Shared IPC namespace between rootless containers started by different users

[ewee33]

Hello, I want to know if the following is possible with podman: starting multiple rootless containers as different users that all join the same IPC namespace.

I want to have multiple rootless containers that are started by different users, and I want them to be able to communicate with each other via POSIX message queues that exist on the host. I want this communication to occur in a non-host IPC namespace to limit container access to shared memory.

I've tried accomplishing this design but have been unsuccessful. If I create the IPC namespace as the root user (e.g., sudo unshare --ipc=/tmp/ns1), then rootless containers are unable to join it (I see different error messages depending on if I use runc or crun):

$ podman run --ipc=ns:/tmp/ns1 --rm -it ubi8
Error: container create failed (no logs from conmon): conmon bytes "": readObjectStart: expect { or n, but found , error found in #0 byte of ...||..., bigger context ...||...

$ podman --runtime=crun run --ipc=ns:/tmp/ns1 --rm -it ubi8
Error: crun: cannot setns `/tmp/ns1`: Operation not permitted: OCI permission denied

I see the same errors when the IPC namespace is created as my own user (e.g., running unshare --ipc=/tmp/ns2 on the host as my own user with the CAP_SYS_ADMIN capability). I've also tried executing podman with the CAP_SYS_ADMIN capability, giving podman, crun, runc, and conmon CAP_SYS_ADMIN (e.g., setcap cap_sys_admin+ie /usr/bin/<binary>)

The only way I have been successful in getting a rootless container to join an IPC namespace is if that IPC namespace is created within that rootless user's default user namespace (e.g., podman unshare unshare --ipc=/tmp/ns3). However, that has the effect of rootless containers started by other users being unable to join that IPC namespace.

I want to know if this design is possible to achieve. Is there something I'm missing? Is this intended behavior? Or is this a limitation of podman?

[Luap99]

That is impossible, the kernel will now allow namespaces created in user namespace (a) to be joined from another user namespace (b) unless b is a parent of a, see user_namespaces(7) for how capabilities work with user namespaces.

Adding cap_sys_admin to podman is bad idea for security, the "real" (in the inital user namespace) cap_sys_admin is so powerful you might as we run as root.
Rootless podman however will always create/join its own user namespace. And when joining a user namesapce all capabilities from the parent namesapce are dropped and you gain all namespaced capabilities instead. So podman then no longer has the cap_sys_admin file cap that would apply on the init namespace.

So in short you must run the containers as same user to share a ipc namespace.