Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/spec/spec.go | 34 | ||||
-rw-r--r-- | pkg/util/utils.go | 44 |
2 files changed, 54 insertions, 24 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 46105af4a..76b8963ff 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -9,6 +9,7 @@ import (
 	"github.com/containers/storage/pkg/mount"
 	"github.com/docker/docker/daemon/caps"
 	"github.com/docker/go-units"
+	"github.com/opencontainers/runc/libcontainer/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/pkg/errors"
@@ -45,6 +46,18 @@ func supercedeUserMounts(mounts []spec.Mount, configMount []spec.Mount) []spec.M
 	return configMount
 }
 
+func getAvailableGids() (int64, error) {
+	idMap, err := user.ParseIDMapFile("/proc/self/gid_map")
+	if err != nil {
+		return 0, err
+	}
+	count := int64(0)
+	for _, r := range idMap {
+		count += r.Count
+	}
+	return count, nil
+}
+
 // CreateConfigToOCISpec parses information needed to create a container into an OCI runtime spec
 func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 	cgroupPerm := "ro"
@@ -91,14 +104,21 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 		g.AddMount(sysMnt)
 	}
 	if isRootless {
-		g.RemoveMount("/dev/pts")
-		devPts := spec.Mount{
-			Destination: "/dev/pts",
-			Type: "devpts",
-			Source: "devpts",
-			Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+		nGids, err := getAvailableGids()
+		if err != nil {
+			return nil, err
+		}
+		if nGids < 5 {
+			// If we have no GID mappings, the gid=5 default option would fail, so drop it.
+			g.RemoveMount("/dev/pts")
+			devPts := spec.Mount{
+				Destination: "/dev/pts",
+				Type: "devpts",
+				Source: "devpts",
+				Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+			}
+			g.AddMount(devPts)
 		}
-		g.AddMount(devPts)
 	}
 	if inUserNS && config.IpcMode.IsHost() {
 		g.RemoveMount("/dev/mqueue")
diff --git a/pkg/util/utils.go b/pkg/util/utils.go
index e0b94b011..52f431881 100644
--- a/pkg/util/utils.go
+++ b/pkg/util/utils.go
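Review bot: Summing `r.Count` over every gid_map range in getAvailableGids tells you how many GIDs are mapped, not whether container GID 5 is among them, so the `nGids < 5` test in the `if isRootless` hunk below can pass on a map whose ranges start above 5 while the default `gid=5` devpts option still fails. A constructed map of `0 1000 1` plus `100 101000 10` has eleven entries and no GID 5. Checking the range directly is one line inside the loop, `if r.ID <= 5 && 5 < r.ID+r.Count { ... }` (IDMap's in-namespace start field in libcontainer/user; confirm the field name), or, if the count is kept, the helper should say what it measures: `// getAvailableGids returns the total number of GIDs mapped into the current user namespace, read from /proc/self/gid_map.` The parse error is returned bare although the file imports pkg/errors; `return 0, errors.Wrap(err, "parsing /proc/self/gid_map")` keeps the failing call identifiable. CreateConfigToOCISpec starts and ends outside the hunk.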
@@ -301,36 +301,36 @@ func getTomlStorage(storeOptions *storage.StoreOptions) *tomlConfig {
 // for the volume API
 // It also returns the path where all named volumes will be created using the volume API
 func GetDefaultStoreOptions() (storage.StoreOptions, string, error) {
+	var (
+		defaultRootlessRunRoot string
+		defaultRootlessGraphRoot string
+		err error
+	)
 	storageOpts := storage.DefaultStoreOptions
 	volumePath := "/var/lib/containers/storage"
+
 	if rootless.IsRootless() {
-		var err error
 		storageOpts, err = GetRootlessStorageOpts()
 		if err != nil {
 			return storageOpts, volumePath, err
 		}
+
 		volumePath, err = GetRootlessVolumeInfo()
 		if err != nil {
 			return storageOpts, volumePath, err
 		}
+	}
 
-		storageConf := StorageConfigFile()
-		if _, err := os.Stat(storageConf); err == nil {
-			defaultRootlessRunRoot := storageOpts.RunRoot
-			defaultRootlessGraphRoot := storageOpts.GraphRoot
-			storageOpts = storage.StoreOptions{}
-			storage.ReloadConfigurationFile(storageConf, &storageOpts)
+	storageConf := StorageConfigFile()
+	if _, err = os.Stat(storageConf); err == nil {
+		defaultRootlessRunRoot = storageOpts.RunRoot
+		defaultRootlessGraphRoot = storageOpts.GraphRoot
+		storageOpts = storage.StoreOptions{}
+		storage.ReloadConfigurationFile(storageConf, &storageOpts)
+	}
 
-			// If the file did not specify a graphroot or runroot,
-			// set sane defaults so we don't try and use root-owned
-			// directories
-			if storageOpts.RunRoot == "" {
-				storageOpts.RunRoot = defaultRootlessRunRoot
-			}
-			if storageOpts.GraphRoot == "" {
-				storageOpts.GraphRoot = defaultRootlessGraphRoot
-			}
-		} else if os.IsNotExist(err) {
+	if rootless.IsRootless() {
+		if os.IsNotExist(err) {
 			os.MkdirAll(filepath.Dir(storageConf), 0755)
 			file, err := os.OpenFile(storageConf, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
 			if err != nil {
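Review bot: The branch taken at the bottom of the hunk depends on `err` still holding the result of `os.Stat(storageConf)` from the block above, and a Stat failure that is neither nil nor not-exist (a permission error on the config file, say) matches no branch and falls through to the function's final `return storageOpts, volumePath, nil`, so an unreadable storage.conf is silently ignored; the old code had the same gap and the commit keeps it. Reporting it is one line on the reload block: `} else if !os.IsNotExist(err) { return storageOpts, volumePath, err }`. Carrying `err` between two separate `if rootless.IsRootless()` blocks is also why `defaultRootlessRunRoot`/`defaultRootlessGraphRoot` are now filled in the root path under a rootless name; a comment such as `// values captured before the config file is reloaded; restored below if the file leaves them unset` would make the hand-off readable. GetDefaultStoreOptions continues past the hunk.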
@@ -343,6 +343,16 @@ func GetDefaultStoreOptions() (storage.StoreOptions, string, error) {
 			if err := enc.Encode(tomlConfiguration); err != nil {
 				os.Remove(storageConf)
 			}
+		} else if err == nil {
+			// If the file did not specify a graphroot or runroot,
+			// set sane defaults so we don't try and use root-owned
+			// directories
+			if storageOpts.RunRoot == "" {
+				storageOpts.RunRoot = defaultRootlessRunRoot
+			}
+			if storageOpts.GraphRoot == "" {
+				storageOpts.GraphRoot = defaultRootlessGraphRoot
+			}
 		}
 	}
 	return storageOpts, volumePath, nil
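Review bot: The runroot/graphroot fallback added here runs only inside `if rootless.IsRootless()`, yet the previous hunk now loads the config file unconditionally, so as root a storage.conf that omits `graphroot` or `runroot` leaves `storageOpts.GraphRoot`/`RunRoot` empty after `storageOpts = storage.StoreOptions{}` is reloaded, with no error to signal it. Because `defaultRootlessRunRoot` and `defaultRootlessGraphRoot` now capture the pre-reload values in both modes, the two `== ""` checks can move directly after the reload block in the previous hunk and apply in both modes; that is a move of these lines, not new code. Whether StorageConfigFile() resolves to a system-wide path when running as root is not visible in this diff, so the exposure is inferred. The enclosing function starts before this hunk.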