Merge pull request #27413 from 0xDVC/fix-26848-userns-pod-validation

Fix user namespace validation for containers in pods
2025-11-28 09:09:44 +08:00 · 2025-11-26 15:37:00 +00:00
parent 046206fe53 417430c451
commit ffe01749e2
5 changed files with 39 additions and 11 deletions
--- a/test/e2e/create_test.go
+++ b/test/e2e/create_test.go
@@ -678,12 +678,14 @@ var _ = Describe("Podman create", func() {
 		create := podmanTest.Podman([]string{"create", "--uidmap", "0:1000:1000", "--pod", "new:testing123", ALPINE})
 		create.WaitWithDefaultTimeout()
 		Expect(create).ShouldNot(ExitCleanly())
-		Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+		Expect(create.ErrorToString()).To(ContainSubstring("cannot set user namespace mode when joining pod with infra container"))
+
+		podmanTest.PodmanExitCleanly("pod", "rm", "-f", "testing123")

 		create = podmanTest.Podman([]string{"create", "--gidmap", "0:1000:1000", "--pod", "new:testing1234", ALPINE})
 		create.WaitWithDefaultTimeout()
 		Expect(create).ShouldNot(ExitCleanly())
-		Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+		Expect(create.ErrorToString()).To(ContainSubstring("cannot set user namespace mode when joining pod with infra container"))
 	})

 	It("podman create --chrootdirs inspection test", func() {
--- a/test/e2e/pod_create_test.go
+++ b/test/e2e/pod_create_test.go
@@ -803,7 +803,7 @@ ENTRYPOINT ["sleep","99999"]
 		// fail if --pod and --userns set together
 		session = podmanTest.Podman([]string{"run", "--pod", podName, "--userns", "keep-id", ALPINE, "id", "-u"})
 		session.WaitWithDefaultTimeout()
-		Expect(session).Should(ExitWithError(125, "--userns and --pod cannot be set together"))
+		Expect(session).Should(ExitWithError(125, "cannot set user namespace mode when joining pod with infra container"))
 	})

 	It("podman pod create with --userns=keep-id can add users", func() {
--- a/test/system/620-option-conflicts.bats
+++ b/test/system/620-option-conflicts.bats
@@ -14,7 +14,6 @@ load helpers
 create,run        | --cpu-period=1 | --cpus=2               | $IMAGE
 create,run        | --cpu-quota=1  | --cpus=2               | $IMAGE
 create,run        | --no-hosts     | --add-host=foo:1.1.1.1 | $IMAGE
-create,run        | --userns=bar   | --pod=foo              | $IMAGE
 container cleanup | --all          | --exec=foo
 container cleanup | --exec=foo     | --rmi                  | foo
 "
@@ -48,6 +47,14 @@ container cleanup | --exec=foo     | --rmi                  | foo
               "podman $cmd --platform + --$opt"
        done
    done
+
+    # --userns and --pod have a different error message format
+    podname=p-$(safename)
+    run_podman pod create --name $podname
+    run_podman 125 run --uidmap=0:1000:1000 --pod=$podname $IMAGE true
+    is "$output" "Error: cannot set user namespace mode when joining pod with infra container: invalid argument" \
+       "podman run --uidmap + --pod"
+    run_podman pod rm -f $podname
 }