diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md index 24c4295c4c..145e5f4d41 100644 --- a/docs/source/markdown/podman-systemd.unit.5.md +++ b/docs/source/markdown/podman-systemd.unit.5.md @@ -110,10 +110,6 @@ Valid options for `[Container]` are listed below: | PodmanArgs=--add-host foobar | --add-host foobar | | PublishPort=true | --publish | | ReadOnly=true | --read-only | -| RemapGid=0:20000:400 | --gidmap 0:20000:400 | -| RemapUid=0:100000:2000 | --uidmap 0:100000:2000 | -| RemapUidSize=6000 | --userns auto:6000 | -| RemapUsers=auto | --userns auto | | RunInit=true | --init | | SeccompProfile=/tmp/s.json | --security-opt seccomp=/tmp/s.json | | SecurityLabelDisable=true | --security-opt label=disable | @@ -123,6 +119,7 @@ Valid options for `[Container]` are listed below: | Timezone=local | --tz local | | Tmpfs=/work | --tmpfs /work | | User=bin | --user bin | +| UserNS=keep-id:uid=200,gid=210 | --userns keep-id:uid=200,gid=210 | | VolatileTmp=true | --tmpfs /tmp | | Volume=/source:/dest | --volume /source:/dest | @@ -206,7 +203,7 @@ This key can be listed multiple times. ### `Group=` The (numeric) gid to run as inside the container. This does not need to match the gid on the host, -which can be modified with `RemapUsers`, but if that is not specified, this gid is also used on the host. +which can be modified with `UsersNS`, but if that is not specified, this gid is also used on the host. ### `HealthCmd=` @@ -384,42 +381,6 @@ If enabled, makes image read-only, with /var/tmp, /tmp and /run a tmpfs (unless **NOTE:** Podman will automatically copy any content from the image onto the tmpfs -### `RemapGid=` - -`RemapGid` key to force a particular host uid to be mapped to the container. - -In `keep-id` mode, the value should be a single GID and should appear only once. -If no value is set, the running user is mapped to the same id in the container. -This is supported only on user systemd units. - -If `RemapUsers` is enabled, this specifies a gid mapping of the form `container_gid:from_gid:amount`, -which will map `amount` number of gids on the host starting at `from_gid` into the container, starting -at `container_gid`. - -### `RemapUid=` - -If `RemapUsers` is enabled, this specifies a uid mapping. -If `RemapUsers` is set to `keep-id` the value should be a single UID and should appear only once. -Otherwise, the value takes the form `container_uid:from_uid:amount`, -which will map `amount` number of uids on the host starting at `from_uid` into the container, starting -at `container_uid`. - -### `RemapUidSize=` - -If `RemapUsers` is enabled and set to `auto`, this specifies the count of the ids to remap - -### `RemapUsers=` - -If this is set, then host user and group ids are remapped in the container. It currently -supports values: `auto`, `manual` and `keep-id`. - -In `manual` mode, the `RemapUid` and `RemapGid` options can define an -exact mapping of uids from host to container. You must specify these. - -In `auto` mode mode, the subuids and subgids allocated to the `containers` user is used to allocate -host uids/gids to use for the container. By default this will try to estimate a count of the ids -to remap, but `RemapUidSize` can be specified to use an explicit size. Use `RemapUid` and - ### `RunInit=` (default to `no`) If enabled, the container will have a minimal init process inside the @@ -465,7 +426,12 @@ The timezone to run the container in. ### `User=` The (numeric) uid to run as inside the container. This does not need to match the uid on the host, -which can be modified with `RemapUsers`, but if that is not specified, this uid is also used on the host. +which can be modified with `UserNS`, but if that is not specified, this uid is also used on the host. + +### `UserNS=` + +Set the user namespace mode for the container. This is equivalent to the Podman `--userns` option and +generally has the form `MODE[:OPTIONS,...]