libpod: fix volume copyup with idmap
if idmap is specified for a volume, reverse the mappings when copying
up from the container, so that the original permissions are maintained.

Closes: #23467

Signed-off-by: Giuseppe Scrivano <[email protected]>
(cherry picked from commit 3ae1568)
giuseppe committed Jan 10, 2025
1 parent e40738b commit 941c489
Showing 2 changed files with 12 additions and 1 deletion.
5 changes: 5 additions & 0 deletions libpod/container_internal.go
@@ -1924,6 +1924,11 @@ func (c *Container) mountNamedVolume(v *ContainerNamedVolume, mountpoint string)
getOptions := copier.GetOptions{
KeepDirectoryNames: false,
}
// If the volume is idmapped, we need to "undo" the idmapping
if slices.Contains(v.Options, "idmap") {
getOptions.UIDMap = c.config.IDMappings.UIDMap
getOptions.GIDMap = c.config.IDMappings.GIDMap
}
errChan <- copier.Get(srcDir, "", getOptions, []string{"/."}, writer)
}()

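Review bot: The new guard `slices.Contains(v.Options, "idmap")` matches only the bare option string, so a volume whose option is written in the `idmap=uids=…;gids=…` custom-mapping form (if that form can reach named volumes on this path, which is not visible in the hunk) would skip the reverse mapping and be copied up with shifted ownership. In that case `c.config.IDMappings` would also not be the right map to reverse, since the mount would use the custom one. Either handle the prefixed form or state the limitation, and expand the comment to say why the reversal is needed, e.g. `// The idmapped mount applies the ID mapping again at mount time, so copy up with the reverse mapping to keep the image's original ownership in the volume.` mountNamedVolume starts and ends outside the hunk.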
8 changes: 7 additions & 1 deletion test/system/030-run.bats
@@ -1253,7 +1253,7 @@ EOF
fi
}

@test "podman run - rootfs with idmapped mounts" {
@test "podman run - idmapped mounts" {
skip_if_rootless "idmapped mounts work only with root for now"

skip_if_remote "userns=auto is set on the server"
@@ -1295,6 +1295,12 @@ EOF
is "$output" "0:0"
run_podman volume rm $myvolume

# verify that copyup with an idmap volume maintains the original ownership
myvolume=my-volume-$(safename)
run_podman run --rm --uidmap=0:1000:10000 -v $myvolume:/etc:idmap $IMAGE stat -c %u:%g /etc/passwd
is "$output" "0:0"
run_podman volume rm $myvolume

rm -rf $romount
}

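Review bot: The added copy-up check asserts ownership only as seen from inside the container and only for a root-owned file (`/etc/passwd`, expected `0:0`), so it exercises just the 0 entry of `--uidmap=0:1000:10000`. A second `stat` on a file with a non-zero owner, if `$IMAGE` ships one under the mounted path, would confirm the reverse mapping across the range rather than at a single ID. `$myvolume` is also unquoted in the `-v` argument and in `volume rm`; `"$myvolume"` is the safer form, though the rest of the test may use the unquoted style consistently. Part of the test body lies between the two hunks and is not shown.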
