fix host pid handling for containers and share uts ns
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
parent
a2ab0a5eb0
commit
a45c16d7fa
2 changed files with 19 additions and 8 deletions
|
@ -769,10 +769,20 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
logrus.Debugf("pod container state %+v", podInfraState)
|
logrus.Debugf("pod container state %+v", podInfraState)
|
||||||
|
|
||||||
ipcNsPath := fmt.Sprintf("/proc/%d/ns/ipc", podInfraState.Pid)
|
ipcNsPath := fmt.Sprintf("/proc/%d/ns/ipc", podInfraState.Pid)
|
||||||
if err := specgen.AddOrReplaceLinuxNamespace("ipc", ipcNsPath); err != nil {
|
if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.IPCNamespace), ipcNsPath); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
utsNsPath := fmt.Sprintf("/proc/%d/ns/uts", podInfraState.Pid)
|
||||||
|
if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.UTSNamespace), utsNsPath); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Do not share pid ns for now
|
||||||
|
if containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetHostPid() {
|
||||||
|
specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace))
|
||||||
|
}
|
||||||
|
|
||||||
netNsPath := sb.NetNsPath()
|
netNsPath := sb.NetNsPath()
|
||||||
if netNsPath == "" {
|
if netNsPath == "" {
|
||||||
// The sandbox does not have a permanent namespace,
|
// The sandbox does not have a permanent namespace,
|
||||||
|
@ -780,7 +790,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
netNsPath = fmt.Sprintf("/proc/%d/ns/net", podInfraState.Pid)
|
netNsPath = fmt.Sprintf("/proc/%d/ns/net", podInfraState.Pid)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := specgen.AddOrReplaceLinuxNamespace("network", netNsPath); err != nil {
|
if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.NetworkNamespace), netNsPath); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
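Review bot: The error returned by `specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace))` inside the new `GetHostPid()` block is discarded, unlike every other namespace call in this hunk and the matching sandbox-level call in RunPodSandbox, so a failure to drop the pid namespace would go unnoticed and the container would silently keep its own; `if err := specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace)); err != nil { return nil, err }` keeps it consistent. The `// Do not share pid ns for now` comment now sits directly above code that joins the host pid namespace on request, which reads as a contradiction; something like `// Containers keep their own pid ns unless the CRI config asks for host pid; the pod's pid ns is not shared yet` states the actual policy. The host-pid decision is taken from the container's own security context only — since joining the host pid namespace exposes host processes to the container, it would be worth confirming whether it should be reconciled with the sandbox's namespace options, which are not visible here. createSandboxContainer begins before and continues past this hunk.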
@ -16,6 +16,7 @@ import (
|
||||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||||
"github.com/kubernetes-incubator/cri-o/oci"
|
"github.com/kubernetes-incubator/cri-o/oci"
|
||||||
"github.com/kubernetes-incubator/cri-o/pkg/annotations"
|
"github.com/kubernetes-incubator/cri-o/pkg/annotations"
|
||||||
|
runtimespec "github.com/opencontainers/runtime-spec/specs-go"
|
||||||
"github.com/opencontainers/runtime-tools/generate"
|
"github.com/opencontainers/runtime-tools/generate"
|
||||||
"github.com/opencontainers/selinux/go-selinux/label"
|
"github.com/opencontainers/selinux/go-selinux/label"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
@ -424,7 +425,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
|
|
||||||
// set up namespaces
|
// set up namespaces
|
||||||
if hostNetwork {
|
if hostNetwork {
|
||||||
err = g.RemoveLinuxNamespace("network")
|
err = g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -445,21 +446,21 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
}()
|
}()
|
||||||
|
|
||||||
// Pass the created namespace path to the runtime
|
// Pass the created namespace path to the runtime
|
||||||
err = g.AddOrReplaceLinuxNamespace("network", sb.NetNsPath())
|
err = g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), sb.NetNsPath())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if namespaceOptions.HostPid {
|
if securityContext.GetNamespaceOptions().GetHostPid() {
|
||||||
err = g.RemoveLinuxNamespace("pid")
|
err = g.RemoveLinuxNamespace(string(runtimespec.PIDNamespace))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if namespaceOptions.HostIpc {
|
if securityContext.GetNamespaceOptions().GetHostIpc() {
|
||||||
err = g.RemoveLinuxNamespace("ipc")
|
err = g.RemoveLinuxNamespace(string(runtimespec.IPCNamespace))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
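Review bot: The pid and ipc checks now go through the nil-safe `securityContext.GetNamespaceOptions().GetHostPid()` / `GetHostIpc()` getters, but `hostNetwork`, tested at the top of the earlier hunk in this file, is still computed outside the visible lines; if that derivation still dereferences `namespaceOptions` directly, a request without a security context would panic before reaching the guarded checks, so aligning all three on the getter form would be worth confirming. Separately, a host-network sandbox only removes the network namespace via `g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace))`; now that containers join the pod's UTS namespace, consider whether host-network pods should also drop the UTS namespace so their hostname matches the host — presumably what callers expect, to confirm. RunPodSandbox begins before and continues past this hunk.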
|