Merge pull request #19434 from rhatdan/userns

Set default userns from containers.conf file
2025-06-22 01:48:54 +08:00 · 2023-08-01 12:00:57 +02:00
parent 843f663c81 39341f283c
commit 57aa4850fc
2 changed files with 61 additions and 40 deletions
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@ -193,7 +193,7 @@ func getMemoryLimits(c *entities.ContainerCreateOptions) (*specs.LinuxMemory, er
 	return memory, nil
 }

-func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions) error {
+func setNamespaces(rtc *config.Config, s *specgen.SpecGenerator, c *entities.ContainerCreateOptions) error {
 	var err error

 	if c.PID != "" {
@ -222,7 +222,11 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
 	}
 	userns := c.UserNS
 	if userns == "" && c.Pod == "" {
-		userns = os.Getenv("PODMAN_USERNS")
+		if ns, ok := os.LookupEnv("PODMAN_USERNS"); ok {
+			userns = ns
+		} else {
+			userns = rtc.Containers.UserNS
+		}
 	}
 	// userns must be treated differently
 	if userns != "" {
@ -234,6 +238,40 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
 	if c.Net != nil {
 		s.NetNS = c.Net.Network
 	}
+
+	if s.IDMappings == nil {
+		userNS := namespaces.UsernsMode(s.UserNS.NSMode)
+		tempIDMap, err := util.ParseIDMapping(namespaces.UsernsMode(userns), []string{}, []string{}, "", "")
+		if err != nil {
+			return err
+		}
+		s.IDMappings, err = util.ParseIDMapping(userNS, c.UIDMap, c.GIDMap, c.SubUIDName, c.SubGIDName)
+		if err != nil {
+			return err
+		}
+		if len(s.IDMappings.GIDMap) == 0 {
+			s.IDMappings.AutoUserNsOpts.AdditionalGIDMappings = tempIDMap.AutoUserNsOpts.AdditionalGIDMappings
+			if s.UserNS.NSMode == specgen.NamespaceMode("auto") {
+				s.IDMappings.AutoUserNs = true
+			}
+		}
+		if len(s.IDMappings.UIDMap) == 0 {
+			s.IDMappings.AutoUserNsOpts.AdditionalUIDMappings = tempIDMap.AutoUserNsOpts.AdditionalUIDMappings
+			if s.UserNS.NSMode == specgen.NamespaceMode("auto") {
+				s.IDMappings.AutoUserNs = true
+			}
+		}
+		if tempIDMap.AutoUserNsOpts.Size != 0 {
+			s.IDMappings.AutoUserNsOpts.Size = tempIDMap.AutoUserNsOpts.Size
+		}
+		// If some mappings are specified, assume a private user namespace
+		if userNS.IsDefaultValue() && (!s.IDMappings.HostUIDMapping || !s.IDMappings.HostGIDMapping) {
+			s.UserNS.NSMode = specgen.Private
+		} else {
+			s.UserNS.NSMode = specgen.NamespaceMode(userNS)
+		}
+	}
+
 	return nil
 }

@ -320,43 +358,10 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 		s.StartupHealthConfig.Successes = int(c.StartupHCSuccesses)
 	}

-	if err := setNamespaces(s, c); err != nil {
+	if err := setNamespaces(rtc, s, c); err != nil {
 		return err
 	}

-	if s.IDMappings == nil {
-		userNS := namespaces.UsernsMode(s.UserNS.NSMode)
-		tempIDMap, err := util.ParseIDMapping(namespaces.UsernsMode(c.UserNS), []string{}, []string{}, "", "")
-		if err != nil {
-			return err
-		}
-		s.IDMappings, err = util.ParseIDMapping(userNS, c.UIDMap, c.GIDMap, c.SubUIDName, c.SubGIDName)
-		if err != nil {
-			return err
-		}
-		if len(s.IDMappings.GIDMap) == 0 {
-			s.IDMappings.AutoUserNsOpts.AdditionalGIDMappings = tempIDMap.AutoUserNsOpts.AdditionalGIDMappings
-			if s.UserNS.NSMode == specgen.NamespaceMode("auto") {
-				s.IDMappings.AutoUserNs = true
-			}
-		}
-		if len(s.IDMappings.UIDMap) == 0 {
-			s.IDMappings.AutoUserNsOpts.AdditionalUIDMappings = tempIDMap.AutoUserNsOpts.AdditionalUIDMappings
-			if s.UserNS.NSMode == specgen.NamespaceMode("auto") {
-				s.IDMappings.AutoUserNs = true
-			}
-		}
-		if tempIDMap.AutoUserNsOpts.Size != 0 {
-			s.IDMappings.AutoUserNsOpts.Size = tempIDMap.AutoUserNsOpts.Size
-		}
-		// If some mappings are specified, assume a private user namespace
-		if userNS.IsDefaultValue() && (!s.IDMappings.HostUIDMapping || !s.IDMappings.HostGIDMapping) {
-			s.UserNS.NSMode = specgen.Private
-		} else {
-			s.UserNS.NSMode = specgen.NamespaceMode(userNS)
-		}
-	}
-
 	if !s.Terminal {
 		s.Terminal = c.TTY
 	}
--- a/test/system/160-volumes.bats
+++ b/test/system/160-volumes.bats
@ -327,15 +327,31 @@ EOF
    mkdir $myvoldir
    touch $myvoldir/myfile

+    containersconf=${PODMAN_TMPDIR}/containers.conf
+    cat >$containersconf <<EOF
+[containers]
+userns="keep-id"
+EOF
+
    # With keep-id
    run_podman run --rm -v $myvoldir:/vol:z --userns=keep-id $IMAGE \
-               stat -c "%u:%s" /vol/myfile
-    is "$output" "$(id -u):0" "with keep-id: stat(file in container) == my uid"
+               stat -c "%u:%g:%s" /vol/myfile
+    is "$output" "$(id -u):$(id -g):0" "with keep-id: stat(file in container) == my uid"

    # Without
    run_podman run --rm -v $myvoldir:/vol:z $IMAGE \
-               stat -c "%u:%s" /vol/myfile
-    is "$output" "0:0" "w/o keep-id: stat(file in container) == root"
+               stat -c "%u:%g:%s" /vol/myfile
+    is "$output" "0:0:0" "w/o keep-id: stat(file in container) == root"
+
+    # With keep-id from containers.conf
+    CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm -v $myvoldir:/vol:z $IMAGE \
+               stat -c "%u:%g:%s" /vol/myfile
+    is "$output" "$(id -u):$(id -g):0" "with keep-id from containers.conf: stat(file in container) == my uid"
+
+    # With keep-id from containers.conf overriden with --userns=nomap
+    CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm -v $myvoldir:/vol:z --userns=nomap $IMAGE \
+               stat -c "%u:%g:%s" /vol/myfile
+    is "$output" "65534:65534:0" "w/o overridden containers.conf keep-id->nomap: stat(file in container) == root"
 }