Merge pull request #23679 from ruihe774/pod-userns

quadlet: support user mapping in pod unit
2025-08-06 11:32:07 +08:00 · 2024-08-22 12:33:43 +00:00
parent 0a9f49bbe0 4fbfa7de6e
commit e7905122d7
8 changed files with 85 additions and 6 deletions
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@ -878,6 +878,7 @@ Valid options for `[Pod]` are listed below:
 | **[Pod] options**                   | **podman container create equivalent** |
 |-------------------------------------|----------------------------------------|
 | ContainersConfModule=/etc/nvd\.conf | --module=/etc/nvd\.conf                |
+| GIDMap=0:10000:10                   | --gidmap=0:10000:10                   |
 | GlobalArgs=--log-level=debug        | --log-level=debug                      |
 | Network=host                        | --network host                         |
 | NetworkAlias=name                   | --network-alias name                   |
@ -885,6 +886,10 @@ Valid options for `[Pod]` are listed below:
 | PodName=name                        | --name=name                            |
 | PublishPort=50-59                   | --publish 50-59                        |
 | ServiceName=name                    | Name the systemd unit `name.service`   |
+| SubGIDMap=gtest                     | --subgidname=gtest                     |
+| SubUIDMap=utest                     | --subuidname=utest                     |
+| UIDMap=0:10000:10                   | --uidmap=0:10000:10                    |
+| UserNS=keep-id:uid=200,gid=210      | --userns keep-id:uid=200,gid=210       |
 | Volume=/source:/dest                | --volume /source:/dest                 |

 Supported keys in the `[Pod]` section are:
@ -895,6 +900,13 @@ Load the specified containers.conf(5) module. Equivalent to the Podman `--module

 This key can be listed multiple times.

+### `GIDMap=`
+
+Create the pod in a new user namespace using the supplied GID mapping.
+Equivalent to the Podman `--gidmap` option.
+
+This key can be listed multiple times.
+
 ### `GlobalArgs=`

 This key contains a list of arguments passed directly between `podman` and `pod`
@ -977,6 +989,28 @@ Setting this key overrides this behavior by instructing Quadlet to use the provi

 Note, the name should not include the `.service` file extension

+### `SubGIDMap=`
+
+Create the pod in a new user namespace using the map with name in the /etc/subgid file.
+Equivalent to the Podman `--subgidname` option.
+
+### `SubUIDMap=`
+
+Create the pod in a new user namespace using the map with name in the /etc/subuid file.
+Equivalent to the Podman `--subuidname` option.
+
+### `UIDMap=`
+
+Create the pod in a new user namespace using the supplied UID mapping.
+Equivalent to the Podman `--uidmap` option.
+
+This key can be listed multiple times.
+
+### `UserNS=`
+
+Set the user namespace mode for the pod. This is equivalent to the Podman `--userns` option and
+generally has the form `MODE[:OPTIONS,...]`.
+
 ### `Volume=`

 Mount a volume in the pod. This is equivalent to the Podman `--volume` option, and