specgen: honor userns=auto from containers.conf

when using the default userns value, make sure its value is parsed so that userns=auto is parsed and the options for the storage are filled. Closes: containers#12615 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe · Dec 16, 2021 · dfab5bc · dfab5bc
1 parent 424108d
commit dfab5bc
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
@@ -9,6 +9,7 @@ import (
 	cdi "github.com/container-orchestrated-devices/container-device-interface/pkg"
 	"github.com/containers/common/libimage"
 	"github.com/containers/podman/v3/libpod"
+	"github.com/containers/podman/v3/pkg/namespaces"
 	"github.com/containers/podman/v3/pkg/specgen"
 	"github.com/containers/podman/v3/pkg/util"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -96,6 +97,12 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
 			return nil, nil, nil, err
 		}
 		s.UserNS = defaultNS
+
+		mappings, err := util.ParseIDMapping(namespaces.UsernsMode(s.UserNS.NSMode), nil, nil, "", "")
+		if err != nil {
+			return nil, nil, nil, err
+		}
+		s.IDMappings = mappings
 	}
 	if s.NetNS.IsDefault() {
 		defaultNS, err := GetDefaultNamespaceMode("net", rtc, pod)

diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
@@ -52,3 +52,25 @@ function _require_crun() {
     run_podman 125 run --rm --group-add keep-groups --group-add 457 $IMAGE id
     is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container"
 }
+
+@test "podman userns=auto in config file" {
+    skip_if_remote "userns=auto is set on the server"
+
+    if is_rootless; then
+        if ! grep -q ^$(id -un) /etc/subuid; then
+           echo "there are no IDs allocated for the current user"
+        fi
+    else
+        if ! grep -q ^containers /etc/subuid; then
+           echo "there are no IDs allocated for the user 'containers'"
+        fi
+    fi
+
+    cat > $PODMAN_TMPDIR/userns_auto.conf <<EOF
+[containers]
+userns="auto"
+EOF
+    # check that it is running in a user namespace by verifying 4294967295 (the maximum number of IDs) is not present
+    # in the mappings file.
+    CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 1 run --rm $IMAGE grep -v 4294967295 /proc/self/uid_map
+}