Fix running container from docker client with rootful in rootless podman.

This effectively fix errors like "unable to upgrade to tcp, received 409" like #19930 in the special case where podman itself is running rootful but inside a container which itself is rootless. [NO NEW TESTS NEEDED] Signed-off-by: Romain Geissler <romain.geissler@amadeus.com>
2025-10-19 04:03:23 +08:00 · 2024-02-02 18:50:15 +00:00
parent fbb4d5dca6
commit f59a5f1351
1 changed files with 9 additions and 7 deletions
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@ -45,6 +45,7 @@ import (
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/lockfile"
 	"github.com/containers/storage/pkg/unshare"
 	stypes "github.com/containers/storage/types"
 	securejoin "github.com/cyphar/filepath-securejoin"
 	runcuser "github.com/moby/sys/user"
@ -632,14 +633,15 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 	nofileSet := false
 	nprocSet := false
 	isRootless := rootless.IsRootless()
-	if isRootless {
+	isRunningInUserNs := unshare.IsRootless()
-		if g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
+	if isRunningInUserNs && g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
-			var err error
+		var err error
-			*g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
+		*g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
-			if err != nil {
+		if err != nil {
-				return nil, nil, err
+			return nil, nil, err
 			}
 		}
 	}
 	if isRootless {
 		for _, rlimit := range c.config.Spec.Process.Rlimits {
 			if rlimit.Type == "RLIMIT_NOFILE" {
 				nofileSet = true