pkg/specgen: allow pasta when running inside userns

pasta doesn't switch to nobody when we already run in a userns so we can use it there. The unshare package checks the same condition and returns true even if uid 0 in this case so we can directly call this. ref containers#17840 (comment) Signed-off-by: Paul Holzinger <[email protected]>
Luap99 · Sep 23, 2024 · 5288e25 · 5288e25
1 parent 74c48a5
commit 5288e25
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
@@ -11,9 +11,9 @@ import (
 	"github.com/containers/common/pkg/cgroups"
 	"github.com/containers/podman/v5/libpod/define"
 	"github.com/containers/podman/v5/pkg/namespaces"
-	"github.com/containers/podman/v5/pkg/rootless"
 	"github.com/containers/podman/v5/pkg/util"
 	"github.com/containers/storage/pkg/fileutils"
+	"github.com/containers/storage/pkg/unshare"
 	storageTypes "github.com/containers/storage/types"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
@@ -160,10 +160,15 @@ func validateNetNS(n *Namespace) error {
 	case Slirp:
 		break
 	case Pasta:
-		if rootless.IsRootless() {
+		// Check if we run rootless/in a userns. Do not use rootless.IsRootless() here.
+		// Pasta switches to nobody when running as root which causes it to fail while
+		// opening the netns owned by root. However when pasta is already in a userns
+		// it doesn't switch to nobody so it works there.
+		// https://github.com/containers/podman/issues/17840
+		if unshare.IsRootless() {
 			break
 		}
-		return fmt.Errorf("pasta networking is only supported for rootless mode")
+		return fmt.Errorf("pasta networking is only supported for rootless mode or when inside a nested userns")
 	case "", Default, Host, Path, FromContainer, FromPod, Private, NoNetwork, Bridge:
 		break
 	default: