libpod: change mountpoint ownership c.Root when using overlay on top of external rootfs

Allow chainging ownership of mountpoint created on top external overlay
rootfs to support use-cases when custom --uidmap and --gidmap are
specified.

Signed-off-by: Aditya Rajan <arajan@redhat.com>

2 files changed, 33 insertions, 2 deletions

diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 4e8074840..bfed94990 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -17,12 +17,14 @@ import (
 	"github.com/containers/buildah/copier"
 	"github.com/containers/buildah/pkg/overlay"
 	butil "github.com/containers/buildah/util"
+	"github.com/containers/common/pkg/chown"
 	"github.com/containers/podman/v3/libpod/define"
 	"github.com/containers/podman/v3/libpod/events"
 	"github.com/containers/podman/v3/pkg/cgroups"
 	"github.com/containers/podman/v3/pkg/ctime"
 	"github.com/containers/podman/v3/pkg/hooks"
 	"github.com/containers/podman/v3/pkg/hooks/exec"
+	"github.com/containers/podman/v3/pkg/lookup"
 	"github.com/containers/podman/v3/pkg/rootless"
 	"github.com/containers/podman/v3/pkg/selinux"
 	"github.com/containers/podman/v3/pkg/util"
@@ -485,8 +487,12 @@ func (c *Container) setupStorage(ctx context.Context) error {
 		return errors.Wrapf(err, "error creating container storage")
 	}
 
-	c.config.IDMappings.UIDMap = containerInfo.UIDMap
-	c.config.IDMappings.GIDMap = containerInfo.GIDMap
+	// only reconfig IDMappings if layer was mounted from storage
+	// if its a external overlay do not reset IDmappings
+	if !c.config.RootfsOverlay {
+		c.config.IDMappings.UIDMap = containerInfo.UIDMap
+		c.config.IDMappings.GIDMap = containerInfo.GIDMap
+	}
 
 	processLabel, err := c.processLabel(containerInfo.ProcessLabel)
 	if err != nil {
@@ -1515,6 +1521,19 @@ func (c *Container) mountStorage() (_ string, deferredErr error) {
 		}
 
 		mountPoint = overlayMount.Source
+		execUser, err := lookup.GetUserGroupInfo(mountPoint, c.config.User, nil)
+		if err != nil {
+			return "", err
+		}
+		hostUID, hostGID, err := butil.GetHostIDs(util.IDtoolsToRuntimeSpec(c.config.IDMappings.UIDMap), util.IDtoolsToRuntimeSpec(c.config.IDMappings.GIDMap), uint32(execUser.Uid), uint32(execUser.Gid))
+		if err != nil {
+			return "", errors.Wrap(err, "unable to get host UID and host GID")
+		}
+
+		//note: this should not be recursive, if using external rootfs users should be responsible on configuring ownership.
+		if err := chown.ChangeHostPathOwnership(mountPoint, false, int(hostUID), int(hostGID)); err != nil {
+			return "", err
+		}
 	}
 
 	if mountPoint == "" {
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index f40d4a749..8502879ff 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -259,6 +259,18 @@ var _ = Describe("Podman run", func() {
 		startsession.WaitWithDefaultTimeout()
 		Expect(startsession).Should(Exit(0))
 		Expect(startsession.OutputToString()).To(Equal("hello"))
+
+		// remove container for above test overlay-foo
+		osession = podmanTest.Podman([]string{"rm", "overlay-foo"})
+		osession.WaitWithDefaultTimeout()
+		Expect(osession).Should(Exit(0))
+
+		// Test --rootfs with an external overlay with --uidmap
+		osession = podmanTest.Podman([]string{"run", "--uidmap", "0:1000:1000", "--rm", "--security-opt", "label=disable",
+			"--rootfs", rootfs + ":O", "echo", "hello"})
+		osession.WaitWithDefaultTimeout()
+		Expect(osession).Should(Exit(0))
+		Expect(osession.OutputToString()).To(Equal("hello"))
 	})
 
 	It("podman run a container with --init", func() {