Merge pull request #23961 from Luap99/pasta-userns

pkg/specgen: allow pasta when running inside userns
containers · Sep 17, 2024 · 9da2336 · 9da2336 · packit-as-a-service · Sep 17, 2024
2 parents e05568c + 91dbd6d
commit 9da2336
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
@@ -11,9 +11,9 @@ import (
 	"github.com/containers/common/pkg/cgroups"
 	"github.com/containers/podman/v5/libpod/define"
 	"github.com/containers/podman/v5/pkg/namespaces"
-	"github.com/containers/podman/v5/pkg/rootless"
 	"github.com/containers/podman/v5/pkg/util"
 	"github.com/containers/storage/pkg/fileutils"
+	"github.com/containers/storage/pkg/unshare"
 	storageTypes "github.com/containers/storage/types"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
@@ -160,10 +160,15 @@ func validateNetNS(n *Namespace) error {
 	case Slirp:
 		break
 	case Pasta:
-		if rootless.IsRootless() {
+		// Check if we run rootless/in a userns. Do not use rootless.IsRootless() here.
+		// Pasta switches to nobody when running as root which causes it to fail while
+		// opening the netns owned by root. However when pasta is already in a userns
+		// it doesn't switch to nobody so it works there.
+		// https://github.com/containers/podman/issues/17840
+		if unshare.IsRootless() {
 			break
 		}
-		return fmt.Errorf("pasta networking is only supported for rootless mode")
+		return fmt.Errorf("pasta networking is only supported for rootless mode or when inside a nested userns")
 	case "", Default, Host, Path, FromContainer, FromPod, Private, NoNetwork, Bridge:
 		break
 	default: