From b7c772695b444699c18a9a886743235670587ad2 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 1 Aug 2024 17:48:00 +0200
Subject: [PATCH] libpod: fix volume copyup with idmap

if idmap is specified for a volume, reverse the mappings when copying up from the container, so that the original permissions are maintained.
Closes: https://github.com/containers/podman/issues/23467
Signed-off-by: Giuseppe Scrivano
(cherry picked from commit 3ae15689333ce4d1dd6f9fec70f8297ccc39f931)
---
 libpod/container_internal.go | 5 +++++
 test/system/030-run.bats | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 3f354c5a93..0785314b01 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -1925,6 +1925,11 @@ func (c *Container) mountNamedVolume(v *ContainerNamedVolume, mountpoint string)
 getOptions := copier.GetOptions{
 KeepDirectoryNames: false,
 }
+ // If the volume is idmapped, we need to "undo" the idmapping
+ if slices.Contains(v.Options, "idmap") {
+ getOptions.UIDMap = c.config.IDMappings.UIDMap
+ getOptions.GIDMap = c.config.IDMappings.GIDMap
+ }
 errChan <- copier.Get(srcDir, "", getOptions, []string{"/."}, writer)
 }()
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 4080a15792..7b3926e551 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -1232,7 +1232,7 @@ EOF
 fi
 }
-@test "podman run - rootfs with idmapped mounts" {
+@test "podman run - idmapped mounts" {
 skip_if_rootless "idmapped mounts work only with root for now"
 skip_if_remote "userns=auto is set on the server"
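Review bot: The `slices.Contains(v.Options, "idmap")` check added to mountNamedVolume in libpod/container_internal.go matches only the bare option string, so a volume mounted with the parameterised `idmap=uids=…;gids=…` form would skip the reverse mapping and be populated with host-side owner IDs. If that form can reach this path, the condition needs a prefix match as well (for example `strings.HasPrefix(opt, "idmap=")` over `v.Options`), and the maps to reverse would presumably have to come from the option rather than from `c.config.IDMappings`. The comment would also help more if it said why, along the lines of `// copy-up reads host-side IDs from the container rootfs; translate them back to container IDs because the idmapped mount applies the mapping again`. The enclosing function starts and ends outside the hunk, so how `v.Options` is normalised before this point is not visible here.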
@@ -1274,6 +1274,12 @@ EOF
 is "$output" "0:0"
 run_podman volume rm $myvolume
+ # verify that copyup with an idmap volume maintains the original ownership
+ myvolume=my-volume-$(safename)
+ run_podman run --rm --uidmap=0:1000:10000 -v $myvolume:/etc:idmap $IMAGE stat -c %u:%g /etc/passwd
+ is "$output" "0:0"
+ run_podman volume rm $myvolume
+
 rm -rf $romount
 }
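Review bot: The added copy-up check passes only `--uidmap=0:1000:10000` and stats a root-owned file, so the expected `0:0` cannot tell the UID map from the GID map; a swapped or missing `GIDMap` assignment would still pass as long as both IDs translate the same way. Giving the run a distinct GID range, e.g. `--gidmap=0:2000:10000`, and also checking a file not owned by root (if $IMAGE ships one under the copied directory) would pin each mapping separately. The test body starts outside this hunk, so earlier setup such as `$romount` is not visible here.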