Apply fixes for user mapping

nezhar · nezhar · commit ba9bc1cd333a · 2026-04-09T19:30:04.000Z
diff --git a/src/vibepod/core/docker.py b/src/vibepod/core/docker.py
@@ -122,6 +122,27 @@ def _prepare_volume_dir(self, path: Path) -> None:
         except OSError:
             pass
 
+    def _resolved_userns_mode(self, userns_mode: str | None) -> str | None:
+        """Normalize user namespace modes per runtime.
+
+        Podman supports modes like ``keep-id`` that Docker rejects, so only
+        forward values that make sense for the selected runtime.
+        """
+        if userns_mode is None:
+            return None
+
+        normalized = userns_mode.strip().lower()
+        if not normalized:
+            return None
+
+        if self.runtime == RUNTIME_PODMAN:
+            return normalized if normalized in {"auto", "keep-id", "nomap"} else None
+
+        if normalized in {"auto", "keep-id", "nomap"}:
+            return None
+
+        return normalized
+
     def _run_container(self, **kwargs: Any) -> Any:
         """Create and start a container via the high-level SDK."""
         return self.client.containers.run(**kwargs)
@@ -254,6 +275,7 @@ def run_agent(
             volumes.extend(f"{host}:{bind}:{mode}" for host, bind, mode in extra_volumes)
 
         try:
+            resolved_userns_mode = self._resolved_userns_mode(userns_mode)
             run_kwargs: dict[str, Any] = {
                 "image": image,
                 "name": container_name,
@@ -274,8 +296,8 @@ def run_agent(
                 run_kwargs["entrypoint"] = entrypoint
             if user:
                 run_kwargs["user"] = user
-            if userns_mode:
-                run_kwargs["userns_mode"] = userns_mode
+            if resolved_userns_mode:
+                run_kwargs["userns_mode"] = resolved_userns_mode
 
             return self._run_container(**run_kwargs)
         except APIError as exc:
@@ -346,6 +368,7 @@ def ensure_datasette(
             logs_db_container_path = f"/mount/logs/{logs_db_path.name}"
             proxy_db_container_path = f"/mount/proxy/{proxy_db_path.name}"
 
+        resolved_userns_mode = self._resolved_userns_mode(userns_mode)
         run_kwargs: dict[str, Any] = {
             "image": image,
             "name": "vibepod-datasette",
@@ -359,8 +382,8 @@ def ensure_datasette(
             "volumes": volumes,
             "ports": {"8001/tcp": port},
         }
-        if userns_mode:
-            run_kwargs["userns_mode"] = userns_mode
+        if resolved_userns_mode:
+            run_kwargs["userns_mode"] = resolved_userns_mode
 
         return self._run_container(**run_kwargs)
 
@@ -413,13 +436,14 @@ def ensure_proxy(
             "network": network,
         }
 
+        resolved_userns_mode = self._resolved_userns_mode(userns_mode)
         if self.runtime != RUNTIME_PODMAN:
             getuid = getattr(os, "getuid", None)
             getgid = getattr(os, "getgid", None)
             if callable(getuid) and callable(getgid):
                 run_kwargs["user"] = f"{getuid()}:{getgid()}"
-        if userns_mode:
-            run_kwargs["userns_mode"] = userns_mode
+        if resolved_userns_mode:
+            run_kwargs["userns_mode"] = resolved_userns_mode
 
         container = self._run_container(**run_kwargs)
         try:
diff --git a/tests/test_proxy_permissions.py b/tests/test_proxy_permissions.py
@@ -51,7 +51,7 @@ def _fail_replace(src: str, dst: str) -> None:
     assert updated is False
 
 
-def test_ensure_proxy_runs_container_as_current_user_and_forwards_userns_mode(
+def test_ensure_proxy_runs_container_as_current_user_and_omits_podman_userns_mode_on_docker(
     tmp_path: Path, monkeypatch
 ) -> None:
     class _FakeContainers:
@@ -87,7 +87,7 @@ def __init__(self) -> None:
     run_kwargs = manager.client.containers.run_kwargs  # type: ignore[union-attr]
     assert run_kwargs is not None
     assert run_kwargs["user"] == "1234:2345"
-    assert run_kwargs["userns_mode"] == "keep-id"
+    assert "userns_mode" not in run_kwargs
     assert "ports" not in run_kwargs
     assert db_path.parent.exists()
     assert ca_dir.exists()
@@ -127,6 +127,74 @@ def __init__(self) -> None:
     assert run_kwargs["userns_mode"] == "keep-id"
 
