(cherry picked from commit ca1a0db4e7)
This commit fixes three related issues that prevented userns=auto from
working correctly in rootless containers:
1. Fix setgroups() error with userns=auto
When using userns=auto, supplementary GIDs from the container image
were being passed to setgroups() before user namespace mappings were
allocated by storage, causing EINVAL errors. Added a check in
container_internal_common.go to skip supplementary groups when
AutoUserNs is enabled but GIDMap isn't populated yet.
2. Fix ID mapping allocation bug in storage.go
CreateContainerStorage was returning empty UID/GID mappings from the
input options parameter instead of the allocated mappings from the
storage container object, causing containers to fail with "readlink:
No such file or directory" errors. Changed the return statement to
use container.UIDMap and container.GIDMap.
3. Add workaround for containers/storage v1.51.0 bug
The vendored storage library has a bug in parseMountedFiles where
groupFile path is incorrectly used as a directory path. Set an
explicit Size=65536 in AutoUserNsOpts to bypass the buggy code path.
With these fixes, all userns=auto tests in 170-run-userns.bats now pass
in rootless mode.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
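The first fix above hinges on a kernel rule worth seeing in code: inside a user namespace, setgroups() fails with EINVAL if any GID in the list is not covered by the namespace's GID mapping, so an image's supplementary groups can only be applied once the mapping is known. The following Go program is an added illustration, not code from podman or containers/storage: the `IDMap` struct is a stand-in modelled on the shape of a mapping entry (container ID, host ID, size), and `supplementaryGroups` is a hypothetical helper that skips the call when userns=auto is requested but no GID map has been allocated yet, and otherwise drops unmapped GIDs instead of letting one unmapped group fail the whole call. The 65536-entry map in `main` is a constructed sample sized like the explicit Size the commit sets.

```go
package main

import "fmt"

// IDMap models one ID-mapping entry: container IDs [ContainerID, ContainerID+Size)
// map to host IDs [HostID, HostID+Size). Assumption: shaped like the mapping
// entries containers/storage hands back, not the project's own type.
type IDMap struct {
	ContainerID int
	HostID      int
	Size        int
}

// gidMapped reports whether gid lies inside any range of gidMap, i.e. whether
// setgroups() in that user namespace would accept it. An unmapped GID makes
// the whole setgroups() call fail with EINVAL.
func gidMapped(gid int, gidMap []IDMap) bool {
	for _, m := range gidMap {
		if gid >= m.ContainerID && gid < m.ContainerID+m.Size {
			return true
		}
	}
	return false
}

// supplementaryGroups (hypothetical helper) decides what to pass to setgroups().
// It returns the GIDs to keep, the GIDs it dropped, and apply=false when the
// call should be skipped entirely: userns=auto was requested but storage has
// not allocated a GID map yet, so no GID can be validated.
func supplementaryGroups(autoUserNs bool, gidMap []IDMap, groups []int) (keep, dropped []int, apply bool) {
	if autoUserNs && len(gidMap) == 0 {
		// Mapping not allocated yet: calling setgroups() now would EINVAL.
		return nil, groups, false
	}
	if len(gidMap) == 0 {
		// No user namespace in play: nothing to filter.
		return groups, nil, true
	}
	for _, g := range groups {
		if gidMapped(g, gidMap) {
			keep = append(keep, g)
		} else {
			dropped = append(dropped, g)
		}
	}
	return keep, dropped, true
}

func main() {
	// Constructed sample: one 65536-wide mapping, as an auto userns might get.
	gidMap := []IDMap{{ContainerID: 0, HostID: 100000, Size: 65536}}
	imageGroups := []int{0, 1000, 70000} // 70000 is outside the mapping

	keep, dropped, apply := supplementaryGroups(false, gidMap, imageGroups)
	fmt.Println("with map:   apply =", apply, "keep =", keep, "dropped =", dropped)

	keep, dropped, apply = supplementaryGroups(true, nil, imageGroups)
	fmt.Println("auto, no map: apply =", apply, "keep =", keep, "dropped =", dropped)
}
```

The design choice here is that unmapped GIDs are dropped and reported rather than passed through; a caller that wants the stricter behaviour can treat a non-empty `dropped` slice as an error instead.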