From da725f3e5f2368e8df25e6cf167da61cbf867b5e Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Thu, 19 Oct 2017 21:12:55 +0200
Subject: [PATCH] fix host pid handling for containers and share uts ns

Signed-off-by: Antonio Murdaca
---
 server/container_create.go | 14 ++++++++++++--
 server/sandbox_run.go | 9 +++++----
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/server/container_create.go b/server/container_create.go
index d716fc98..611336a8 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -769,10 +769,20 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 logrus.Debugf("pod container state %+v", podInfraState)
 ipcNsPath := fmt.Sprintf("/proc/%d/ns/ipc", podInfraState.Pid)
- if err := specgen.AddOrReplaceLinuxNamespace("ipc", ipcNsPath); err != nil {
+ if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.IPCNamespace), ipcNsPath); err != nil {
 return nil, err
 }
+ utsNsPath := fmt.Sprintf("/proc/%d/ns/uts", podInfraState.Pid)
+ if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.UTSNamespace), utsNsPath); err != nil {
 return nil, err
 }
+
+ // Do not share pid ns for now
+ if containerConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetHostPid() {
+ specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace))
+ }
+
 netNsPath := sb.NetNsPath()
 if netNsPath == "" {
 // The sandbox does not have a permanent namespace,
@@ -780,7 +790,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 netNsPath = fmt.Sprintf("/proc/%d/ns/net", podInfraState.Pid)
 }
- if err := specgen.AddOrReplaceLinuxNamespace("network", netNsPath); err != nil {
+ if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.NetworkNamespace), netNsPath); err != nil {
 return nil, err
 }
diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 461ba052..06f0ae91 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
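Review bot: The new `specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace))` call in the first container_create.go hunk discards its error return, while the same call in sandbox_run.go assigns `err` and bails out, so a failure here would silently leave the container's PID namespace as whatever the spec already held. Change it to `if err := specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace)); err != nil { return nil, err }`. The comment `// Do not share pid ns for now` does not say what the branch actually does — it moves the container into the host PID namespace when HostPid is set — so `// hostPID requested: drop the container's own PID namespace so it runs in the host's` would describe it. The decision is taken from the per-container NamespaceOptions alone; if the sandbox itself was not created with hostPID (the check in sandbox_run.go), a container config asking for it would still land in the host PID namespace, so consider also requiring the sandbox-level setting — whether that is validated elsewhere is not visible from this hunk. createSandboxContainer starts and ends outside the hunk.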
@@ -16,6 +16,7 @@ import (
 "github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
 "github.com/kubernetes-incubator/cri-o/oci"
 "github.com/kubernetes-incubator/cri-o/pkg/annotations"
+ runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
 "github.com/opencontainers/selinux/go-selinux/label"
 "github.com/pkg/errors"
@@ -419,7 +420,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 // set up namespaces
 if hostNetwork {
- err = g.RemoveLinuxNamespace("network")
+ err = g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace))
 if err != nil {
 return nil, err
 }
@@ -440,21 +441,21 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 }()
 // Pass the created namespace path to the runtime
- err = g.AddOrReplaceLinuxNamespace("network", sb.NetNsPath())
+ err = g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), sb.NetNsPath())
 if err != nil {
 return nil, err
 }
 }
 if securityContext.GetNamespaceOptions().GetHostPid() {
- err = g.RemoveLinuxNamespace("pid")
+ err = g.RemoveLinuxNamespace(string(runtimespec.PIDNamespace))
 if err != nil {
 return nil, err
 }
 }
 if securityContext.GetNamespaceOptions().GetHostIpc() {
- err = g.RemoveLinuxNamespace("ipc")
+ err = g.RemoveLinuxNamespace(string(runtimespec.IPCNamespace))
 if err != nil {
 return nil, err
 }