 
+def test_ensure_datasette_omits_podman_userns_mode_on_docker(tmp_path: Path, monkeypatch) -> None:
+    class _FakeContainers:
+        def __init__(self) -> None:
+            self.run_kwargs: dict | None = None
+
+        def run(self, **kwargs):
+            self.run_kwargs = kwargs
+            return {"id": "datasette"}
+
+    class _FakeClient:
+        def __init__(self) -> None:
+            self.containers = _FakeContainers()
+
+    manager = object.__new__(DockerManager)
+    manager.client = _FakeClient()  # type: ignore[assignment]
+    manager.runtime = "docker"
+
+    monkeypatch.setattr(DockerManager, "find_datasette", lambda self: None)
+
+    logs_db_path = tmp_path / "logs" / "logs.db"
+    proxy_db_path = tmp_path / "proxy" / "proxy.db"
+    manager.ensure_datasette(
+        image="vibepod/datasette:latest",
+        logs_db_path=logs_db_path,
+        proxy_db_path=proxy_db_path,
+        port=8001,
+        userns_mode="keep-id",
+    )
+
+    run_kwargs = manager.client.containers.run_kwargs  # type: ignore[union-attr]
+    assert run_kwargs is not None
+    assert "userns_mode" not in run_kwargs
+
+
+def test_ensure_proxy_forwards_podman_userns_mode(tmp_path: Path, monkeypatch) -> None:
+    class _FakeContainers:
+        def __init__(self) -> None:
+            self.run_kwargs: dict | None = None
+
+        def run(self, **kwargs):
+            self.run_kwargs = kwargs
+            return {"id": "proxy"}
+
+    class _FakeClient:
+        def __init__(self) -> None:
+            self.containers = _FakeContainers()
+
+    manager = object.__new__(DockerManager)
+    manager.client = _FakeClient()  # type: ignore[assignment]
+    manager.runtime = "podman"
+
+    monkeypatch.setattr(DockerManager, "find_proxy", lambda self: None)
+
+    db_path = tmp_path / "proxy" / "proxy.db"
+    ca_dir = tmp_path / "proxy" / "mitmproxy"
+    manager.ensure_proxy(
+        image="vibepod/proxy:latest",
+        db_path=db_path,
+        ca_dir=ca_dir,
+        network="vibepod-network",
+        userns_mode="keep-id",
+    )
+
+    run_kwargs = manager.client.containers.run_kwargs  # type: ignore[union-attr]
+    assert run_kwargs is not None
+    assert run_kwargs["userns_mode"] == "keep-id"
+
+
 def test_ensure_proxy_connects_existing_proxy_to_requested_network(monkeypatch) -> None:
     connected: list[tuple[object, str]] = []
 
diff --git a/tests/test_run.py b/tests/test_run.py
@@ -185,6 +185,90 @@ def __init__(self) -> None:
     assert run_kwargs["userns_mode"] == "keep-id"
 
 
+def test_run_agent_omits_podman_userns_mode_for_docker(tmp_path: Path) -> None:
+    class _FakeContainers:
+        def __init__(self) -> None:
+            self.run_kwargs: dict | None = None
+
+        def run(self, **kwargs):
+            self.run_kwargs = kwargs
+            return {"id": "agent"}
+
+    class _FakeClient:
+        def __init__(self) -> None:
+            self.containers = _FakeContainers()
+
+    manager = object.__new__(DockerManager)
+    manager.client = _FakeClient()  # type: ignore[assignment]
+    manager.runtime = "docker"
+
+    workspace = tmp_path / "workspace"
+    config_dir = tmp_path / "agents" / "claude"
+    workspace.mkdir(parents=True, exist_ok=True)
+    config_dir.mkdir(parents=True, exist_ok=True)
+
+    manager.run_agent(
+        agent="claude",
+        image="vibepod/claude:latest",
+        workspace=workspace,
+        config_dir=config_dir,
+        config_mount_path="/claude",
+        env={},
+        command=["claude"],
+        auto_remove=True,
+        name=None,
+        version="0.2.1",
+        network="vibepod-network",
+        userns_mode="keep-id",
+    )
+
+    run_kwargs = manager.client.containers.run_kwargs  # type: ignore[union-attr]
+    assert run_kwargs is not None
+    assert "userns_mode" not in run_kwargs
+
+
+def test_run_agent_preserves_host_userns_mode_for_docker(tmp_path: Path) -> None:
+    class _FakeContainers:
+        def __init__(self) -> None:
+            self.run_kwargs: dict | None = None
+
+        def run(self, **kwargs):
+            self.run_kwargs = kwargs
+            return {"id": "agent"}
+
+    class _FakeClient:
+        def __init__(self) -> None:
+            self.containers = _FakeContainers()
+
+    manager = object.__new__(DockerManager)
+    manager.client = _FakeClient()  # type: ignore[assignment]
+    manager.runtime = "docker"
+
+    workspace = tmp_path / "workspace"
+    config_dir = tmp_path / "agents" / "claude"
+    workspace.mkdir(parents=True, exist_ok=True)
+    config_dir.mkdir(parents=True, exist_ok=True)
+
+    manager.run_agent(
+        agent="claude",
+        image="vibepod/claude:latest",
+        workspace=workspace,
+        config_dir=config_dir,
+        config_mount_path="/claude",
+        env={},
+        command=["claude"],
+        auto_remove=True,
+        name=None,
+        version="0.2.1",
+        network="vibepod-network",
+        userns_mode="host",
+    )
+
+    run_kwargs = manager.client.containers.run_kwargs  # type: ignore[union-attr]
+    assert run_kwargs is not None
+    assert run_kwargs["userns_mode"] == "host"
+
+
 def test_run_agent_forwards_entrypoint(tmp_path: Path) -> None:
     class _FakeContainers:
         def __init__(self) -> None:
