fix host pid handling for containers and share uts ns
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
Antonio Murdaca
parent
3be3936d7d
commit
da725f3e5f
2 changed files with 17 additions and 6 deletions
|
|
@ -769,10 +769,20 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
logrus.Debugf("pod container state %+v", podInfraState)
|
||||
|
||||
ipcNsPath := fmt.Sprintf("/proc/%d/ns/ipc", podInfraState.Pid)
|
||||
if err := specgen.AddOrReplaceLinuxNamespace("ipc", ipcNsPath); err != nil {
|
||||
if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.IPCNamespace), ipcNsPath); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
utsNsPath := fmt.Sprintf("/proc/%d/ns/uts", podInfraState.Pid)
|
||||
if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.UTSNamespace), utsNsPath); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Do not share pid ns for now
|
||||
if containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetHostPid() {
|
||||
specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace))
|
||||
}
|
||||
|
||||
netNsPath := sb.NetNsPath()
|
||||
if netNsPath == "" {
|
||||
// The sandbox does not have a permanent namespace,
|
||||
|
|
@ -780,7 +790,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
netNsPath = fmt.Sprintf("/proc/%d/ns/net", podInfraState.Pid)
|
||||
}
|
||||
|
||||
if err := specgen.AddOrReplaceLinuxNamespace("network", netNsPath); err != nil {
|
||||
if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.NetworkNamespace), netNsPath); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@ import (
|
|||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
"github.com/kubernetes-incubator/cri-o/pkg/annotations"
|
||||
runtimespec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/runtime-tools/generate"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/pkg/errors"
|
||||
|
|
@ -419,7 +420,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
|
||||
// set up namespaces
|
||||
if hostNetwork {
|
||||
err = g.RemoveLinuxNamespace("network")
|
||||
err = g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -440,21 +441,21 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
}()
|
||||
|
||||
// Pass the created namespace path to the runtime
|
||||
err = g.AddOrReplaceLinuxNamespace("network", sb.NetNsPath())
|
||||
err = g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), sb.NetNsPath())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
if securityContext.GetNamespaceOptions().GetHostPid() {
|
||||
err = g.RemoveLinuxNamespace("pid")
|
||||
err = g.RemoveLinuxNamespace(string(runtimespec.PIDNamespace))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
if securityContext.GetNamespaceOptions().GetHostIpc() {
|
||||
err = g.RemoveLinuxNamespace("ipc")
|
||||
err = g.RemoveLinuxNamespace(string(runtimespec.IPCNamespace))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue