rootless: do not override /dev/pts if not needed

when running in rootless mode we were unconditionally overriding
/dev/pts to take ride of gid=5.  This is not needed when multiple gids
are present in the namespace, which is always the case except when
running the tests suite with only one mapping.  So change it to check
how many gids are present before overriding the default mount.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

pkg/spec/spec.go

@@ -9,6 +9,7 @@ import (
 	"github.com/containers/storage/pkg/mount"
 	"github.com/docker/docker/daemon/caps"
 	"github.com/docker/go-units"
+	"github.com/opencontainers/runc/libcontainer/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/pkg/errors"
@@ -45,6 +46,18 @@ func supercedeUserMounts(mounts []spec.Mount, configMount []spec.Mount) []spec.M
 	return configMount
 }
 
+func getAvailableGids() (int64, error) {
+	idMap, err := user.ParseIDMapFile("/proc/self/gid_map")
+	if err != nil {
+		return 0, err
+	}
+	count := int64(0)
+	for _, r := range idMap {
+		count += r.Count
+	}
+	return count, nil
+}
+
 // CreateConfigToOCISpec parses information needed to create a container into an OCI runtime spec
 func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 	cgroupPerm := "ro"
@@ -91,6 +104,12 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 		g.AddMount(sysMnt)
 	}
 	if isRootless {
+		nGids, err := getAvailableGids()
+		if err != nil {
+			return nil, err
+		}
+		if nGids < 5 {
+			// If we have no GID mappings, the gid=5 default option would fail, so drop it.
 			g.RemoveMount("/dev/pts")
 			devPts := spec.Mount{
 				Destination: "/dev/pts",
@@ -100,6 +119,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 			}
 			g.AddMount(devPts)
 		}
+	}
 	if inUserNS && config.IpcMode.IsHost() {
 		g.RemoveMount("/dev/mqueue")
 		devMqueue := spec.Mount{