summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorcdoern <cdoern@redhat.com>2022-01-13 10:43:24 -0500
committercdoern <cdoern@redhat.com>2022-01-13 14:03:51 -0500
commit6996830104afca5926daecc05d9154a0a9eb274d (patch)
tree006755309d1dfd265411390c08f1ddc9900cc76a
parente98058a3cf4f5ba4cd2d37dfdb2a0951b9aa9730 (diff)
downloadpodman-6996830104afca5926daecc05d9154a0a9eb274d.tar.gz
podman-6996830104afca5926daecc05d9154a0a9eb274d.tar.bz2
podman-6996830104afca5926daecc05d9154a0a9eb274d.zip
Prohibit --uid/gid map and --pod for container create/run
add a check in namespaceOptions() that ensures the user is not setting a new uid/gid map if entering or creating a pod that has an infra container resolves #12669 Signed-off-by: cdoern <cdoern@redhat.com>
-rw-r--r--docs/source/markdown/podman-create.1.md3
-rw-r--r--docs/source/markdown/podman-run.1.md4
-rw-r--r--pkg/specgen/generate/namespaces.go10
-rw-r--r--test/e2e/create_test.go13
4 files changed, 28 insertions, 2 deletions
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index e3647b194..dd79a8d74 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -365,6 +365,8 @@ GID map for the user namespace. Using this flag will run the container with user
The following example maps uids 0-2000 in the container to the uids 30000-31999 on the host and gids 0-2000 in the container to the gids 30000-31999 on the host. `--gidmap=0:30000:2000`
+Note: the **--gidmap** flag cannot be called in conjunction with the **--pod** flag as a gidmap cannot be set on the container level when in a pod.
+
#### **--group-add**=*group|keep-groups*
Add additional groups to assign to primary user running within the container process.
@@ -1166,6 +1168,7 @@ Even if a user does not have any subordinate UIDs in _/etc/subuid_,
**--uidmap** could still be used to map the normal UID of the user to a
container UID by running `podman create --uidmap $container_uid:0:1 --user $container_uid ...`.
+Note: the **--uidmap** flag cannot be called in conjunction with the **--pod** flag as a uidmap cannot be set on the container level when in a pod.
#### **--ulimit**=*option*
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index b98e563ef..80652fcdf 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -407,6 +407,8 @@ Meaning **groupname** is initially mapped to gid **100000** which is referenced
above: The group **groupname** is mapped to group **100000** of the initial namespace then the
**30000**st id of this namespace (which is gid 130000 in this namespace) is mapped to container namespace group id **0**. (groupname -> 100000 / 30000 -> 0)
+Note: the **--gidmap** flag cannot be called in conjunction with the **--pod** flag as a gidmap cannot be set on the container level when in a pod.
+
#### **--group-add**=*group|keep-groups*
Add additional groups to assign to primary user running within the container process.
@@ -1241,6 +1243,8 @@ Even if a user does not have any subordinate UIDs in _/etc/subuid_,
**--uidmap** could still be used to map the normal UID of the user to a
container UID by running `podman run --uidmap $container_uid:0:1 --user $container_uid ...`.
+Note: the **--uidmap** flag cannot be called in conjunction with the **--pod** flag as a uidmap cannot be set on the container level when in a pod.
+
#### **--ulimit**=*option*
Ulimit options. You can use **host** to copy the current configuration from the host.
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index a2bc37e34..9d4c47cc3 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -193,8 +193,14 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
// This wipes the UserNS settings that get set from the infra container
// when we are inheritting from the pod. So only apply this if the container
// is not being created in a pod.
- if s.IDMappings != nil && pod == nil {
- toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
+ if s.IDMappings != nil {
+ if pod == nil {
+ toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
+ } else {
+ if pod.HasInfraContainer() && (len(s.IDMappings.UIDMap) > 0 || len(s.IDMappings.GIDMap) > 0) {
+ return nil, errors.Wrapf(define.ErrInvalidArg, "cannot specify a new uid/gid map when entering a pod with an infra container")
+ }
+ }
}
if s.User != "" {
toReturn = append(toReturn, libpod.WithUser(s.User))
diff --git a/test/e2e/create_test.go b/test/e2e/create_test.go
index 9126303cd..a482c0068 100644
--- a/test/e2e/create_test.go
+++ b/test/e2e/create_test.go
@@ -693,4 +693,17 @@ var _ = Describe("Podman create", func() {
Expect(idata[0].Os).To(Equal(runtime.GOOS))
Expect(idata[0].Architecture).To(Equal("arm64"))
})
+
+ It("podman create --uid/gidmap --pod conflict test", func() {
+ create := podmanTest.Podman([]string{"create", "--uidmap", "0:1000:1000", "--pod", "new:testing123", ALPINE})
+ create.WaitWithDefaultTimeout()
+ Expect(create).ShouldNot(Exit(0))
+ Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+
+ create = podmanTest.Podman([]string{"create", "--gidmap", "0:1000:1000", "--pod", "new:testing1234", ALPINE})
+ create.WaitWithDefaultTimeout()
+ Expect(create).ShouldNot(Exit(0))
+ Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+
+ })
})