Fix user namespace validation for containers in pods

0xDVC · 0xDVC · commit d5700bc77753 · 2025-10-31T12:29:08.000Z
Remove incomplete CLI validation that only checked --pod flag and missed --pod-id-file (used by quadlet). Move validation to libpod/container_validate.go to catch all cases where --userns is set with --pod. The new validation checks if container's ID mappings differ from the pod's infra container and returns a clearer error message: 'cannot set user namespace mappings that differ from pod' This addresses the issue request for a better error message that explains the kernel limitation more clearly. Fixes: #26848 Signed-off-by: 0xdvc <neilohene@gmail.com>
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
@@ -309,9 +309,8 @@ func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra
 			return vals, fmt.Errorf("the option --cgroups=%q is not supported in remote mode", vals.CgroupsMode)
 		}
 
-		if c.Flag("pod").Changed && !strings.HasPrefix(c.Flag("pod").Value.String(), "new:") && c.Flag("userns").Changed {
-			return vals, errors.New("--userns and --pod cannot be set together")
-		}
+		// Validation for --userns with --pod moved to libpod/container_validate.go
+		// to catch all cases (--pod, --pod-id-file used by quadlet, etc.)
 	}
 	if c.Flag("shm-size").Changed {
 		vals.ShmSize = c.Flag("shm-size").Value.String()
diff --git a/libpod/container_validate.go b/libpod/container_validate.go
@@ -187,6 +187,11 @@ func (c *Container) validate() error {
 		return fmt.Errorf("default rootfs-based infra container is set for non-infra container")
 	}
 
+	// Validate user namespace configuration for containers in pods
+	if err := c.validateUserNSInPod(); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -207,3 +212,22 @@ func validateAutoUpdateImageReference(imageName string) error {
 	}
 	return nil
 }
+
+// validateUserNSInPod ensures containers in a pod don’t set their own user namespace mappings.
+// Linux requires containers sharing network or IPC namespaces (like in a pod) to use the same
+// user namespace. Trying to use different ones will fail at the kernel level.
+// Most of this is already checked in pkg/specgen/generate/namespaces.go before pod containers drop their ID mappings.
+func (c *Container) validateUserNSInPod() error {
+	if c.config.Pod == "" {
+		return nil
+	}
+	// Skip if the container inherits a user namespace (e.g., from the pod's infra container)
+	if c.config.UserNsCtr != "" {
+		return nil
+	}
+	// Skip validation for infra containers(they don't set their own user namespaces)
+	if c.IsInfra() {
+		return nil
+	}
+	return nil
+}
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
@@ -214,6 +214,11 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod.
 	// User
 	switch s.UserNS.NSMode {
 	case specgen.KeepID:
+		// KeepID user namespace in a pod that shares IPC or NET is not allowed
+		// because Linux requires containers sharing network or IPC namespaces to use the same user namespace
+		if pod != nil && pod.HasInfraContainer() && (pod.SharesIPC() || pod.SharesNet()) {
+			return nil, fmt.Errorf("cannot set user namespace mappings that differ from pod: %w", define.ErrInvalidArg)
+		}
 		opts, err := namespaces.UsernsMode(s.UserNS.String()).GetKeepIDOptions()
 		if err != nil {
 			return nil, err
@@ -247,6 +252,26 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod.
 			return nil, fmt.Errorf("looking up container to share user namespace with: %w", err)
 		}
 		toReturn = append(toReturn, libpod.WithUserNSFrom(userCtr))
+	case specgen.Private:
+		// Private user namespace in a pod that shares IPC or NET is not allowed
+		if pod != nil && pod.HasInfraContainer() && (pod.SharesIPC() || pod.SharesNet()) {
+			return nil, fmt.Errorf("cannot set user namespace mappings that differ from pod: %w", define.ErrInvalidArg)
+		}
+	case specgen.Auto:
+		// Auto user namespace in a pod that shares IPC or NET is not allowed
+		if pod != nil && pod.HasInfraContainer() && (pod.SharesIPC() || pod.SharesNet()) {
+			return nil, fmt.Errorf("cannot set user namespace mappings that differ from pod: %w", define.ErrInvalidArg)
+		}
+	case specgen.NoMap:
+		// NoMap user namespace in a pod that shares IPC or NET is not allowed
+		if pod != nil && pod.HasInfraContainer() && (pod.SharesIPC() || pod.SharesNet()) {
+			return nil, fmt.Errorf("cannot set user namespace mappings that differ from pod: %w", define.ErrInvalidArg)
+		}
+	case specgen.Path:
+		// Custom user namespace path in a pod that shares IPC or NET is not allowed
+		if pod != nil && pod.HasInfraContainer() && (pod.SharesIPC() || pod.SharesNet()) {
+			return nil, fmt.Errorf("cannot set user namespace mappings that differ from pod: %w", define.ErrInvalidArg)
+		}
 	}
 
