.com/containers/podman/v3/libpod"
+	"github.com/containers/podman/v3/pkg/namespaces"
 	"github.com/containers/podman/v3/pkg/specgen"
 	"github.com/containers/podman/v3/pkg/util"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@ -96,6 +97,12 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
 			return nil, nil, nil, err
 		}
 		s.UserNS = defaultNS
+
+		mappings, err := util.ParseIDMapping(namespaces.UsernsMode(s.UserNS.NSMode), nil, nil, "", "")
+		if err != nil {
+			return nil, nil, nil, err
+		}
+		s.IDMappings = mappings
 	}
 	if s.NetNS.IsDefault() {
 		defaultNS, err := GetDefaultNamespaceMode("net", rtc, pod)
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@ -52,3 +52,29 @@ function _require_crun() {
    run_podman 125 run --rm --group-add keep-groups --group-add 457 $IMAGE id
    is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container"
 }
+
+@test "podman userns=auto in config file" {
+    skip_if_remote "userns=auto is set on the server"
+
+    if is_rootless; then
+        egrep -q "^$(id -un):" /etc/subuid || skip "no IDs allocated for current user"
+    else
+        egrep -q "^containers:" /etc/subuid || skip "no IDs allocated for user 'containers'"
+    fi
+
+    cat > $PODMAN_TMPDIR/userns_auto.conf <<EOF
+[containers]
+userns="auto"
+EOF
+    # First make sure a user namespace is created
+    CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman run -d $IMAGE sleep infinity
+    cid=$output
+
+    run_podman inspect --format '{{.HostConfig.UsernsMode}}' $cid
+    is "$output" "private" "Check that a user namespace was created for the container"
+
+    run_podman rm -t 0 -f $cid
+
+    # Then check that the main user is not mapped into the user namespace
+    CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 0 run --rm $IMAGE awk '{if($2 == "0"){exit 1}}' /proc/self/uid_map /proc/self/gid_map
+}