
feat(driver-podman): add per-sandbox user namespace mode #2141

Open
bergmannf wants to merge 1 commit into NVIDIA:main from bergmannf:feat/podman-userns-param

Conversation

@bergmannf commented Jul 4, 2026

Contributor

Summary

Add support for selecting a per-sandbox Podman user namespace mode through driver config.

This feature is required if SELinux is active but the user ID inside the sandbox container is not the same as the user ID of the user creating it. In that case reading from a SELinux shared mount is possible, but writing is not, unless the keep-id map is supplied with the correct values inside the sandbox (e.g. in the default image it must use `{"podman":{"userns_mode": "keep-id:uid=998,gid=998"}}`).

Related Issue

None

Changes

  • Added userns_mode to Podman sandbox driver config
  • Parsed --userns-style values into the libpod namespace spec
  • Added unit tests for unset, whitespace, and colon-split parsing
  • Updated Podman driver and gateway config docs

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

Add a `userns_mode` field to `PodmanSandboxDriverConfig` so each
sandbox can independently select its user namespace mode via
`--driver-config-json`.

Accepts the same values as `podman run --userns`, e.g. "keep-id",
"keep-id:uid=200,gid=210", "auto", "nomap", or "host". Empty (default)
leaves Podman's default behavior unchanged.

The `build_userns` helper reads from the per-sandbox driver config
and parses the string into a libpod `Namespace` object, splitting on
the first colon: the left side becomes `nsmode` and the right side
becomes `value`. When unset or whitespace-only, the `userns` field is
omitted from the container spec JSON so Podman uses its default
(host namespace).

Includes unit tests covering all parsing paths, whitespace trimming,
and coexistence with mounts in driver config. Updates the driver
README with usage examples.

Signed-off-by: Florian Bergmann <bergmann.f@gmail.com>
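The `build_userns` parsing rules described in the commit message, as an added illustration that is not the PR's own code: a std-only Rust sketch of the split-on-first-colon rule and the omit-when-unset behaviour. The `nsmode`/`value` field names come from the description above; the plain `Namespace` struct, the `userns_spec_member` helper and the hand-rolled JSON rendering are assumptions of this example.

```rust
/// libpod user-namespace spec: `nsmode` (e.g. "keep-id") plus an optional
/// `value` (e.g. "uid=998,gid=998"). Field names follow the PR description;
/// modelling it as a plain struct is an assumption of this example.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Namespace {
    pub nsmode: String,
    pub value: Option<String>,
}

/// Parse a `podman run --userns`-style string taken from the per-sandbox
/// driver config. Returns None when the field is unset or whitespace-only so
/// the caller can omit `userns` entirely and let Podman apply its default.
pub fn build_userns(userns_mode: Option<&str>) -> Option<Namespace> {
    let raw = userns_mode?.trim();
    if raw.is_empty() {
        return None;
    }
    // Split on the FIRST colon only: the value part may itself contain
    // '=' and ',' (e.g. "keep-id:uid=998,gid=998") but never a second mode.
    let (nsmode, value) = match raw.split_once(':') {
        Some((mode, val)) => (mode.to_string(), Some(val.to_string())),
        None => (raw.to_string(), None),
    };
    Some(Namespace { nsmode, value })
}

/// Minimal JSON string escaping for the two fields we emit (std only).
fn json_str(s: &str) -> String {
    let escaped = s.replace('\\', "\\\\").replace('"', "\\\"");
    format!("\"{escaped}\"")
}

/// Render the `userns` member of the container spec JSON, or an empty string
/// when the key must be omitted (hypothetical helper for this example).
pub fn userns_spec_member(ns: Option<&Namespace>) -> String {
    match ns {
        None => String::new(),
        Some(Namespace { nsmode, value: None }) => {
            format!("\"userns\":{{\"nsmode\":{}}}", json_str(nsmode))
        }
        Some(Namespace { nsmode, value: Some(v) }) => format!(
            "\"userns\":{{\"nsmode\":{},\"value\":{}}}",
            json_str(nsmode),
            json_str(v)
        ),
    }
}

fn main() {
    // Constructed sample inputs: the SELinux keep-id case from the PR, a
    // bare mode, a whitespace-only string and an unset field.
    for cfg in [Some("keep-id:uid=998,gid=998"), Some("host"), Some("   "), None] {
        let ns = build_userns(cfg);
        println!("{cfg:?} -> {ns:?} -> {:?}", userns_spec_member(ns.as_ref()));
    }
}
```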
@copy-pr-bot (Bot) commented Jul 4, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.
