podman: allow to specify the userns to join

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1145
Approved by: rhatdan

cmd/podman/create.go

@@ -374,7 +374,7 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
 	}
 
 	usernsMode := container.UsernsMode(c.String("userns"))
-	if !usernsMode.Valid() {
+	if !cc.IsNS(string(usernsMode)) && !usernsMode.Valid() {
 		return nil, errors.Errorf("--userns %q is not valid", c.String("userns"))
 	}
 

docs/podman-create.1.md

@@ -582,6 +582,7 @@ Without this argument the command will be run as root in the container.
 Set the usernamespace mode for the container. The use of userns is disabled by default.
 
     **host**: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`).
+    **ns**: specify the usernamespace to use.
 
 **--uts**=*host*
 

docs/podman-run.1.md

@@ -612,6 +612,7 @@ Without this argument the command will be run as root in the container.
 Set the usernamespace mode for the container. The use of userns is disabled by default.
 
 `host`: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`).
+`ns`: specify the usernamespace to use.
 
 **--uts**=*host*
 

pkg/spec/spec.go

@@ -326,6 +326,14 @@ func addPidNS(config *CreateConfig, g *generate.Generator) error {
 }
 
 func addUserNS(config *CreateConfig, g *generate.Generator) error {
+	if IsNS(string(config.UsernsMode)) {
+		g.AddOrReplaceLinuxNamespace(spec.UserNamespace, NS(string(config.UsernsMode)))
+
+		// runc complains if no mapping is specified, even if we join another ns.  So provide a dummy mapping
+		g.AddLinuxUIDMapping(uint32(0), uint32(0), uint32(1))
+		g.AddLinuxGIDMapping(uint32(0), uint32(0), uint32(1))
+	}
+
 	if (len(config.IDMappings.UIDMap) > 0 || len(config.IDMappings.GIDMap) > 0) && !config.UsernsMode.IsHost() {
 		g.AddOrReplaceLinuxNamespace(spec.UserNamespace, "")
 	}