From 9480cb0a929659fb0a37acc969d501aa6429791a Mon Sep 17 00:00:00 2001
From: Christof Marti <chrmarti@microsoft.com>
Date: Fri, 16 May 2025 09:11:06 +0200
Subject: [PATCH] Fix: --uidmap/--gidmap conflict with --userns (#10954)

---
 src/spec-node/singleContainer.ts | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/spec-node/singleContainer.ts b/src/spec-node/singleContainer.ts
index 5952e3ea4..d42b837b9 100644
--- a/src/spec-node/singleContainer.ts
+++ b/src/spec-node/singleContainer.ts
@@ -409,7 +409,7 @@ while sleep 1 & wait $!; do :; done`, '-']; // `wait $!` allows for the `trap` t
 		...getLabels(labels),
 		...containerEnv,
 		...containerUserArgs,
-		...getPodmanArgs(params),
+		...getPodmanArgs(params, config),
 		...(config.runArgs || []),
 		...(await extraRunArgs(common, params, config) || []),
 		...featureArgs,
@@ -434,9 +434,14 @@ while sleep 1 & wait $!; do :; done`, '-']; // `wait $!` allows for the `trap` t
 	common.output.stop(text, start);
 }
 
-function getPodmanArgs(params: DockerResolverParameters): string[] {
+function getPodmanArgs(params: DockerResolverParameters, config: DevContainerFromDockerfileConfig | DevContainerFromImageConfig): string[] {
 	if (params.isPodman && params.common.cliHost.platform === 'linux') {
-		return ['--security-opt', 'label=disable', '--userns=keep-id'];
+		const args = ['--security-opt', 'label=disable'];
+		const hasIdMapping = (config.runArgs || []).some(arg => /--[ug]idmap(=|$)/.test(arg));
+		if (!hasIdMapping) {
+			args.push('--userns=keep-id');
+		}
+		return args;
 	}
 	return [];
 }