[WIP] podman: propagate user namespace mappings to image pull

cmd/podman/containers/create.go

@@ -401,6 +401,12 @@ func pullImage(cmd *cobra.Command, imageName string, cliVals *entities.Container
 		pullOptions.RetryDelay = val
 	}
 
+	pullOptions.UserNS = cliVals.UserNS
+	pullOptions.UIDMap = cliVals.UIDMap
+	pullOptions.GIDMap = cliVals.GIDMap
+	pullOptions.SubUIDName = cliVals.SubUIDName
+	pullOptions.SubGIDName = cliVals.SubGIDName
+
 	if cliVals.Creds != "" {
 		creds, err := util.ParseRegistryCreds(cliVals.Creds)
 		if err != nil {

go.mod

@@ -66,7 +66,7 @@ require (
 	github.com/vishvananda/netlink v1.3.1
 	go.podman.io/common v0.67.1-0.20260323194312-7e1f14c29cb4
 	go.podman.io/image/v5 v5.39.2-0.20260323194312-7e1f14c29cb4
-	go.podman.io/storage v1.62.1-0.20260323194312-7e1f14c29cb4
+	go.podman.io/storage v1.62.1-0.20260323201758-04a109851e66
 	golang.org/x/crypto v0.49.0
 	golang.org/x/net v0.52.0
 	golang.org/x/sync v0.20.0
@@ -95,7 +95,7 @@ require (
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v1.0.0-rc.2 // indirect
+	github.com/containerd/platforms v1.0.0-rc.3 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
 	github.com/containernetworking/plugins v1.9.0 // indirect
@@ -129,7 +129,7 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/klauspost/compress v1.18.4 // indirect
+	github.com/klauspost/compress v1.18.5 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
@@ -188,3 +188,9 @@ require (
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	tags.cncf.io/container-device-interface/specs-go v1.1.0 // indirect
 )
+
+replace (
+	go.podman.io/common => github.com/giuseppe/container-libs/common v0.0.0-20260327134027-2f2ff1752ec0
+	go.podman.io/image/v5 => github.com/giuseppe/container-libs/image/v5 v5.0.0-20260327134027-2f2ff1752ec0
+	go.podman.io/storage => github.com/giuseppe/container-libs/storage v0.0.0-20260327134027-2f2ff1752ec0
+)

