diff --git a/server/container_create.go b/server/container_create.go
index ba9df0d6..d401a0ea 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -769,10 +769,20 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 logrus.Debugf("pod container state %+v", podInfraState)
 ipcNsPath := fmt.Sprintf("/proc/%d/ns/ipc", podInfraState.Pid)
-if err := specgen.AddOrReplaceLinuxNamespace("ipc", ipcNsPath); err != nil {
+if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.IPCNamespace), ipcNsPath); err != nil {
 return nil, err
 }
+utsNsPath := fmt.Sprintf("/proc/%d/ns/uts", podInfraState.Pid)
+if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.UTSNamespace), utsNsPath); err != nil {
+return nil, err
+}
+
+// Do not share pid ns for now
+if containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetHostPid() {
+specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace))
+}
+
 netNsPath := sb.NetNsPath()
 if netNsPath == "" {
 // The sandbox does not have a permanent namespace,
@@ -780,7 +790,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 netNsPath = fmt.Sprintf("/proc/%d/ns/net", podInfraState.Pid)
 }
-if err := specgen.AddOrReplaceLinuxNamespace("network", netNsPath); err != nil {
+if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.NetworkNamespace), netNsPath); err != nil {
 return nil, err
 }
diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 0bebef84..20a10d1e 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -16,6 +16,7 @@ import (
 "github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
 "github.com/kubernetes-incubator/cri-o/oci"
 "github.com/kubernetes-incubator/cri-o/pkg/annotations"
+runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
 "github.com/opencontainers/selinux/go-selinux/label"
 "github.com/pkg/errors"
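Review bot: The error returned by `specgen.RemoveLinuxNamespace` in the new HostPid branch is discarded, unlike the same call in RunPodSandbox (sandbox_run.go in this commit) and the AddOrReplaceLinuxNamespace calls directly above and below it; if the removal fails the request asked for the host pid namespace but the container presumably keeps whatever pid namespace the generated spec already carries, and nothing reports the mismatch. Check it the way its neighbours do: `if err := specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace)); err != nil {` / `return nil, err` / `}`. The comment `// Do not share pid ns for now` describes what is not done rather than what the branch does; something like `// No pod-level pid namespace yet: a container keeps its own pid ns unless HostPid is set, in which case the pid namespace entry is dropped from the spec so the container runs in the host's.` would tell the next reader why only the HostPid case is handled here. createSandboxContainer begins and ends outside this hunk, and `rspec` is assumed to be an existing import of the runtime-spec package since the hunk adds none.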
@@ -424,7 +425,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 // set up namespaces
 if hostNetwork {
-err = g.RemoveLinuxNamespace("network")
+err = g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace))
 if err != nil {
 return nil, err
 }
@@ -445,21 +446,21 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 }()
 // Pass the created namespace path to the runtime
-err = g.AddOrReplaceLinuxNamespace("network", sb.NetNsPath())
+err = g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), sb.NetNsPath())
 if err != nil {
 return nil, err
 }
 }
-if namespaceOptions.HostPid {
-err = g.RemoveLinuxNamespace("pid")
+if securityContext.GetNamespaceOptions().GetHostPid() {
+err = g.RemoveLinuxNamespace(string(runtimespec.PIDNamespace))
 if err != nil {
 return nil, err
 }
 }
-if namespaceOptions.HostIpc {
-err = g.RemoveLinuxNamespace("ipc")
+if securityContext.GetNamespaceOptions().GetHostIpc() {
+err = g.RemoveLinuxNamespace(string(runtimespec.IPCNamespace))
 if err != nil {
 return nil, err
 }