Fix user namespace validation for containers in pods

0xDVC · 0xDVC · commit 181f6ca05ec8 · 2025-10-31T14:19:01.000Z
Remove incomplete CLI validation that only checked --pod flag and missed --pod-id-file (used by quadlet). Move validation to libpod/container_validate.go to catch all cases where --userns is set with --pod. The new validation checks if container's ID mappings differ from the pod's infra container and returns a clearer error message: 'cannot set user namespace mappings that differ from pod' This addresses the issue request for a better error message that explains the kernel limitation more clearly. Fixes: #26848 Signed-off-by: 0xdvc <neilohene@gmail.com>
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
@@ -309,9 +309,8 @@ func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra
 			return vals, fmt.Errorf("the option --cgroups=%q is not supported in remote mode", vals.CgroupsMode)
 		}
 
-		if c.Flag("pod").Changed && !strings.HasPrefix(c.Flag("pod").Value.String(), "new:") && c.Flag("userns").Changed {
-			return vals, errors.New("--userns and --pod cannot be set together")
-		}
+		// Validation for --userns with --pod moved to libpod/container_validate.go
+		// to catch all cases (--pod, --pod-id-file used by quadlet, etc.)
 	}
 	if c.Flag("shm-size").Changed {
 		vals.ShmSize = c.Flag("shm-size").Value.String()
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
@@ -21,6 +21,20 @@ import (
 
 const host = "host"
 
+// userNSConflictsWithPod returns an error if the user namespace mode
+// conflicts with pod namespace sharing requirements.
+// Linux requires containers sharing network or IPC namespaces (like in a pod)
+// to use the same user namespace. Trying to use different ones will fail at the kernel level.
+func userNSConflictsWithPod(pod *libpod.Pod, mode specgen.NamespaceMode) error {
+	if pod != nil && pod.HasInfraContainer() && (pod.SharesIPC() || pod.SharesNet()) {
+		// FromPod mode is allowed - container inherits from pod
+		if mode != specgen.FromPod {
+			return fmt.Errorf("cannot set user namespace mappings that differ from pod: %w", define.ErrInvalidArg)
+		}
+	}
+	return nil
+}
+
 // Get the default namespace mode for any given namespace type.
 func GetDefaultNamespaceMode(nsType string, cfg *config.Config, pod *libpod.Pod) (specgen.Namespace, error) {
 	// The default for most is private
@@ -214,6 +228,9 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod.
 	// User
 	switch s.UserNS.NSMode {
 	case specgen.KeepID:
+		if err := userNSConflictsWithPod(pod, s.UserNS.NSMode); err != nil {
+			return nil, err
+		}
 		opts, err := namespaces.UsernsMode(s.UserNS.String()).GetKeepIDOptions()
 		if err != nil {
 			return nil, err
@@ -247,16 +264,32 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod.
 			return nil, fmt.Errorf("looking up container to share user namespace with: %w", err)
 		}
 		toReturn = append(toReturn, libpod.WithUserNSFrom(userCtr))
+	case specgen.Private:
+		if err := userNSConflictsWithPod(pod, s.UserNS.NSMode); err != nil {
+			return nil, err
+		}
+	case specgen.Auto:
+		if err := userNSConflictsWithPod(pod, s.UserNS.NSMode); err != nil {
+			return nil, err
+		}
+	case specgen.NoMap:
+		if err := userNSConflictsWithPod(pod, s.UserNS.NSMode); err != nil {
+			return nil, err
+		}
+	case specgen.Path:
+		if err := userNSConflictsWithPod(pod, s.UserNS.NSMode); err != nil {
+			return nil, err
+		}
 	}
 
