3 files changed, 25 insertions, 44 deletions
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index fb7eb99a2..d6d479c67 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -303,6 +303,8 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 	if opts.NetNSIsHost {
 		s.NetNS.NSMode = specgen.Host
 	}
+	// Always set the userns to host since k8s doesn't have support for userns yet
+	s.UserNS.NSMode = specgen.Host
 
 	// Add labels that come from kube
 	if len(s.Labels) == 0 {
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index f41186ae4..1d7373093 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -175,6 +175,11 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 		if pod == nil || infraCtr == nil {
 			return nil, errNoInfra
 		}
+		// Inherit the user from the infra container if it is set and --user has not
+		// been set explicitly
+		if infraCtr.User() != "" && s.User == "" {
+			toReturn = append(toReturn, libpod.WithUser(infraCtr.User()))
+		}
 		toReturn = append(toReturn, libpod.WithUserNSFrom(infraCtr))
 	case specgen.FromContainer:
 		userCtr, err := rt.LookupContainer(s.UserNS.Value)
@@ -184,7 +189,10 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 		toReturn = append(toReturn, libpod.WithUserNSFrom(userCtr))
 	}
 
-	if s.IDMappings != nil {
+	// This wipes the UserNS settings that get set from the infra container
+	// when we are inheritting from the pod. So only apply this if the container
+	// is not being created in a pod.
+	if s.IDMappings != nil && pod == nil {
 		toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
 	}
 	if s.User != "" {
@@ -379,46 +387,8 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 	}
 
 	// User
-	switch s.UserNS.NSMode {
-	case specgen.Path:
-		if _, err := os.Stat(s.UserNS.Value); err != nil {
-			return errors.Wrap(err, "cannot find specified user namespace path")
-		}
-		if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), s.UserNS.Value); err != nil {
-			return err
-		}
-		// runc complains if no mapping is specified, even if we join another ns.  So provide a dummy mapping
-		g.AddLinuxUIDMapping(uint32(0), uint32(0), uint32(1))
-		g.AddLinuxGIDMapping(uint32(0), uint32(0), uint32(1))
-	case specgen.Host:
-		if err := g.RemoveLinuxNamespace(string(spec.UserNamespace)); err != nil {
-			return err
-		}
-	case specgen.KeepID:
-		var (
-			err      error
-			uid, gid int
-		)
-		s.IDMappings, uid, gid, err = util.GetKeepIDMapping()
-		if err != nil {
-			return err
-		}
-		g.SetProcessUID(uint32(uid))
-		g.SetProcessGID(uint32(gid))
-		fallthrough
-	case specgen.Private:
-		if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
-			return err
-		}
-		if s.IDMappings == nil || (len(s.IDMappings.UIDMap) == 0 && len(s.IDMappings.GIDMap) == 0) {
-			return errors.Errorf("must provide at least one UID or GID mapping to configure a user namespace")
-		}
-		for _, uidmap := range s.IDMappings.UIDMap {
-			g.AddLinuxUIDMapping(uint32(uidmap.HostID), uint32(uidmap.ContainerID), uint32(uidmap.Size))
-		}
-		for _, gidmap := range s.IDMappings.GIDMap {
-			g.AddLinuxGIDMapping(uint32(gidmap.HostID), uint32(gidmap.ContainerID), uint32(gidmap.Size))
-		}
+	if _, err := specgen.SetupUserNS(s.IDMappings, s.UserNS, g); err != nil {
+		return err
 	}
 
 	// Cgroup
@@ -474,7 +444,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
 // GetNamespaceOptions transforms a slice of kernel namespaces
 // into a slice of pod create options. Currently, not all
 // kernel namespaces are supported, and they will be returned in an error
-func GetNamespaceOptions(ns []string) ([]libpod.PodCreateOption, error) {
+func GetNamespaceOptions(ns []string, netnsIsHost bool) ([]libpod.PodCreateOption, error) {
 	var options []libpod.PodCreateOption
 	var erroredOptions []libpod.PodCreateOption
 	if ns == nil {
@@ -486,7 +456,10 @@ func GetNamespaceOptions(ns []string) ([]libpod.PodCreateOption, error) {
 		case "cgroup":
 			options = append(options, libpod.WithPodCgroups())
 		case "net":
-			options = append(options, libpod.WithPodNet())
+			// share the netns setting with other containers in the pod only when it is not set to host
+			if !netnsIsHost {
+				options = append(options, libpod.WithPodNet())
+			}
 		case "mnt":
 			return erroredOptions, errors.Errorf("Mount sharing functionality not supported on pod level")
 		case "pid":
diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go
index aab29499e..426cf1b6d 100644
--- a/pkg/specgen/generate/pod_create.go
+++ b/pkg/specgen/generate/pod_create.go
@@ -27,11 +27,16 @@ func createPodOptions(p *specgen.PodSpecGenerator, rt *libpod.Runtime) ([]libpod
 	)
 	if !p.NoInfra {
 		options = append(options, libpod.WithInfraContainer())
-		nsOptions, err := GetNamespaceOptions(p.SharedNamespaces)
+		nsOptions, err := GetNamespaceOptions(p.SharedNamespaces, p.NetNS.IsHost())
 		if err != nil {
 			return nil, err
 		}
 		options = append(options, nsOptions...)
+		// Use pod user and infra userns only when --userns is not set to host
+		if !p.Userns.IsHost() {
+			options = append(options, libpod.WithPodUser())
+			options = append(options, libpod.WithPodUserns(p.Userns))
+		}
 
 		// Make our exit command
 		storageConfig := rt.StorageConfig()
@@ -154,5 +159,6 @@ func createPodOptions(p *specgen.PodSpecGenerator, rt *libpod.Runtime) ([]libpod
 	if len(p.InfraConmonPidFile) > 0 {
 		options = append(options, libpod.WithInfraConmonPidFile(p.InfraConmonPidFile))
 	}
+
 	return options, nil
 }