2 files changed, 23 insertions, 3 deletions

diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index f0d4e9153..e27a3abac 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -11,6 +11,7 @@ import (
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/podman/v4/libpod"
 	"github.com/containers/podman/v4/libpod/define"
+	"github.com/containers/podman/v4/pkg/namespaces"
 	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/podman/v4/pkg/specgen"
 	"github.com/containers/podman/v4/pkg/util"
@@ -198,12 +199,18 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod.
 		if !rootless.IsRootless() {
 			return nil, errors.New("keep-id is only supported in rootless mode")
 		}
-		toReturn = append(toReturn, libpod.WithAddCurrentUserPasswdEntry())
+		opts, err := namespaces.UsernsMode(s.UserNS.String()).GetKeepIDOptions()
+		if err != nil {
+			return nil, err
+		}
+		if opts.UID == nil && opts.GID == nil {
+			toReturn = append(toReturn, libpod.WithAddCurrentUserPasswdEntry())
+		}
 
 		// If user is not overridden, set user in the container
 		// to user running Podman.
 		if s.User == "" {
-			_, uid, gid, err := util.GetKeepIDMapping()
+			_, uid, gid, err := util.GetKeepIDMapping(opts)
 			if err != nil {
 				return nil, err
 			}
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index 03a2049f6..8cc0fe6a9 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -11,6 +11,7 @@ import (
 	"github.com/containers/common/pkg/cgroups"
 	cutil "github.com/containers/common/pkg/util"
 	"github.com/containers/podman/v4/libpod/define"
+	"github.com/containers/podman/v4/pkg/namespaces"
 	"github.com/containers/podman/v4/pkg/util"
 	"github.com/containers/storage"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -308,6 +309,14 @@ func ParseUserNamespace(ns string) (Namespace, error) {
 	case ns == "keep-id":
 		toReturn.NSMode = KeepID
 		return toReturn, nil
+	case strings.HasPrefix(ns, "keep-id:"):
+		split := strings.SplitN(ns, ":", 2)
+		if len(split) != 2 {
+			return toReturn, errors.New("invalid setting for keep-id: mode")
+		}
+		toReturn.NSMode = KeepID
+		toReturn.Value = split[1]
+		return toReturn, nil
 	case ns == "nomap":
 		toReturn.NSMode = NoMap
 		return toReturn, nil
@@ -490,7 +499,11 @@ func SetupUserNS(idmappings *storage.IDMappingOptions, userns Namespace, g *gene
 			return user, err
 		}
 	case KeepID:
-		mappings, uid, gid, err := util.GetKeepIDMapping()
+		opts, err := namespaces.UsernsMode(userns.String()).GetKeepIDOptions()
+		if err != nil {
+			return user, err
+		}
+		mappings, uid, gid, err := util.GetKeepIDMapping(opts)
 		if err != nil {
 			return user, err
 		}