run: ignore PODMAN_USERNS with --pod

the combination --pod and --userns is already blocked. Ignore the PODMAN_USERNS variable when a pod is used, since it would cause to create a new user namespace for the container. Ideally a container should be able to do that, but its user namespace must be a child of the pod user namespace, not a sibling. Since nested user namespaces are not allowed in the OCI runtime specs, disallow this case, since the end result is just confusing for the user. Closes: https://github.com/containers/podman/issues/18580 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-08-06 11:32:07 +08:00 · 2023-05-17 13:02:34 +02:00
parent a1201843fd
commit 192ad70e98
3 changed files with 9 additions and 4 deletions
--- a/docs/source/markdown/options/userns.container.md
+++ b/docs/source/markdown/options/userns.container.md
@ -4,7 +4,7 @@
 ####> are applicable to all of those.
 #### **--userns**=*mode*

-Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options.
+Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable unless `--pod` is specified. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options.

 This option is incompatible with **--gidmap**, **--uidmap**, **--subuidname** and **--subgidname**.