go.sum

@@ -45,8 +45,8 @@ github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151X
 github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/platforms v1.0.0-rc.2 h1:0SPgaNZPVWGEi4grZdV8VRYQn78y+nm6acgLGv/QzE4=
-github.com/containerd/platforms v1.0.0-rc.2/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
+github.com/containerd/platforms v1.0.0-rc.3 h1:YdvwaHtrN6wHcGJ2mYRYP3Nso8OcysuqFe9Hxm1X/tI=
+github.com/containerd/platforms v1.0.0-rc.3/go.mod h1:gw0R+alP3nFQPh1L4K9bv13fRWeeyokLGLu2fKuqI10=
 github.com/containerd/stargz-snapshotter/estargz v0.18.2 h1:yXkZFYIzz3eoLwlTUZKz2iQ4MrckBxJjkmD16ynUTrw=
 github.com/containerd/stargz-snapshotter/estargz v0.18.2/go.mod h1:XyVU5tcJ3PRpkA9XS2T5us6Eg35yM0214Y+wvrZTBrY=
 github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
@@ -100,8 +100,8 @@ github.com/disiqueira/gotree/v3 v3.0.2 h1:ik5iuLQQoufZBNPY518dXhiO5056hyNBIK9lWh
 github.com/disiqueira/gotree/v3 v3.0.2/go.mod h1:ZuyjE4+mUQZlbpkI24AmruZKhg3VHEgPLDY8Qk+uUu8=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v29.3.0+incompatible h1:z3iWveU7h19Pqx7alZES8j+IeFQZ1lhTwb2F+V9SVvk=
-github.com/docker/cli v29.3.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.3.1+incompatible h1:M04FDj2TRehDacrosh7Vlkgc7AuQoWloQkf1PA5hmoI=
+github.com/docker/cli v29.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker-credential-helpers v0.9.5 h1:EFNN8DHvaiK8zVqFA2DT6BjXE0GzfLOZ38ggPTKePkY=
@@ -125,6 +125,12 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fsouza/go-dockerclient v1.13.0 h1:i6VWBKrFprrqDDK6rEYw0Zp5KsN+cVlqZ/ODaIX2erM=
 github.com/fsouza/go-dockerclient v1.13.0/go.mod h1:slZeNd4OpH+YfOrTc4+fkjtq8fwKymehRReLvUVFfpI=
+github.com/giuseppe/container-libs/common v0.0.0-20260327134027-2f2ff1752ec0 h1:jLcovThLw1Z8B4HY09s+g9RBaSC5+/0dBBDdJ5cCMqY=
+github.com/giuseppe/container-libs/common v0.0.0-20260327134027-2f2ff1752ec0/go.mod h1:BeZEvRCqnBigHU1pXTwl9zOa9vnlWsN8xu8qJ3aAax0=
+github.com/giuseppe/container-libs/image/v5 v5.0.0-20260327134027-2f2ff1752ec0 h1:kUKuHWV5gRgh0LB1g59rzWNP2oW4ZxFKn2Nq2aVxg7s=
+github.com/giuseppe/container-libs/image/v5 v5.0.0-20260327134027-2f2ff1752ec0/go.mod h1:d2xLDZUX546mC7wGaRNC/FxDKTrcopsUWAIUnmRfNxY=
+github.com/giuseppe/container-libs/storage v0.0.0-20260327134027-2f2ff1752ec0 h1:rK7dkpT0hN0wzhFOXo9G6uIDRTa3xjvA54nVu90qEO4=
+github.com/giuseppe/container-libs/storage v0.0.0-20260327134027-2f2ff1752ec0/go.mod h1:FpDiADa6tAspPQXdefPDFvP4fSE9OXUFiVip+q0GjyE=
 github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs=
 github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
 github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M=
@@ -209,8 +215,8 @@ github.com/kevinburke/ssh_config v1.5.0 h1:3cPZmE54xb5j3G5xQCjSvokqNwU2uW+3ry1+P
 github.com/kevinburke/ssh_config v1.5.0/go.mod h1:q2RIzfka+BXARoNexmF9gkxEX7DmvbW9P4hIVx2Kg4M=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
-github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
@@ -431,12 +437,6 @@ go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4A
 go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
 go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
 go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
-go.podman.io/common v0.67.1-0.20260323194312-7e1f14c29cb4 h1:pIoOJdFbpFp8ivkS8cPl/+WxRJhG5dszRrk8M5eu4sg=
-go.podman.io/common v0.67.1-0.20260323194312-7e1f14c29cb4/go.mod h1:uCTWM5sPmjiUM5hC4KVE8JrLud3mUfV7RES4Fg69YpE=
-go.podman.io/image/v5 v5.39.2-0.20260323194312-7e1f14c29cb4 h1:Qh59zBJSqj2Afq51k9Q8nJq4n1GW1rj/DF8/wbYakzk=
-go.podman.io/image/v5 v5.39.2-0.20260323194312-7e1f14c29cb4/go.mod h1:3OGrMYP3EKDQq9jDRxXqFoC9rT2/oCA+4kX6dZjkQK0=
-go.podman.io/storage v1.62.1-0.20260323194312-7e1f14c29cb4 h1:TU2iLuSSPNqzX4VcsL1uVngGdWsOhg6CPrrfO1RuvvU=
-go.podman.io/storage v1.62.1-0.20260323194312-7e1f14c29cb4/go.mod h1:k8lWBDknm4IJEfY9Gy3P/wRFT8aWvtk+rPtD8FKxIBE=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=

pkg/domain/entities/images.go

@@ -79,6 +79,17 @@ type ImagePullOptions struct {
 	// OciDecryptConfig contains the config that can be used to decrypt an image if it is
 	// encrypted if non-nil. If nil, it does not attempt to decrypt an image.
 	OciDecryptConfig *encconfig.DecryptConfig
+	// UserNS is the user namespace mode (e.g., "keep-id", "nomap", "host").
+	// Mappings are resolved server-side from this mode.
+	UserNS string
+	// UIDMap and GIDMap are the raw user-provided UID/GID mappings
+	// (e.g., from --uidmap/--gidmap flags).
+	UIDMap []string
+	GIDMap []string
+	// SubUIDName and SubGIDName are the user/group names for subordinate
+	// UID/GID ranges.
+	SubUIDName string
+	SubGIDName string
 }
 