`. ### `VolatileTmp=` (default to `no`, or `yes` if `ReadOnly` enabled) @@ -505,10 +471,7 @@ Valid options for `[Kube]` are listed below: | LogDriver=journald | --log-driver journald | | Network=host | --net host | | PublishPort=59-60 | --publish=59-60 | -| RemapGid=0:20000:400 | --gidmap 0:20000:400 | -| RemapUid=0:100000:2000 | --uidmap 0:100000:2000 | -| RemapUidSize=6000 | --userns auto:6000 | -| RemapUsers=auto | --userns auto | +| UserNS=keep-id:uid=200,gid=210 | --userns keep-id:uid=200,gid=210 | | Yaml=/tmp/kube.yaml | podman kube play /tmp/kube.yaml | Supported keys in the `[Kube]` section are: @@ -558,40 +521,10 @@ entry from the unit file will take precedence This key can be listed multiple times. -### `RemapGid=` +### `UserNS=` -If `RemapUsers` is enabled, this specifies a gid mapping. -If `RemapUsers` is set to `keep-id` the value should be a single GID and should appear only once. -Otherwise, the value takes the form `container_gid:from_gid:amount`, -which will map `amount` number of gids on the host starting at `from_gid` into the container, starting -at `container_gid`. - -### `RemapUid=` - -If `RemapUsers` is enabled, this specifies a uid mapping. -If `RemapUsers` is set to `keep-id` the value should be a single UID and should appear only once. -Otherwise, the value takes the form `container_uid:from_uid:amount`, -which will map `amount` number of uids on the host starting at `from_uid` into the container, starting -at `container_uid`. - -### `RemapUidSize=` - -If `RemapUsers` is enabled and set to `auto`, this specifies the count of the ids to remap. - -### `RemapUsers=` - -If this is set, then host user and group ids are remapped in the container. It currently -supports values: `auto`, and `keep-id`. - -In `auto` mode mode, the subuids and subgids allocated to the `containers` user is used to allocate -host uids/gids to use for the container. By default this will try to estimate a count of the ids -to remap, but `RemapUidSize` can be specified to use an explicit size. Use `RemapUid` and -`RemapGid` key to force a particular host uid to be mapped to the container. - -In `keep-id` mode, if `RemapUid` or `RemapGid` are set the running user is mapped -to the corresponding ids in the container. -Otherwise, the user is mapped to the user's host machine ids in the container. -This is supported only on user systemd units. +Set the user namespace mode for the container. This is equivalent to the Podman `--userns` option and +generally has the form `MODE[:OPTIONS,...]`. ### `Yaml=` diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go index a8efd011ea..9da2c33be1 100644 --- a/pkg/systemd/quadlet/quadlet.go +++ b/pkg/systemd/quadlet/quadlet.go @@ -97,6 +97,7 @@ const ( KeyTmpfs = "Tmpfs" KeyType = "Type" KeyUser = "User" + KeyUserNS = "UserNS" KeyVolatileTmp = "VolatileTmp" KeyVolume = "Volume" KeyYaml = "Yaml" @@ -156,6 +157,7 @@ var ( KeyTmpfs: true, KeyTimezone: true, KeyUser: true, + KeyUserNS: true, KeyVolatileTmp: true, KeyVolume: true, } @@ -195,6 +197,7 @@ var ( KeyRemapUID: true, KeyRemapUIDSize: true, KeyRemapUsers: true, + KeyUserNS: true, KeyYaml: true, } ) @@ -476,6 +479,8 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile return nil, err } + handleUserNS(container, ContainerGroup, podman) + tmpfsValues := container.LookupAll(ContainerGroup, KeyTmpfs) for _, tmpfs := range tmpfsValues { if strings.Count(tmpfs, ":") > 1 { @@ -877,6 +882,8 @@ func ConvertKube(kube *parser.UnitFile, isUser bool) (*parser.UnitFile, error) { return nil, err } + handleUserNS(kube, KubeGroup, execStart) + addNetworks(kube, KubeGroup, service, execStart) configMaps := kube.LookupAllStrv(KubeGroup, KeyConfigMap) @@ -904,6 +911,11 @@ func ConvertKube(kube *parser.UnitFile, isUser bool) (*parser.UnitFile, error) { } func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, isUser, supportManual bool) error { + // ignore Remap keys if UserNS is set + if userns, ok := unitFile.Lookup(groupName, KeyUserNS); ok && len(userns) > 0 { + return nil + } + uidMaps := unitFile.LookupAllStrv(groupName, KeyRemapUID) gidMaps := unitFile.LookupAllStrv(groupName, KeyRemapGID) remapUsers, _ := unitFile.LookupLast(groupName, KeyRemapUsers) @@ -968,6 +980,12 @@ func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *Podman return nil } +func handleUserNS(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline) { + if userns, ok := unitFile.Lookup(groupName, KeyUserNS); ok && len(userns) > 0 { + podman.add("--userns", userns) + } +} + func addNetworks(quadletUnitFile *parser.UnitFile, groupName string, serviceUnitFile *parser.UnitFile, podman *PodmanCmdline) { networks := quadletUnitFile.LookupAll(groupName, KeyNetwork) for _, network := range networks { diff --git a/test/system/252-quadlet.bats b/test/system/252-quadlet.bats index f7889a0c72..eaa22d0ed3 100644 --- a/test/system/252-quadlet.bats +++ b/test/system/252-quadlet.bats @@ -607,4 +607,22 @@ EOF service_cleanup $QUADLET_SERVICE_NAME failed } +@test "quadlet - userns" { + local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container + cat > $quadlet_file <