podman: add uid and gid options to keep-id

add two new options to the keep-id user namespace option:

- uid: allow to override the UID used inside the container.
- gid: allow to override the GID used inside the container.

For example, the following command will map the rootless user (that
has UID=0 inside the rootless user namespace) to the UID=11 inside the
container user namespace:

$ podman run --userns=keep-id:uid=11 --rm -ti  fedora cat /proc/self/uid_map
         0          1         11
        11          0          1
        12         12      65525

Closes: https://github.com/containers/podman/issues/15294

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

3 files changed, 15 insertions, 0 deletions

diff --git a/docs/source/markdown/podman-create.1.md.in b/docs/source/markdown/podman-create.1.md.in
index 276c545d9..045c91897 100644
--- a/docs/source/markdown/podman-create.1.md.in
+++ b/docs/source/markdown/podman-create.1.md.in
@@ -687,6 +687,11 @@ Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinat
 
 **keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user.
 
+  Valid `keep-id` options:
+
+  - *uid*=UID: override the UID inside the container that will be used to map the current rootless user to.
+  - *gid*=GID: override the GID inside the container that will be used to map the current rootless user to.
+
 **nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
 
 **ns:**_namespace_: run the container in the given existing user namespace.
diff --git a/docs/source/markdown/podman-kube-play.1.md.in b/docs/source/markdown/podman-kube-play.1.md.in
index f0b404057..f2b183846 100644
--- a/docs/source/markdown/podman-kube-play.1.md.in
+++ b/docs/source/markdown/podman-kube-play.1.md.in
@@ -260,6 +260,11 @@ Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinat
 
 **keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user.
 
+  Valid `keep-id` options:
+
+  - *uid*=UID: override the UID inside the container that will be used to map the current rootless user to.
+  - *gid*=GID: override the GID inside the container that will be used to map the current rootless user to.
+
 **nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
 
 **ns:**_namespace_: run the pod in the given existing user namespace.
diff --git a/docs/source/markdown/podman-run.1.md.in b/docs/source/markdown/podman-run.1.md.in
index 0896dc412..e4e1db794 100644
--- a/docs/source/markdown/podman-run.1.md.in
+++ b/docs/source/markdown/podman-run.1.md.in
@@ -745,6 +745,11 @@ The rootless option `--userns=keep-id` uses all the subuids and subgids of the u
 
 **keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user.
 
+  Valid `keep-id` options:
+
+  - *uid*=UID: override the UID inside the container that will be used to map the current rootless user to.
+  - *gid*=GID: override the GID inside the container that will be used to map the current rootless user to.
+
 **nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
 
 **ns:**_namespace_: run the container in the given existing user namespace.