podman: add uid and gid options to keep-id

add two new options to the keep-id user namespace option: - uid: allow to override the UID used inside the container. - gid: allow to override the GID used inside the container. For example, the following command will map the rootless user (that has UID=0 inside the rootless user namespace) to the UID=11 inside the container user namespace: $ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map 0 1 11 11 0 1 12 12 65525 Closes: https://github.com/containers/podman/issues/15294 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
author: Giuseppe Scrivano <gscrivan@redhat.com> 2022-08-19 15:15:47 +0200
committer: Giuseppe Scrivano <gscrivan@redhat.com> 2022-08-30 14:39:27 +0200
commit: e015c9e3f74153ef069bfbb013e715766e793bf9 (patch)
tree: 6e42fa726031624ff134e6320f8270eee00d6afb /pkg/specgen/generate
parent: cd626060462e0262bf234a7565cad73852d7f884 (diff)
download: podman-e015c9e3f74153ef069bfbb013e715766e793bf9.tar.gz
podman-e015c9e3f74153ef069bfbb013e715766e793bf9.tar.bz2
podman-e015c9e3f74153ef069bfbb013e715766e793bf9.zip
1 files changed, 9 insertions, 2 deletions
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index f0d4e9153..e27a3abac 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -11,6 +11,7 @@ import (
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/podman/v4/libpod"
 	"github.com/containers/podman/v4/libpod/define"
+	"github.com/containers/podman/v4/pkg/namespaces"
 	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/podman/v4/pkg/specgen"
 	"github.com/containers/podman/v4/pkg/util"
@@ -198,12 +199,18 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod.
 		if !rootless.IsRootless() {
 			return nil, errors.New("keep-id is only supported in rootless mode")
 		}
-		toReturn = append(toReturn, libpod.WithAddCurrentUserPasswdEntry())
+		opts, err := namespaces.UsernsMode(s.UserNS.String()).GetKeepIDOptions()
+		if err != nil {
+			return nil, err
+		}
+		if opts.UID == nil && opts.GID == nil {
+			toReturn = append(toReturn, libpod.WithAddCurrentUserPasswdEntry())
+		}
 
 		// If user is not overridden, set user in the container
 		// to user running Podman.
 		if s.User == "" {
-			_, uid, gid, err := util.GetKeepIDMapping()
+			_, uid, gid, err := util.GetKeepIDMapping(opts)
 			if err != nil {
 				return nil, err
 			}
author	Giuseppe Scrivano <gscrivan@redhat.com>	2022-08-19 15:15:47 +0200
committer	Giuseppe Scrivano <gscrivan@redhat.com>	2022-08-30 14:39:27 +0200
commit	e015c9e3f74153ef069bfbb013e715766e793bf9 (patch)
tree	6e42fa726031624ff134e6320f8270eee00d6afb /pkg/specgen/generate
parent	cd626060462e0262bf234a7565cad73852d7f884 (diff)
download	podman-e015c9e3f74153ef069bfbb013e715766e793bf9.tar.gz podman-e015c9e3f74153ef069bfbb013e715766e793bf9.tar.bz2 podman-e015c9e3f74153ef069bfbb013e715766e793bf9.zip