diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index fdda4a5f3a..d3cad60f8e 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -503,9 +503,6 @@ func SetupUserNS(idmappings *storageTypes.IDMappingOptions, userns Namespace, g
 if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), userns.Value); err != nil {
 return user, err
 }
- // runc complains if no mapping is specified, even if we join another ns. So provide a dummy mapping
- g.AddLinuxUIDMapping(uint32(0), uint32(0), uint32(1))
- g.AddLinuxGIDMapping(uint32(0), uint32(0), uint32(1))
 case Host:
 if err := g.RemoveLinuxNamespace(string(spec.UserNamespace)); err != nil {
 return user, err
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
index c1f59e0e8a..b56e2c12e4 100644
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@@ -179,3 +179,30 @@ EOF
 # gid not mapped
 run_podman run --rm --uidmap 0:0:1000 --gidmap 0:1:1000 $IMAGE true
 }
+
+# bats test_tags=ci:parallel
+@test "podman --userns=ns: join existing user namespace" {
+ # Test for issue #27148: --userns=ns: should not add dummy mappings
+ local cname="userns_source_$(safename)"
+
+ run_podman run -d --name $cname \
+ --userns=keep-id \
+ $IMAGE top
+
+ run_podman inspect --format '{{.State.Pid}}' $cname
+ local pid=$output
+ local userns_path="/proc/$pid/ns/user"
+
+ run_podman exec $cname sh -c "readlink /proc/self/ns/user; echo '---'; cat /proc/self/uid_map"
+ local expected="$output"
+
+ run_podman run --rm \
+ --userns=ns:$userns_path \
+ $IMAGE \
+ sh -c "readlink /proc/self/ns/user; echo '---'; cat /proc/self/uid_map"
+ local output="$output"
+
+ assert "$expected" == "$output" "User namespace identifiers and UID mappings should match"
+
+ run_podman rm -f $cname
+}
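Review bot: The new test compares only `/proc/self/uid_map`, although the Go change in this commit drops both the UID and the GID dummy mapping, so a regression on the GID side would pass unnoticed; both `sh -c` strings could end with `cat /proc/self/uid_map /proc/self/gid_map`. `local output="$output"` re-declares the variable that `run_podman` fills in, which makes the comparison harder to follow; `local actual="$output"` followed by `assert "$expected" == "$actual" ...` reads more clearly. The final `run_podman rm -f $cname` is not reached when the assert fails, so the `top` container may be left running unless the suite's teardown removes it. The removed Go comment says the mapping existed because runc rejected a spec without one, so it is worth confirming that this test is also exercised under runc and not only under the default runtime.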