Return usernsmode=private for autons from inspect

libpod/container_inspect_linux.go

@@ -292,6 +292,13 @@ func (c *Container) platformInspectContainerHostConfig(ctrSpec *spec.Spec, hostC
 				}
 			}
 		}
+
+		// If userns=auto, setting up the namespace is deferred until the container
+		// is created. If the container is configured, check if it is going to have a
+		// private userns and return accordingly
+		if c.state.State == define.ContainerStateConfigured && c.config.IDMappings.AutoUserNs {
+			usernsMode = "private"
+		}
 	}
 	hostConfig.UsernsMode = usernsMode
 	if c.config.IDMappings.UIDMap != nil && c.config.IDMappings.GIDMap != nil {

libpod/container_internal_common.go

@@ -683,7 +683,7 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 		}
 	}
 
-	// Add shared namespaces from other containers
+	// Add shared namespaces from other containers. Also handles userns=auto
 	if err := c.addSharedNamespaces(&g); err != nil {
 		return nil, nil, err
 	}

test/apiv2/20-containers.at

@@ -966,6 +966,24 @@ for runtime in "${oci_runtimes[@]}"; do
     t DELETE containers/$cid 204
 done
 
+# 27998: make sure a created (and not started) container with userns=auto shows
+# UsernsMode = private before being started
+
+t POST libpod/containers/create \
+  image=$IMAGE \
+  UserNS='{"NSMode":"auto"}' \
+  IDMappings='{"AutoUserNs":true,"AutoUserNsOpts":{"AdditionalUIDMappings":[],"AdditionalGIDMappings":[],"PasswdFile":"","GroupFile":"","InitialSize":0,"Size":0}}' \
+  201
+cid=$(jq -r '.Id' <<<"$output")
+
+t GET libpod/containers/$cid/json \
+  200 \
+  .HostConfig.UsernsMode='private'
+
+t DELETE libpod/containers/$cid 200 .[0].Id=$cid
+
+
+# clean up
 podman rmi -f $IMAGE
 
 # Test health status in /containers/json (GH #27786)