From 6996830104afca5926daecc05d9154a0a9eb274d Mon Sep 17 00:00:00 2001 From: cdoern Date: Thu, 13 Jan 2022 10:43:24 -0500 Subject: Prohibit --uid/gid map and --pod for container create/run add a check in namespaceOptions() that ensures the user is not setting a new uid/gid map if entering or creating a pod that has an infra container resolves #12669 Signed-off-by: cdoern --- docs/source/markdown/podman-create.1.md | 3 +++ docs/source/markdown/podman-run.1.md | 4 ++++ 2 files changed, 7 insertions(+) (limited to 'docs/source') diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index e3647b194..dd79a8d74 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -365,6 +365,8 @@ GID map for the user namespace. Using this flag will run the container with user The following example maps uids 0-2000 in the container to the uids 30000-31999 on the host and gids 0-2000 in the container to the gids 30000-31999 on the host. `--gidmap=0:30000:2000` +Note: the **--gidmap** flag cannot be called in conjunction with the **--pod** flag as a gidmap cannot be set on the container level when in a pod. + #### **--group-add**=*group|keep-groups* Add additional groups to assign to primary user running within the container process. @@ -1166,6 +1168,7 @@ Even if a user does not have any subordinate UIDs in _/etc/subuid_, **--uidmap** could still be used to map the normal UID of the user to a container UID by running `podman create --uidmap $container_uid:0:1 --user $container_uid ...`. +Note: the **--uidmap** flag cannot be called in conjunction with the **--pod** flag as a uidmap cannot be set on the container level when in a pod. #### **--ulimit**=*option* diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index b98e563ef..80652fcdf 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md 
@@ -407,6 +407,8 @@ Meaning **groupname** is initially mapped to gid **100000** which is referenced above: The group **groupname** is mapped to group **100000** of the initial namespace then the **30000**st id of this namespace (which is gid 130000 in this namespace) is mapped to container namespace group id **0**. (groupname -> 100000 / 30000 -> 0) +Note: the **--gidmap** flag cannot be called in conjunction with the **--pod** flag as a gidmap cannot be set on the container level when in a pod. + #### **--group-add**=*group|keep-groups* Add additional groups to assign to primary user running within the container process. @@ -1241,6 +1243,8 @@ Even if a user does not have any subordinate UIDs in _/etc/subuid_, **--uidmap** could still be used to map the normal UID of the user to a container UID by running `podman run --uidmap $container_uid:0:1 --user $container_uid ...`. +Note: the **--uidmap** flag cannot be called in conjunction with the **--pod** flag as a uidmap cannot be set on the container level when in a pod. + #### **--ulimit**=*option* Ulimit options. You can use **host** to copy the current configuration from the host. -- cgit v1.2.3-54-g00ecf
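Review bot: in the podman-create.1.md **--gidmap** hunk (`@@ -365,6 +365,8 @@`), the wording "cannot be called in conjunction with" is off (flags are used, not called), and the stated reason is broader than the check the commit message describes, which only rejects a new uid/gid map when the container enters or creates a pod that has an infra container. Suggest rewording so the docs match the actual restriction, for example "Note: **--gidmap** cannot be used together with **--pod**; a gidmap cannot be set at the container level for a container in a pod with an infra container." The same change applies to the three sibling notes (create **--uidmap**, run **--gidmap**, run **--uidmap**), which carry identical text.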
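Review bot: the podman-create.1.md **--uidmap** hunk (`@@ -1166,6 +1168,7 @@`) adds only one line, so the new Note sits directly above `#### **--ulimit**=*option*` with no separating blank line, unlike the other three hunks, which each add the note plus a blank line (hence their `+2`). Add the trailing blank line here too so the four insertions are consistent and the note renders as its own paragraph.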