From 221b1add74e17ded10e8f2f832a53065578aa264 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 1 Dec 2020 16:23:40 -0500
Subject: Add support for pod inside of user namespace.

Add the --userns flag to podman pod create and keep track of the userns setting that pod was created with so that all containers created within the pod will inherit that userns setting. Specifically we need to be able to launch a pod with --userns=keep-id

Signed-off-by: Daniel J Walsh
Signed-off-by: Urvashi Mohnani
---
 cmd/podman/containers/create.go | 10 ++++++++++
 cmd/podman/pods/create.go | 10 ++++++++++
 2 files changed, 20 insertions(+)
(limited to 'cmd')
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index 895736144..906ae4452 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@@ -184,6 +184,9 @@ func createInit(c *cobra.Command) error {
 	if c.Flag("cpu-quota").Changed && c.Flag("cpus").Changed {
 		return errors.Errorf("--cpu-quota and --cpus cannot be set together")
 	}
+	if c.Flag("pod").Changed && !strings.HasPrefix(c.Flag("pod").Value.String(), "new:") && c.Flag("userns").Changed {
+		return errors.Errorf("--userns and --pod cannot be set together")
+	}
 
 	noHosts, err := c.Flags().GetBool("no-hosts")
 	if err != nil {
@@ -309,6 +312,12 @@ func createPodIfNecessary(s *specgen.SpecGenerator, netOpts *entities.NetOptions
 	if len(podName) < 1 {
 		return nil, errors.Errorf("new pod name must be at least one character")
 	}
+
+	userns, err := specgen.ParseUserNamespace(cliVals.UserNS)
+	if err != nil {
+		return nil, err
+	}
+
 	createOptions := entities.PodCreateOptions{
 		Name: podName,
 		Infra: true,
@@ -318,6 +327,7 @@ func createPodIfNecessary(s *specgen.SpecGenerator, netOpts *entities.NetOptions
 		Cpus: cliVals.CPUS,
 		CpusetCpus: cliVals.CPUSetCPUs,
 		Pid: cliVals.PID,
+		Userns: userns,
 	}
 	// Unset config values we passed to the pod to prevent them being used twice for the container and pod.
 	s.ContainerBasicConfig.Hostname = ""
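Review bot: The new guard in createInit only rejects --userns together with an existing --pod when the userns flag was passed explicitly (`c.Flag("userns").Changed`), so a value that arrives through the flag's default is not caught. The pod-side flag added in this same patch defaults to os.Getenv("PODMAN_USERNS"); if the container's --userns flag takes its default from the same variable (its registration is not in this diff), a user with that variable exported who runs `--pod <existing-pod>` passes the check and still submits a user-namespace request alongside the pod join, which is exactly the combination the error message declares unsupported. Testing the value rather than the Changed bit closes that gap: `if c.Flag("pod").Changed && !strings.HasPrefix(c.Flag("pod").Value.String(), "new:") && c.Flag("userns").Value.String() != "" {`; if that is considered too strict for an env-supplied default, the alternative is to clear the container's requested userns when joining an existing pod, with a comment saying so. createInit begins and continues outside the hunk.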
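Review bot: The ParseUserNamespace error in createPodIfNecessary is returned bare, so an invalid --userns value surfaces with whatever text specgen produces and without naming the flag or the offending input; the parse added to create() in cmd/podman/pods/create.go has the same gap. This file already uses pkg/errors (errors.Errorf two lines above the new code), so `return nil, errors.Wrapf(err, "parsing --userns %q", cliVals.UserNS)` gives the user that context here, and the pods/create.go site can wrap the same way if that file has the import (its import block is not in the diff). The function's signature and the rest of its body lie outside the hunk.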
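Review bot: The comment directly after the struct literal says values passed to the pod are unset so they are not applied twice, and Hostname is cleared on the next line, but the user namespace just handed to the pod via `Userns: userns` is left in place on the container spec `s`. Whether the container then gets its own mapping instead of joining the infra container's namespace depends on how the spec is reconciled further down, outside this diff, but for keep-id that would defeat the goal stated in the commit message. Either clear the user-namespace field of `s` at the same point Hostname is cleared, or add a comment explaining why it must be kept on both the pod and the container; createPodIfNecessary continues past the end of the hunk.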
diff --git a/cmd/podman/pods/create.go b/cmd/podman/pods/create.go
index abc47164b..bf5b9e350 100644
--- a/cmd/podman/pods/create.go
+++ b/cmd/podman/pods/create.go
@@ -48,6 +48,7 @@ var (
 	podIDFile string
 	replace bool
 	share string
+	userns string
 )
 
 func init() {
@@ -72,6 +73,10 @@ func init() {
 	flags.StringVar(&createOptions.CGroupParent, cgroupParentflagName, "", "Set parent cgroup for the pod")
 	_ = createCommand.RegisterFlagCompletionFunc(cgroupParentflagName, completion.AutocompleteDefault)
 
+	usernsFlagName := "userns"
+	flags.StringVar(&userns, usernsFlagName, os.Getenv("PODMAN_USERNS"), "User namespace to use")
+	_ = createCommand.RegisterFlagCompletionFunc(usernsFlagName, common.AutocompleteUserNamespace)
+
 	flags.BoolVar(&createOptions.Infra, "infra", true, "Create an infra container associated with the pod to share namespaces with")
 
 	infraConmonPidfileFlagName := "infra-conmon-pidfile"
@@ -178,6 +183,11 @@ func create(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	createOptions.Userns, err = specgen.ParseUserNamespace(userns)
+	if err != nil {
+		return err
+	}
+
 	if cmd.Flag("pod-id-file").Changed {
 		podIDFD, err = util.OpenExclusiveFile(podIDFile)
 		if err != nil && os.IsExist(err) {
-- 
cgit v1.2.3-54-g00ecf
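Review bot: The help text of the new --userns flag in init() does not mention that its default is read from the PODMAN_USERNS environment variable, so a user looking at --help cannot tell why a pod created without the flag still ends up in a user namespace. Suggest `flags.StringVar(&userns, usernsFlagName, os.Getenv("PODMAN_USERNS"), "User namespace to use (defaults to $PODMAN_USERNS)")`. Note also that an environment-supplied default leaves cmd.Flag("userns").Changed false, which matters for any caller that keys on Changed rather than on the value, and that an invalid value in the variable is only diagnosed later when create() parses it. init() continues outside the hunk.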