From ea942caa7a6384c72bb19f5ac8a5d7afa238e9bb Mon Sep 17 00:00:00 2001
From: Riccardo Paolo Bestetti
Date: Fri, 30 Jan 2026 18:36:14 +0100
Subject: [PATCH] return usernsmode=private for created containers with userns=auto

Signed-off-by: Riccardo Paolo Bestetti
---
libpod/container_inspect_linux.go | 7 +++++++
libpod/container_internal_common.go | 2 +-
test/apiv2/20-containers.at | 18 ++++++++++++++++++
3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/libpod/container_inspect_linux.go b/libpod/container_inspect_linux.go
index 12bca74f876..11e62464210 100644
--- a/libpod/container_inspect_linux.go
+++ b/libpod/container_inspect_linux.go
@@ -292,6 +292,13 @@ func (c *Container) platformInspectContainerHostConfig(ctrSpec *spec.Spec, hostC
 }
 }
 }
+
+// If userns=auto, setting up the namespace is deferred until the container
+// is created. If the container is configured, check if it is going to have a
+// private userns and return accordingly
+if c.state.State == define.ContainerStateConfigured && c.config.IDMappings.AutoUserNs {
+usernsMode = "private"
+}
 }
 hostConfig.UsernsMode = usernsMode
 if c.config.IDMappings.UIDMap != nil && c.config.IDMappings.GIDMap != nil {
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index baa44885bc4..d074bd410d2 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -683,7 +683,7 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 }
 }
 
-// Add shared namespaces from other containers
+// Add shared namespaces from other containers. Also handles userns=auto
 if err := c.addSharedNamespaces(&g); err != nil {
 return nil, nil, err
 }
diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at
index fe2bd6e3069..691a6f7dcc8 100644
--- a/test/apiv2/20-containers.at
+++ b/test/apiv2/20-containers.at
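Review bot: The added branch sets `usernsMode = "private"` from `c.config.IDMappings.AutoUserNs` alone, so for a container still in the Configured state the inspect value is a prediction of the namespace it will get rather than a namespace that has been set up, and the comment should say so instead of ending with "return accordingly" when nothing is returned here. I would replace the three comment lines with `// userns=auto defers namespace allocation until the container is created; while the container is still Configured, report the private userns it is expected to receive (a planned mode, not an observed one).` Whether a failed automatic allocation at start leaves the container in Configured, and therefore still reporting private, is not visible in the hunk and is worth confirming. platformInspectContainerHostConfig and the block the new code sits in both begin before this hunk, and the function continues past it.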
@@ -966,6 +966,24 @@ for runtime in "${oci_runtimes[@]}"; do
 t DELETE containers/$cid 204
 done
 
+# 27998: make sure a created (and not started) container with userns=auto shows
+# UsernsMode = private before being started
+
+t POST libpod/containers/create \
+    image=$IMAGE \
+    UserNS='{"NSMode":"auto"}' \
+    IDMappings='{"AutoUserNs":true,"AutoUserNsOpts":{"AdditionalUIDMappings":[],"AdditionalGIDMappings":[],"PasswdFile":"","GroupFile":"","InitialSize":0,"Size":0}}' \
+    201
+cid=$(jq -r '.Id' <<<"$output")
+
+t GET libpod/containers/$cid/json \
+    200 \
+    .HostConfig.UsernsMode='private'
+
+t DELETE libpod/containers/$cid 200 .[0].Id=$cid
+
+
+# clean up
 podman rmi -f $IMAGE
 
 # Test health status in /containers/json (GH #27786)
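Review bot: The assertion `.HostConfig.UsernsMode='private'` only covers the positive case, so a regression that reports private for every Configured container would still pass; add a control that creates a container without `UserNS`/`IDMappings`, inspects it, and checks that the field is not `private`, using whatever negative-match form the `t` helper offers. The create request also sends an explicit `IDMappings` blob with `AutoUserNs:true` alongside `UserNS='{"NSMode":"auto"}'`; if the create endpoint already derives AutoUserNs from NSMode=auto, that blob is redundant and hides the case where a client sends only `UserNS`, so a variant with `UserNS` alone is worth adding (the handler is not visible here, so confirm). Starting and re-inspecting the container before the DELETE would additionally check the predicted value against the observed one.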