generate: Add --user and consolidate user-namespace handling

Put this in setupNamespaces with the other namespaces.  This commit
allows users to:

* Join an existing user namespace with --user=path/to/ns.
* Create a new user namespace without mapping IDs (although this is
  likely not very useful).
* Clear a templated user namespace with --user=host (although without
  being able to clear the ID mappings, this may not be very useful).

I haven't checked for likely-invalid configuration like:

  --uidmappings=1000:0:1 --user=path/to/ns

We can add that in a follow-up commit if we want.

Signed-off-by: W. Trevor King <[email protected]>

Author: wking

generate.go

@@ -31,6 +31,7 @@ var generateFlags = []cli.Flag{
 	cli.StringFlag{Name: "mount", Usage: "mount namespace"},
 	cli.StringFlag{Name: "pid", Usage: "pid namespace"},
 	cli.StringFlag{Name: "ipc", Usage: "ipc namespace"},
+	cli.StringFlag{Name: "user", Usage: "user namespace"},
 	cli.StringFlag{Name: "uts", Usage: "uts namespace"},
 	cli.StringFlag{Name: "selinux-label", Usage: "process selinux label"},
 	cli.StringFlag{Name: "mount-label", Usage: "selinux mount context label"},
@@ -463,10 +464,6 @@ func addIDMappings(spec *rspec.Spec, context *cli.Context) error {
 		}
 	}
 
-	if len(context.StringSlice("uidmappings")) > 0 || len(context.StringSlice("gidmappings")) > 0 {
-		spec.Linux.Namespaces = append(spec.Linux.Namespaces, rspec.Namespace{Type: "user"})
-	}
-
 	return nil
 }
 
@@ -660,9 +657,14 @@ func mapStrToNamespace(ns string, path string) rspec.Namespace {
 }
 
 func setupNamespaces(spec *rspec.Spec, context *cli.Context) {
-	namespaces := []string{"network", "pid", "mount", "ipc", "uts"}
+	var needsNewUser = false
+	if len(context.StringSlice("uidmappings")) > 0 || len(context.StringSlice("gidmappings")) > 0 {
+		needsNewUser = true
+	}
+
+	namespaces := []string{"network", "pid", "mount", "ipc", "uts", "user"}
 	for _, nsName := range namespaces {
-		if !context.IsSet(nsName) {
+		if !context.IsSet(nsName) && !(needsNewUser && nsName == "user") {
 			continue
 		}
 		nsPath := context.String(nsName)

man/ocitools-generate.1.md

@@ -57,7 +57,7 @@ inside of the container.
   Gid for the process inside of container
 
 **--gidmappings**=GIDMAPPINGS
-  Add GIDMappings e.g HostID:ContainerID:Size for use with User Namespace
+  Add GIDMappings e.g HostID:ContainerID:Size.  Implies **-user=**.
 
 **--groups**=GROUP
   Supplementary groups for the processes inside of container
@@ -191,7 +191,12 @@ inside of the container.
   Sets the UID used within the container.
 
 **--uidmappings**
-  Add UIDMappings e.g HostUID:ContainerID:Size for use with User Namespace
+  Add UIDMappings e.g HostUID:ContainerID:Size.  Implies **--user=**.
+
+**--user**=[*PATH*]
+  Use a user namespace.  If *PATH* is set, join that namespace.  If it
+  is unset, create a new namespace.  The special *PATH* `host` removes
+  any existing user namespace from the configuration.
 
 **--uts**=[*PATH*]
   Use a UTS namespace.  If *PATH* is set, join that namespace.  If it