userns_mode option is not honoured

[vmsh0]

Hi,

It seems like userns mode is not honoured by either podman-py or the podman API.

Running podman 4.9.3 on an up-to-date Ubuntu 24.04.1 LTS virtual machine.

$ cat /etc/sub{uid,gid}
[some random username]:100000:65536
containers:2147483647:2147483648
[some random username]:100000:65536
containers:2147483647:2147483648

When creating and running the same exact container with podman-py and with the Podman CLI, it is apparent that in the former case the userns_mode='auto' option is not honoured.

I attach this test case which shows the issue clearly: https://gist.github.com/vmsh0/f32b137b6d4bf1d3dbf5b6745e92911c

One unit test creates a container using podman-py: the test fails as after inspecting the container you can see that UsernsMode is empty. The other unit test creates the same container by calling the podman CLI: in this case, the test succeeds and you can see that UsernsMode is set to 'private' as expected.

As far as I can see, this fails silently. I noticed the issue by pure chance while investigating a different problem. This might potentially have security implications, as users might be expecting their containers to run in a separate user namespace while they are really running in the root namespace.

[rhatdan]

Make sure the service side is restarted?

[vmsh0]

Make sure the service side is restarted?

I apologize, but I'm not sure I understand what you mean. If you are asking me whether I tried to restart the service to check if it would fix it, I did.

In the meanwhile, I have also noticed that the remove=True option is ignored as well. I have updated the gist to also test this. This one is simpler: the option is explicitly removed before sending off the request. The REST API does have the respective flag, and hacking the value back into the request payload with the debugger results in the container being created (and then removed) with the correct option and the test passing. Is there a special reason why the remove option is filtered out? If not, would you accept a pull request to stop filtering it out?

Finally, while trying to mitigate the remove=True option being ignored and resulting in me needing to manually clean up containers between each run of the unit tests, I have attempted setting the replace option. While the API exposes it, podman-py does not handle that option. Would you accept a pull request to handle the replace option?

I apologize for reporting everything in this issue; please do let me know if I should split the three things (userns, remove, replace) into three different issues.

[vmsh0]

Again -- sorry for going off-topic. I was under the impression that the other issues might have been related, but I no longer think that's the case. I have addressed the other issues in additional issues/PRs.

To recap where we're at, the issue I'm reporting is that, as shown by this minimal example, the userns_mode parameter is not being honored.

[vmsh0]

I have now submitted PR #499, which addresses the underlying reason for the flag not being honored.