opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-08-06 19:44:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

Prohibit --uid/gid map and --pod for container create/run

Browse Source 
add a check in namespaceOptions() that ensures the user is not setting a new uid/gid map
if entering or creating a pod that has an infra container

resolves #12669

Signed-off-by: cdoern <cdoern@redhat.com>
This commit is contained in:
cdoern
2022-01-13 10:43:24 -05:00
parent e98058a3cf
commit 6996830104
4 changed files with 28 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/source/markdown/podman-create.1.md
View File

@ -365,6 +365,8 @@ GID map for the user namespace. Using this flag will run the container with user
The following example maps uids 0-2000 in the container to the uids 30000-31999 on the host and gids 0-2000 in the container to the gids 30000-31999 on the host. `--gidmap=0:30000:2000`
Note: the **--gidmap** flag cannot be called in conjunction with the **--pod** flag as a gidmap cannot be set on the container level when in a pod.
#### **--group-add**=*group|keep-groups*
Add additional groups to assign to primary user running within the container process.
@ -1166,6 +1168,7 @@ Even if a user does not have any subordinate UIDs in _/etc/subuid_,
**--uidmap** could still be used to map the normal UID of the user to a
container UID by running `podman create --uidmap $container_uid:0:1 --user $container_uid ...`.
Note: the **--uidmap** flag cannot be called in conjunction with the **--pod** flag as a uidmap cannot be set on the container level when in a pod.
#### **--ulimit**=*option*