 	// This wipes the UserNS settings that get set from the infra container
 	// when we are inheriting from the pod. So only apply this if the container
 	// is not being created in a pod.
-	if s.IDMappings != nil {
+	if s.IDMappings != nil && (len(s.IDMappings.UIDMap) > 0 || len(s.IDMappings.GIDMap) > 0) {
 		if pod == nil {
 			toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
-		} else if pod.HasInfraContainer() && (len(s.IDMappings.UIDMap) > 0 || len(s.IDMappings.GIDMap) > 0) {
-			return nil, fmt.Errorf("cannot specify a new uid/gid map when entering a pod with an infra container: %w", define.ErrInvalidArg)
+		} else if pod.HasInfraContainer() && (pod.SharesIPC() || pod.SharesNet()) {
+			return nil, fmt.Errorf("cannot set user namespace mappings that differ from pod: %w", define.ErrInvalidArg)
 		}
 	}
 	if s.User != "" {
diff --git a/test/e2e/create_test.go b/test/e2e/create_test.go
@@ -681,13 +681,18 @@ var _ = Describe("Podman create", func() {
 		create := podmanTest.Podman([]string{"create", "--uidmap", "0:1000:1000", "--pod", "new:testing123", ALPINE})
 		create.WaitWithDefaultTimeout()
 		Expect(create).ShouldNot(ExitCleanly())
-		Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+		Expect(create.ErrorToString()).To(ContainSubstring("cannot set user namespace mappings that differ from pod"))
+
+		cleanup := podmanTest.Podman([]string{"pod", "rm", "-f", "testing123"})
+		cleanup.WaitWithDefaultTimeout()
 
 		create = podmanTest.Podman([]string{"create", "--gidmap", "0:1000:1000", "--pod", "new:testing1234", ALPINE})
 		create.WaitWithDefaultTimeout()
 		Expect(create).ShouldNot(ExitCleanly())
-		Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+		Expect(create.ErrorToString()).To(ContainSubstring("cannot set user namespace mappings that differ from pod"))
 
+		cleanup = podmanTest.Podman([]string{"pod", "rm", "-f", "testing1234"})
+		cleanup.WaitWithDefaultTimeout()
 	})
 
 	It("podman create --chrootdirs inspection test", func() {
diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go
@@ -804,7 +804,7 @@ ENTRYPOINT ["sleep","99999"]
 		// fail if --pod and --userns set together
 		session = podmanTest.Podman([]string{"run", "--pod", podName, "--userns", "keep-id", ALPINE, "id", "-u"})
 		session.WaitWithDefaultTimeout()
-		Expect(session).Should(ExitWithError(125, "--userns and --pod cannot be set together"))
+		Expect(session).Should(ExitWithError(125, "cannot set user namespace mappings that differ from pod"))
 	})
 
 	It("podman pod create with --userns=keep-id can add users", func() {
diff --git a/test/system/620-option-conflicts.bats b/test/system/620-option-conflicts.bats
@@ -14,7 +14,6 @@ load helpers
 create,run        | --cpu-period=1 | --cpus=2               | $IMAGE
 create,run        | --cpu-quota=1  | --cpus=2               | $IMAGE
 create,run        | --no-hosts     | --add-host=foo:1.1.1.1 | $IMAGE
-create,run        | --userns=bar   | --pod=foo              | $IMAGE
 container cleanup | --all          | --exec=foo
 container cleanup | --exec=foo     | --rmi                  | foo
 "
@@ -48,6 +47,13 @@ container cleanup | --exec=foo     | --rmi                  | foo
                "podman $cmd --platform + --$opt"
         done
     done
+
+    # --userns and --pod have a different error message format
+    run_podman pod create --name userns-pod-test
+    run_podman 125 run --uidmap=0:1000:1000 --pod=userns-pod-test $IMAGE true
+    is "$output" "Error: cannot set user namespace mappings that differ from pod: invalid argument" \
+       "podman run --uidmap + --pod"
+    run_podman pod rm -f userns-pod-test
 }
 
 

Original file line number	Diff line number	Diff line change
`@@ -309,9 +309,8 @@ func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra`
`309`	`309`	`return vals, fmt.Errorf("the option --cgroups=%q is not supported in remote mode", vals.CgroupsMode)`
`310`	`310`	`}`
`311`	`311`
`312`		`- if c.Flag("pod").Changed && !strings.HasPrefix(c.Flag("pod").Value.String(), "new:") && c.Flag("userns").Changed {`
`313`		`- return vals, errors.New("--userns and --pod cannot be set together")`
`314`		`- }`
	`312`	`+ // Validation for --userns with --pod moved to libpod/container_validate.go`
	`313`	`+ // to catch all cases (--pod, --pod-id-file used by quadlet, etc.)`
`315`	`314`	`}`
`316`	`315`	`if c.Flag("shm-size").Changed {`
`317`	`316`	`vals.ShmSize = c.Flag("shm-size").Value.String()`