Rootless --userns=keep-id doesn't work with --pod #6184

Closed
jdoss opened this issue May 12, 2020 · 1 comment
Labels: kind/bug (Categorizes issue or PR as related to a bug.), locked - please file new issue/PR (Assist humans wanting to comment on an old issue or PR with locked comments.)

Comments

@jdoss (Contributor)

jdoss commented May 12, 2020

/kind bug

Description

I am trying to run Elasticsearch as a rootless container inside a rootless pod. I encountered #2898 where the mount point of /usr/share/elasticsearch/data for the volume is mounted as root uid/gid. This led me to #3196 to use --userns=keep-id which works but not when you try to create the container inside a pod.

Steps to reproduce the issue:

$ podman pod create --name mycoolpod -p 9200:9200
602e395cc7a788346217ec9af342d1a8cb181c6bd011cfef8941659229843b73

$ podman run -d --userns=keep-id --volume ${PWD}:/usr/share/elasticsearch/data:Z -e "discovery.type=single-node" -p 9200:9200 --name mycoolelasticsearch --pod mycoolpod elasticsearch:7.5.2
Error: cannot setns `/proc/233708/ns/net`: Operation not permitted: OCI runtime permission denied error

$ podman rm mycoolelasticsearch
187fd65a46a9d11f547e317d838ad8ed7660ad7da5e8195d05d1a00bcd15b894
$ podman pod rm mycoolpod
602e395cc7a788346217ec9af342d1a8cb181c6bd011cfef8941659229843b73

$ podman run -d --userns=keep-id --volume ${PWD}:/usr/share/elasticsearch/data:Z -e "discovery.type=single-node" -p 9200:9200 --name mycoolelasticsearch  elasticsearch:7.5.2
e2bada08840761bcd134bd6b30804e7d9b06baaee5fe16fdd8c49061d7aa8a53

$ podman ps 
CONTAINER ID  IMAGE                                  COMMAND    CREATED         STATUS             PORTS                   NAMES
e2bada088407  docker.io/library/elasticsearch:7.5.2  eswrapper  17 seconds ago  Up 17 seconds ago  0.0.0.0:9200->9200/tcp  mycoolelasticsearch

$ curl localhost:9200
{
  "name" : "e2bada088407",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "QpjUy7vkQfqO1qw1h4r2Og",
  "version" : {
    "number" : "7.5.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "8bec50e1e0ad29dad5653712cf3bb580cd1afcdf",
    "build_date" : "2020-01-15T12:11:52.313576Z",
    "build_snapshot" : false,
    "lucene_version" : "8.3.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Describe the results you received:

Error: cannot setns /proc/233708/ns/net: Operation not permitted: OCI runtime permission denied error

Describe the results you expected:

To be able to use --userns=keep-id on pods.

Output of podman version:

Version:            1.9.1
RemoteAPI Version:  1
Go Version:         go1.14.2
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  gitCommit: ""
  goVersion: go1.14.2
  podmanVersion: 1.9.1
host:
  arch: amd64
  buildahVersion: 1.14.8
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.15-1.fc32.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.15, commit: 33da5ef83bf2abc7965fc37980a49d02fdb71826'
  cpus: 8
  distribution:
    distribution: fedora
    version: "32"
  eventLogger: file
  hostname: sts7
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.6.10-300.fc32.x86_64
  memFree: 12445704192
  memTotal: 31492403200
  ociRuntime:
    name: crun
    package: crun-0.13-2.fc32.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.13
      commit: e79e4de4ac16da0ce48777afb72c6241de870525
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.0.0-1.fc32.x86_64
    version: |-
      slirp4netns version 1.0.0
      commit: a3be729152a33e692cd28b52f664defbf2e7810a
      libslirp: 4.2.0
  swapFree: 15799939072
  swapTotal: 15799939072
  uptime: 57h 27m 37.79s (Approximately 2.38 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/jdoss/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 2
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.0.0-1.fc32.x86_64
      Version: |-
        fusermount3 version: 3.9.1
        fuse-overlayfs: version 1.0.0
        FUSE library version 3.9.1
        using FUSE kernel interface version 7.31
  graphRoot: /home/jdoss/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 32
  runRoot: /run/user/1000/containers
  volumePath: /home/jdoss/.local/share/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.9.1-1.fc32.x86_64
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label May 12, 2020
@mheon (Member)

mheon commented May 12, 2020

This is a dupe of #6153 and the same reasoning applies there - we need to make user namespace configuration a per-pod setting.

Closing as a dupe.

@mheon mheon closed this as completed May 12, 2020
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023
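An added illustration of the setns failure reported above; this is not code from the podman project or from either commenter. setns(2) requires CAP_SYS_ADMIN both in the user namespace that owns the target network namespace and in the caller's own user namespace. My reading of the error (an assumption, consistent with the maintainer's note that user namespace configuration needs to become per-pod) is that a --userns=keep-id container gets its own user namespace mapping while the pod's infra container, and the network namespace the pod shares, were created under the regular rootless mapping, so crun's setns into /proc/<pid>/ns/net is refused with EPERM. The program below reproduces that kernel rule without podman: it first joins a network namespace owned by the user namespace it just created (allowed), then tries to join the original network namespace from inside a new user namespace (refused). Function names, the probe design and the PROBE_UNAVAILABLE outcome for sandboxes that forbid unprivileged user namespaces are my own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case <sched.h> was pulled in before _GNU_SOURCE took effect.
 * The flag values are the kernel's; the prototypes match glibc's. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
extern int unshare(int flags);
extern int setns(int fd, int nstype);

/* Outcome of one probe, passed back through the child's exit status (constructed enum). */
enum probe_result {
    PROBE_JOINED = 0,      /* setns() succeeded */
    PROBE_EPERM = 1,       /* setns() failed with EPERM, the error crun reports in the issue */
    PROBE_UNAVAILABLE = 2, /* this environment refuses unshare(CLONE_NEWUSER); nothing to show */
    PROBE_OTHER = 3        /* fork/open failure, a different errno, or the child was killed */
};

/*
 * Try to join a network namespace from inside a freshly created user namespace.
 *
 * same_owner != 0: unshare user and network namespaces together, then join the
 *   network namespace we now own. Like a container whose user namespace also
 *   owns the network namespace it joins.
 * same_owner == 0: keep a handle to the original network namespace (owned by the
 *   user namespace we started in), enter a new user namespace, then try to join
 *   it. Like a --userns=keep-id container joining the infra container's netns.
 */
static enum probe_result probe_join(int same_owner)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_OTHER;

    if (pid == 0) {
        int fd = -1;
        if (!same_owner) {
            /* Handle to the netns owned by the user namespace we are still in. */
            fd = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
            if (fd < 0)
                _exit(PROBE_OTHER);
        }

        int flags = same_owner ? (CLONE_NEWUSER | CLONE_NEWNET) : CLONE_NEWUSER;
        if (unshare(flags) != 0)
            _exit(PROBE_UNAVAILABLE);

        if (same_owner) {
            /* /proc/self/ns/net is now the new netns, owned by our new user namespace. */
            fd = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
            if (fd < 0)
                _exit(PROBE_OTHER);
        }

        if (setns(fd, CLONE_NEWNET) == 0)
            _exit(PROBE_JOINED);
        _exit(errno == EPERM ? PROBE_EPERM : PROBE_OTHER);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_OTHER;
    return (enum probe_result)WEXITSTATUS(status);
}

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_JOINED:      return "joined";
    case PROBE_EPERM:       return "EPERM (Operation not permitted)";
    case PROBE_UNAVAILABLE: return "skipped: unshare(CLONE_NEWUSER) not permitted here";
    default:                return "other failure";
    }
}

int main(void)
{
    printf("netns owned by my own new user namespace:     %s\n", describe(probe_join(1)));
    printf("netns owned by a different user namespace:    %s\n", describe(probe_join(0)));
    return 0;
}
```

Build with `cc -o setns_probe setns_probe.c` and run it as an ordinary user on a kernel that allows unprivileged user namespaces (rootless podman already depends on that): the first line should read "joined" and the second "EPERM (Operation not permitted)", the same refusal the issue shows. The point for a pod design is that the container's user namespace and the namespace owning the pod's netns must be the same (or an ancestor), which is why per-container keep-id cannot be bolted onto a pod created under the default mapping.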