podman: support --userns=ns|container

allow to join the user namespace of another container.

Closes: https://github.com/containers/libpod/issues/3629

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

2 files changed, 6 insertions, 0 deletions

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 6e775cd28..afcf51a11 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -318,6 +318,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 		if err := c.addNamespaceContainer(&g, UserNS, c.config.UserNsCtr, spec.UserNamespace); err != nil {
 			return nil, err
 		}
+		if len(g.Config.Linux.UIDMappings) == 0 {
+			// runc complains if no mapping is specified, even if we join another ns.  So provide a dummy mapping
+			g.AddLinuxUIDMapping(uint32(0), uint32(0), uint32(1))
+			g.AddLinuxGIDMapping(uint32(0), uint32(0), uint32(1))
+		}
 	}
 	if c.config.UTSNsCtr != "" {
 		if err := c.addNamespaceContainer(&g, UTSNS, c.config.UTSNsCtr, spec.UTSNamespace); err != nil {
diff --git a/libpod/options.go b/libpod/options.go
index 8d41764a9..81d3aa64f 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -847,6 +847,7 @@ func WithUserNSFrom(nsCtr *Container) CtrCreateOption {
 		}
 
 		ctr.config.UserNsCtr = nsCtr.ID()
+		ctr.config.IDMappings = nsCtr.config.IDMappings
 
 		return nil
 	}