From 156e21ddf9545a8d0a7e184e2c7233569ff30476 Mon Sep 17 00:00:00 2001
From: umohnani8
Date: Wed, 28 Feb 2018 16:41:11 -0500
Subject: [PATCH] Enable per pod PID namespace setting

If the pid namespace mode is set to POD, then the container's namespace should be set to the namespace of the pod infra container.

Signed-off-by: umohnani8
---
 cmd/crio/config.go | 3 ---
 cmd/crio/main.go | 7 -------
 docs/crio.8.md | 2 --
 docs/crio.conf.5.md | 3 ---
 lib/config.go | 3 ---
 server/container_create.go | 2 +-
 test/helpers.bash | 4 +---
 test/namespaces.bats | 19 ++++++-------------
 8 files changed, 8 insertions(+), 35 deletions(-)

diff --git a/cmd/crio/config.go b/cmd/crio/config.go
index 2564baf1..907e9918 100644
--- a/cmd/crio/config.go
+++ b/cmd/crio/config.go
@@ -114,9 +114,6 @@ default_mounts = [
 # pids_limit is the number of processes allowed in a container
 pids_limit = {{ .PidsLimit }}
 
-# enable using a shared PID namespace for containers in a pod
-enable_shared_pid_namespace = {{ .EnableSharedPIDNamespace }}
-
 # log_size_max is the max limit for the container log size in bytes.
 # Negative values indicate that no limit is imposed.
 log_size_max = {{ .LogSizeMax }}
diff --git a/cmd/crio/main.go b/cmd/crio/main.go
index 2425a57c..f27ab374 100644
--- a/cmd/crio/main.go
+++ b/cmd/crio/main.go
@@ -131,9 +131,6 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
 if ctx.GlobalIsSet("pids-limit") {
 config.PidsLimit = ctx.GlobalInt64("pids-limit")
 }
- if ctx.GlobalIsSet("enable-shared-pid-namespace") {
- config.EnableSharedPIDNamespace = ctx.GlobalBool("enable-shared-pid-namespace")
- }
 if ctx.GlobalIsSet("log-size-max") {
 config.LogSizeMax = ctx.GlobalInt64("log-size-max")
 }
@@ -299,10 +296,6 @@ func main() {
 Value: lib.DefaultPidsLimit,
 Usage: "maximum number of processes allowed in a container",
 },
- cli.BoolFlag{
- Name: "enable-shared-pid-namespace",
- Usage: "enable using a shared PID namespace for containers in a pod",
- },
 cli.Int64Flag{
 Name: "log-size-max",
 Value: lib.DefaultLogSizeMax,
diff --git a/docs/crio.8.md b/docs/crio.8.md
index 8408978b..be2b159d 100644
--- a/docs/crio.8.md
+++ b/docs/crio.8.md
@@ -94,8 +94,6 @@ crio [GLOBAL OPTIONS] config [OPTIONS]
 **--pids-limit**="": Maximum number of processes allowed in a container (default: 1024)
 
-**--enable-shared-pid-namespace**="": Enable using a shared PID namespace for containers in a pod (default: false)
-
 **--root**="": The crio root dir (default: "/var/lib/containers/storage")
 
 **--registry**="": Registry host which will be prepended to unqualified images, can be specified multiple times
 
diff --git a/docs/crio.conf.5.md b/docs/crio.conf.5.md
index 708f26e7..c2f3f358 100644
--- a/docs/crio.conf.5.md
+++ b/docs/crio.conf.5.md
@@ -87,9 +87,6 @@ Example:
 **pids_limit**=""
 Maximum number of processes allowed in a container (default: 1024)
 
-**enable_shared_pid_namespace**=""
- Enable using a shared PID namespace for containers in a pod (default: false)
-
 **runtime**=""
 OCI runtime path (default: "/usr/bin/runc")
 
diff --git a/lib/config.go b/lib/config.go
index 6a63b2b0..d46ff095 100644
--- a/lib/config.go
+++ b/lib/config.go
@@ -121,9 +121,6 @@ type RuntimeConfig struct {
 // NoPivot instructs the runtime to not use `pivot_root`, but instead use `MS_MOVE`
 NoPivot bool `toml:"no_pivot"`
 
- // EnableSharePidNamespace instructs the runtime to enable share pid namespace
- EnableSharedPIDNamespace bool `toml:"enable_shared_pid_namespace"`
-
 // Conmon is the path to conmon binary, used for managing the runtime.
 Conmon string `toml:"conmon"`
 
diff --git a/server/container_create.go b/server/container_create.go
index e815a14f..3129cac8 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -1000,7 +1000,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 if containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetPid() == pb.NamespaceMode_NODE {
 // kubernetes PodSpec specify to use Host PID namespace
 specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace))
- } else if s.config.EnableSharedPIDNamespace {
+ } else if containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetPid() == pb.NamespaceMode_POD {
 // share Pod PID namespace
 pidNsPath := fmt.Sprintf("/proc/%d/ns/pid", podInfraState.Pid)
 if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.PIDNamespace), pidNsPath); err != nil {
diff --git a/test/helpers.bash b/test/helpers.bash
index db890c35..6a84b60e 100644
--- a/test/helpers.bash
+++ b/test/helpers.bash
@@ -56,8 +56,6 @@ IMAGE_VOLUMES=${IMAGE_VOLUMES:-mkdir}
 PIDS_LIMIT=${PIDS_LIMIT:-1024}
 # Log size max limit
 LOG_SIZE_MAX_LIMIT=${LOG_SIZE_MAX_LIMIT:--1}
-# enable share container pid namespace
-ENABLE_SHARED_PID_NAMESPACE=${ENABLE_SHARED_PID_NAMESPACE:-false}
 
 TESTDIR=$(mktemp -d)
 
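Review bot: `pidNsPath` is built from `podInfraState.Pid` with no check that the infra container is actually running, so a zero or stale PID produces a `/proc/<pid>/ns/pid` path that either does not exist or, if the PID has since been recycled, belongs to an unrelated process — the join then fails late with an opaque runtime error at best, and at worst places the container in a PID namespace it was never meant to see. Because this branch is now selected per pod from the CRI request instead of by a daemon-wide switch, it appears reachable for every pod that asks for it, so guard it before the join, e.g. `if podInfraState.Pid <= 0 { return ..., fmt.Errorf("pod infra container is not running, cannot share its PID namespace") }`, returning as the surrounding `if err := ...` branch does; createSandboxContainer starts and ends outside this hunk. The identical getter chain `containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetPid()` is now evaluated twice; hoisting it into a local, `pidMode := containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetPid()`, and switching on it reads better and makes the untouched `NamespaceMode_CONTAINER` case explicit. A comment is also warranted on the default: if `NamespaceMode_POD` is the enum's zero value (the new bats test sets `pid` to 0 and expects the pause process), a client that omits namespace_options now shares the infra PID namespace by default, whereas the removed option defaulted to false — worth confirming against the pb definition and documenting here.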
@@ -217,7 +215,7 @@ function start_crio() {
 "$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/mrunalp/image-volume-test:latest --import-from=dir:"$ARTIFACTS_PATH"/image-volume-test-image --signature-policy="$INTEGRATION_ROOT"/policy.json
 "$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/library/busybox:latest --import-from=dir:"$ARTIFACTS_PATH"/busybox-image --signature-policy="$INTEGRATION_ROOT"/policy.json
 "$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/runcom/stderr-test:latest --import-from=dir:"$ARTIFACTS_PATH"/stderr-test --signature-policy="$INTEGRATION_ROOT"/policy.json
- "$CRIO_BINARY" ${DEFAULT_MOUNTS_OPTS} ${HOOKS_OPTS} --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --registry "docker.io" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTIONS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --cni-plugin-dir "$CRIO_CNI_PLUGIN" --signature-policy "$INTEGRATION_ROOT"/policy.json --image-volumes "$IMAGE_VOLUMES" --pids-limit "$PIDS_LIMIT" --enable-shared-pid-namespace=${ENABLE_SHARED_PID_NAMESPACE} --log-size-max "$LOG_SIZE_MAX_LIMIT" --config /dev/null config >$CRIO_CONFIG
+ "$CRIO_BINARY" ${DEFAULT_MOUNTS_OPTS} ${HOOKS_OPTS} --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --registry "docker.io" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTIONS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --cni-plugin-dir "$CRIO_CNI_PLUGIN" --signature-policy "$INTEGRATION_ROOT"/policy.json --image-volumes "$IMAGE_VOLUMES" --pids-limit "$PIDS_LIMIT" --log-size-max "$LOG_SIZE_MAX_LIMIT" --config /dev/null config >$CRIO_CONFIG
 # Prepare the CNI configuration files, we're running with non host networking by default
 if [[ -n "$4" ]]; then
diff --git a/test/namespaces.bats b/test/namespaces.bats
index 79c923f4..f8cc0fad 100644
--- a/test/namespaces.bats
+++ b/test/namespaces.bats
@@ -6,14 +6,15 @@ function teardown() {
 cleanup_test
 }
 
-function pid_namespace_test() {
+@test "pid_namespace_mode_pod_test" {
 start_crio
-
- run crictl runp "$TESTDATA"/sandbox_config.json
+ pidNamespaceMode=$(cat "$TESTDATA"/sandbox_config.json | python -c 'import json,sys;obj=json.load(sys.stdin);obj["linux"]["security_context"]["namespace_options"]["pid"] = 0; json.dump(obj, sys.stdout)')
+ echo "$pidNamespaceMode" > "$TESTDIR"/sandbox_pidnamespacemode_config.json
+ run crictl runp "$TESTDIR"/sandbox_pidnamespacemode_config.json
 echo "$output"
 [ "$status" -eq 0 ]
 pod_id="$output"
- run crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDATA"/sandbox_config.json
+ run crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDIR"/sandbox_pidnamespacemode_config.json
 echo "$output"
 [ "$status" -eq 0 ]
 ctr_id="$output"
@@ -23,7 +24,7 @@ function pid_namespace_test() {
 run crictl exec --sync "$ctr_id" cat /proc/1/cmdline
 echo "$output"
 [ "$status" -eq 0 ]
- [[ "$output" =~ "${EXPECTED_INIT:-redis}" ]]
+ [[ "$output" =~ pause ]]
 
 run crictl stopp "$pod_id"
 echo "$output"
@@ -35,11 +36,3 @@ function pid_namespace_test() {
 cleanup_pods
 stop_crio
 }
-
-@test "pod disable shared pid namespace" {
- ENABLE_SHARED_PID_NAMESPACE=false pid_namespace_test
-}
-
-@test "pod enable shared pid namespace" {
- ENABLE_SHARED_PID_NAMESPACE=true EXPECTED_INIT=pause pid_namespace_test
-}
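Review bot: Deleting the `pod disable shared pid namespace` case leaves the non-shared path with no coverage: after these hunks only `pid` = 0 is exercised (asserted via `pause` in `/proc/1/cmdline`), so a regression that joined the infra PID namespace regardless of the requested mode would still pass. Keep a second `@test` that sets `pid` to the container-scoped mode value and asserts `[[ "$output" =~ redis ]]`, as the removed `${EXPECTED_INIT:-redis}` check did; the two cases could share a helper parameterised on the mode, which is what the removed `pid_namespace_test` function already provided. The bare `0` in the python one-liner also needs a comment, e.g. `# 0 = NamespaceMode_POD in the CRI NamespaceMode enum — verify against the pb definition`, since a reader cannot tell which mode it selects. Minor: `cat ... | python -c '...'` can be `python -c '...' < "$TESTDATA"/sandbox_config.json`.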