pods: do not to join a userns if there is not any

do not attempt to join the user namespace if the pod is running in the host user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-06-17 06:57:43 +08:00 · 2019-07-25 14:55:05 +02:00
parent 7c9095ea1d
commit ba5741e398
2 changed files with 32 additions and 5 deletions
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@ -282,13 +282,26 @@ func configurePod(c *GenericCLIResults, runtime *libpod.Runtime, namespaces map[
 	if err != nil {
 		return namespaces, err
 	}
+	hasUserns := false
+	if podInfraID != "" {
+		podCtr, err := runtime.GetContainer(podInfraID)
+		if err != nil {
+			return namespaces, err
+		}
+		mappings, err := podCtr.IDMappings()
+		if err != nil {
+			return namespaces, err
+		}
+		hasUserns = len(mappings.UIDMap) > 0
+	}
+
 	if (namespaces["pid"] == cc.Pod) || (!c.IsSet("pid") && pod.SharesPID()) {
 		namespaces["pid"] = fmt.Sprintf("container:%s", podInfraID)
 	}
 	if (namespaces["net"] == cc.Pod) || (!c.IsSet("net") && !c.IsSet("network") && pod.SharesNet()) {
 		namespaces["net"] = fmt.Sprintf("container:%s", podInfraID)
 	}
-	if (namespaces["user"] == cc.Pod) || (!c.IsSet("user") && pod.SharesUser()) {
+	if hasUserns && (namespaces["user"] == cc.Pod) || (!c.IsSet("user") && pod.SharesUser()) {
 		namespaces["user"] = fmt.Sprintf("container:%s", podInfraID)
 	}
 	if (namespaces["ipc"] == cc.Pod) || (!c.IsSet("ipc") && pod.SharesIPC()) {
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@ -492,15 +492,29 @@ func (r *LocalRuntime) PlayKubeYAML(ctx context.Context, c *cliconfig.KubePlayVa
 	if err != nil {
 		return nil, err
 	}
+	hasUserns := false
+	if podInfraID != "" {
+		podCtr, err := r.GetContainer(podInfraID)
+		if err != nil {
+			return nil, err
+		}
+		mappings, err := podCtr.IDMappings()
+		if err != nil {
+			return nil, err
+		}
+		hasUserns = len(mappings.UIDMap) > 0
+	}

 	namespaces := map[string]string{
 		// Disabled during code review per mheon
 		//"pid":  fmt.Sprintf("container:%s", podInfraID),
 		"net": fmt.Sprintf("container:%s", podInfraID),
-		"user": fmt.Sprintf("container:%s", podInfraID),
 		"ipc": fmt.Sprintf("container:%s", podInfraID),
 		"uts": fmt.Sprintf("container:%s", podInfraID),
 	}
+	if hasUserns {
+		namespaces["user"] = fmt.Sprintf("container:%s", podInfraID)
+	}
 	if !c.Quiet {
 		writer = os.Stderr
 	}