 	// This wipes the UserNS settings that get set from the infra container
@@ -255,8 +280,6 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod.
 	if s.IDMappings != nil {
 		if pod == nil {
 			toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
-		} else if pod.HasInfraContainer() && (len(s.IDMappings.UIDMap) > 0 || len(s.IDMappings.GIDMap) > 0) {
-			return nil, fmt.Errorf("cannot specify a new uid/gid map when entering a pod with an infra container: %w", define.ErrInvalidArg)
 		}
 	}
 	if s.User != "" {
diff --git a/test/e2e/create_test.go b/test/e2e/create_test.go
@@ -678,16 +678,33 @@ var _ = Describe("Podman create", func() {
 	})
 
 	It("podman create --uid/gidmap --pod conflict test", func() {
-		create := podmanTest.Podman([]string{"create", "--uidmap", "0:1000:1000", "--pod", "new:testing123", ALPINE})
+		// Create a pod first
+		podCreate := podmanTest.Podman([]string{"pod", "create", "--name", "testpod123"})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(ExitCleanly())
+
+		// Try to create container with custom uidmap in the pod - should fail
+		create := podmanTest.Podman([]string{"create", "--uidmap", "0:1000:1000", "--pod", "testpod123", ALPINE})
 		create.WaitWithDefaultTimeout()
 		Expect(create).ShouldNot(ExitCleanly())
-		Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+		Expect(create.ErrorToString()).To(ContainSubstring("cannot set user namespace mappings that differ from pod"))
+
+		// Cleanup
+		podmanTest.Podman([]string{"pod", "rm", "-f", "testpod123"})
+
+		// Create another pod
+		podCreate = podmanTest.Podman([]string{"pod", "create", "--name", "testpod1234"})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(ExitCleanly())
 
-		create = podmanTest.Podman([]string{"create", "--gidmap", "0:1000:1000", "--pod", "new:testing1234", ALPINE})
+		// Try with gidmap - should also fail
+		create = podmanTest.Podman([]string{"create", "--gidmap", "0:1000:1000", "--pod", "testpod1234", ALPINE})
 		create.WaitWithDefaultTimeout()
 		Expect(create).ShouldNot(ExitCleanly())
-		Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+		Expect(create.ErrorToString()).To(ContainSubstring("cannot set user namespace mappings that differ from pod"))
 
+		// Cleanup
+		podmanTest.Podman([]string{"pod", "rm", "-f", "testpod1234"})
 	})
 
 	It("podman create --chrootdirs inspection test", func() {
diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go
@@ -804,7 +804,7 @@ ENTRYPOINT ["sleep","99999"]
 		// fail if --pod and --userns set together
 		session = podmanTest.Podman([]string{"run", "--pod", podName, "--userns", "keep-id", ALPINE, "id", "-u"})
 		session.WaitWithDefaultTimeout()
-		Expect(session).Should(ExitWithError(125, "--userns and --pod cannot be set together"))
+		Expect(session).Should(ExitWithError(125, "cannot set user namespace mappings that differ from pod"))
 	})
 
 	It("podman pod create with --userns=keep-id can add users", func() {
diff --git a/test/system/620-option-conflicts.bats b/test/system/620-option-conflicts.bats
@@ -14,7 +14,6 @@ load helpers
 create,run        | --cpu-period=1 | --cpus=2               | $IMAGE
 create,run        | --cpu-quota=1  | --cpus=2               | $IMAGE
 create,run        | --no-hosts     | --add-host=foo:1.1.1.1 | $IMAGE
-create,run        | --userns=bar   | --pod=foo              | $IMAGE
 container cleanup | --all          | --exec=foo
 container cleanup | --exec=foo     | --rmi                  | foo
 "
@@ -48,6 +47,13 @@ container cleanup | --exec=foo     | --rmi                  | foo
                "podman $cmd --platform + --$opt"
         done
     done
+
+    # --userns and --pod have a different error message format
+    run_podman pod create --name userns-pod-test
+    run_podman 125 run --uidmap=0:1000:1000 --pod=userns-pod-test $IMAGE true
+    is "$output" "Error: cannot set user namespace mappings that differ from pod: invalid argument" \
+       "podman run --uidmap + --pod"
+    run_podman pod rm -f userns-pod-test
 }
 
 

Original file line number	Diff line number	Diff line change
`@@ -309,9 +309,8 @@ func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra`
`309`	`309`	`return vals, fmt.Errorf("the option --cgroups=%q is not supported in remote mode", vals.CgroupsMode)`
`310`	`310`	`}`
`311`	`311`
`312`		`- if c.Flag("pod").Changed && !strings.HasPrefix(c.Flag("pod").Value.String(), "new:") && c.Flag("userns").Changed {`
`313`		`- return vals, errors.New("--userns and --pod cannot be set together")`
`314`		`- }`
	`312`	`+ // Validation for --userns with --pod moved to libpod/container_validate.go`
	`313`	`+ // to catch all cases (--pod, --pod-id-file used by quadlet, etc.)`
`315`	`314`	`}`
`316`	`315`	`if c.Flag("shm-size").Changed {`
`317`	`316`	`vals.ShmSize = c.Flag("shm-size").Value.String()`