From 941c489ec2353c28587e0db37b183eebaced93f4 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 1 Aug 2024 17:48:00 +0200
Subject: [PATCH] libpod: fix volume copyup with idmap

if idmap is specified for a volume, reverse the mappings when copying up from the container, so that the original permissions are maintained.

Closes: https://github.com/containers/podman/issues/23467

Signed-off-by: Giuseppe Scrivano
(cherry picked from commit 3ae15689333ce4d1dd6f9fec70f8297ccc39f931)
---
 libpod/container_internal.go | 5 +++++
 test/system/030-run.bats | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 3b439d2871..b1668fcab2 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -1924,6 +1924,11 @@ func (c *Container) mountNamedVolume(v *ContainerNamedVolume, mountpoint string)
 getOptions := copier.GetOptions{
 KeepDirectoryNames: false,
 }
+ // If the volume is idmapped, we need to "undo" the idmapping
+ if slices.Contains(v.Options, "idmap") {
+ getOptions.UIDMap = c.config.IDMappings.UIDMap
+ getOptions.GIDMap = c.config.IDMappings.GIDMap
+ }
 errChan <- copier.Get(srcDir, "", getOptions, []string{"/."}, writer)
 }()
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index f5eb351e8a..c48fed05d5 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -1253,7 +1253,7 @@ EOF
 fi
 }
-@test "podman run - rootfs with idmapped mounts" {
+@test "podman run - idmapped mounts" {
 skip_if_rootless "idmapped mounts work only with root for now"
 skip_if_remote "userns=auto is set on the server"
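Review bot: In the libpod/container_internal.go hunk, `slices.Contains(v.Options, "idmap")` matches only the bare option string, so a volume mounted with a custom mapping of the form `idmap=uids=...;gids=...` (if that form can reach mountNamedVolume) would skip the reverse mapping and copy-up would again write files under shifted owners. Because ownership on a volume decides which host and container users can read or modify its contents, the limitation deserves to be stated next to the check, for example `// Only the bare "idmap" option is handled; a custom "idmap=..." mapping is not reversed here, since c.config.IDMappings would be the wrong map for it.` The existing comment could also say why handing the container's UIDMap/GIDMap to copier.Get undoes the mount's mapping, which is not obvious from the field names alone. mountNamedVolume starts and ends outside the hunk, so whether the options are normalized before this point cannot be seen here.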
@@ -1295,6 +1295,12 @@ EOF is "$output" "0:0" run_podman volume rm $myvolume + # verify that copyup with an idmap volume maintains the original ownership + myvolume=my-volume-$(safename) + run_podman run --rm --uidmap=0:1000:10000 -v $myvolume:/etc:idmap $IMAGE stat -c %u:%g /etc/passwd + is "$output" "0:0" + run_podman volume rm $myvolume + rm -rf $romount }