Fix user namespace validation for containers in pods

Remove incomplete CLI validation that only checked --pod flag and missed
--pod-id-file (used by quadlet). Move validation to libpod/container_validate.go
to catch all cases where --userns is set with --pod.

The new validation checks if container's ID mappings differ from the pod's
infra container and returns a clearer error message:
'cannot set user namespace mappings that differ from pod'

This addresses the issue request for a better error message that explains
the kernel limitation more clearly.

Fixes: #26848
Signed-off-by: 0xdvc <neilohene@gmail.com>

Author: 0xDVC

cmd/podman/containers/create.go

@@ -309,9 +309,8 @@ func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra
 			return vals, fmt.Errorf("the option --cgroups=%q is not supported in remote mode", vals.CgroupsMode)
 		}
 
-		if c.Flag("pod").Changed && !strings.HasPrefix(c.Flag("pod").Value.String(), "new:") && c.Flag("userns").Changed {
-			return vals, errors.New("--userns and --pod cannot be set together")
-		}
+		// Validation for --userns with --pod moved to libpod/container_validate.go
+		// to catch all cases (--pod, --pod-id-file used by quadlet, etc.)
 	}
 	if c.Flag("shm-size").Changed {
 		vals.ShmSize = c.Flag("shm-size").Value.String()

libpod/container_validate.go

@@ -187,6 +187,11 @@ func (c *Container) validate() error {
 		return fmt.Errorf("default rootfs-based infra container is set for non-infra container")
 	}
 
+	// Validate user namespace configuration for containers in pods
+	if err := c.validateUserNamespaceInPod(); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -207,3 +212,51 @@ func validateAutoUpdateImageReference(imageName string) error {
 	}
 	return nil
 }
+
+func (c *Container) validateUserNamespaceInPod() error {
+	if c.config.Pod == "" {
+		return nil
+	}
+
+	if len(c.config.IDMappings.UIDMap) == 0 && len(c.config.IDMappings.GIDMap) == 0 {
+		return nil
+	}
+
+	pod, err := c.runtime.LookupPod(c.config.Pod)
+	if err != nil {
+		return fmt.Errorf("looking up pod for container: %w", err)
+	}
+
+	if !pod.HasInfraContainer() {
+		return nil
+	}
+
+	infraContainer, err := pod.infraContainer()
+	if err != nil {
+		return fmt.Errorf("getting pod infra container: %w", err)
+	}
+
+	podIDMappings := infraContainer.IDMappings()
+
+	// Check UID mappings
+	if len(c.config.IDMappings.UIDMap) != len(podIDMappings.UIDMap) {
+		return fmt.Errorf("cannot set user namespace mappings that differ from pod: %w", define.ErrInvalidArg)
+	}
+	for i := range c.config.IDMappings.UIDMap {
+		if c.config.IDMappings.UIDMap[i] != podIDMappings.UIDMap[i] {
+			return fmt.Errorf("cannot set user namespace mappings that differ from pod: %w", define.ErrInvalidArg)
+		}
+	}
+
+	// Check GID mappings
+	if len(c.config.IDMappings.GIDMap) != len(podIDMappings.GIDMap) {
+		return fmt.Errorf("cannot set user namespace mappings that differ from pod: %w", define.ErrInvalidArg)
+	}
+	for i := range c.config.IDMappings.GIDMap {
+		if c.config.IDMappings.GIDMap[i] != podIDMappings.GIDMap[i] {
+			return fmt.Errorf("cannot set user namespace mappings that differ from pod: %w", define.ErrInvalidArg)
+		}
+	}
+
+	return nil
+}

pkg/specgen/generate/namespaces.go

@@ -251,12 +251,10 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod.
 
 	// This wipes the UserNS settings that get set from the infra container
 	// when we are inheriting from the pod. So only apply this if the container
-	// is not being created in a pod.
+	// is not being created in a pod. Validation is handled in container_validate.go.
 	if s.IDMappings != nil {
 		if pod == nil {
 			toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
-		} else if pod.HasInfraContainer() && (len(s.IDMappings.UIDMap) > 0 || len(s.IDMappings.GIDMap) > 0) {
-			return nil, fmt.Errorf("cannot specify a new uid/gid map when entering a pod with an infra container: %w", define.ErrInvalidArg)
 		}
 	}
 	if s.User != "" {

test/e2e/pod_create_test.go

@@ -804,7 +804,7 @@ ENTRYPOINT ["sleep","99999"]
 		// fail if --pod and --userns set together
 		session = podmanTest.Podman([]string{"run", "--pod", podName, "--userns", "keep-id", ALPINE, "id", "-u"})
 		session.WaitWithDefaultTimeout()
-		Expect(session).Should(ExitWithError(125, "--userns and --pod cannot be set together"))
+		Expect(session).Should(ExitWithError(125, "cannot set user namespace mappings that differ from pod"))
 	})
 
 	It("podman pod create with --userns=keep-id can add users", func() {

test/system/620-option-conflicts.bats

@@ -14,7 +14,6 @@ load helpers
 create,run        | --cpu-period=1 | --cpus=2               | $IMAGE
 create,run        | --cpu-quota=1  | --cpus=2               | $IMAGE
 create,run        | --no-hosts     | --add-host=foo:1.1.1.1 | $IMAGE
-create,run        | --userns=bar   | --pod=foo              | $IMAGE
 container cleanup | --all          | --exec=foo
 container cleanup | --exec=foo     | --rmi                  | foo
 "
@@ -48,6 +47,13 @@ container cleanup | --exec=foo     | --rmi                  | foo
                "podman $cmd --platform + --$opt"
         done
     done
+
+    # --userns and --pod have a different error message format
+    run_podman pod create --name userns-pod-test
+    run_podman 125 run --userns=keep-id --pod=userns-pod-test $IMAGE true
+    is "$output" "Error: cannot set user namespace mappings that differ from pod: invalid argument" \
+       "podman run --userns + --pod"
+    run_podman pod rm -f userns-pod-test
 }