 // ImagePullStatus contains the status of the image pull

pkg/domain/infra/abi/images.go

@@ -23,6 +23,8 @@ import (
 	"github.com/containers/buildah/pkg/volumes"
 	"github.com/containers/podman/v6/libpod/define"
 	"github.com/containers/podman/v6/pkg/domain/entities"
+	"github.com/containers/podman/v6/pkg/namespaces"
+	"github.com/containers/podman/v6/pkg/util"
 	"github.com/containers/podman/v6/pkg/domain/entities/reports"
 	domainUtils "github.com/containers/podman/v6/pkg/domain/utils"
 	"github.com/containers/podman/v6/pkg/errorhandling"
@@ -294,6 +296,36 @@ func (ir *ImageEngine) Pull(ctx context.Context, rawImage string, options entiti
 	pullOptions.InsecureSkipTLSVerify = options.SkipTLSVerify
 	pullOptions.Writer = options.Writer
 	pullOptions.OciDecryptConfig = options.OciDecryptConfig
+	if options.UserNS != "" {
+		usernsMode := namespaces.UsernsMode(options.UserNS)
+		switch {
+		case usernsMode.IsKeepID():
+			keepIDOpts, err := usernsMode.GetKeepIDOptions()
+			if err != nil {
+				return nil, err
+			}
+			mapping, _, _, err := util.GetKeepIDMapping(keepIDOpts)
+			if err != nil {
+				return nil, err
+			}
+			pullOptions.UIDMap = mapping.UIDMap
+			pullOptions.GIDMap = mapping.GIDMap
+		case usernsMode.IsNoMap():
+			mapping, _, _, err := util.GetNoMapMapping()
+			if err != nil {
+				return nil, err
+			}
+			pullOptions.UIDMap = mapping.UIDMap
+			pullOptions.GIDMap = mapping.GIDMap
+		default:
+			mapping, err := util.ParseIDMapping(usernsMode, options.UIDMap, options.GIDMap, options.SubUIDName, options.SubGIDName)
+			if err != nil {
+				return nil, err
+			}
+			pullOptions.UIDMap = mapping.UIDMap
+			pullOptions.GIDMap = mapping.GIDMap
+		}
+	}
 	pullOptions.MaxRetries = options.Retry
 
 	if options.RetryDelay != "" {

test/system/170-run-userns.bats

@@ -204,3 +204,35 @@ EOF
 
     run_podman rm -f $cname
 }
+
+# CANNOT BE PARALLELIZED because other tests may use $NONLOCAL_IMAGE
+@test "podman run --userns=keep-id does not create mapped layers" {
+    skip_if_not_rootless "keep-id mapped layers only relevant for rootless"
+    skip_if_remote "reads local storage files"
+
+    NONLOCAL_IMAGE="$PODMAN_NONLOCAL_IMAGE_FQN"
+
+    run_podman '?' rmi -f $NONLOCAL_IMAGE
+    run_podman 1 image exists $NONLOCAL_IMAGE
+
+    run_podman run --rm --userns=keep-id $NONLOCAL_IMAGE true
+
+    run_podman image inspect --format '{{.Id}}' $NONLOCAL_IMAGE
+    local image_id="${output#sha256:}"
+
+    run_podman info --format '{{.Store.GraphRoot}}'
+    local graphroot="$output"
+    run_podman info --format '{{.Store.GraphDriverName}}'
+    local graphdriver="$output"
+    local images_json="$graphroot/${graphdriver}-images/images.json"
+
+    # Verify no mapped-layers were created for this image
+    local mapped_count
+    mapped_count=$(jq --arg id "$image_id" \
+        '[.[] | select(.id == $id) | (."mapped-layers" // []) | length] | .[0] // 0' \
+        "$images_json")
+    assert "$mapped_count" == "0" \
+        "Image should have no mapped-layers (got $mapped_count)"
+
+    run_podman rmi $NONLOCAL_IMAGE
+}