aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2019-09-16 16:40:41 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-09-16 16:42:11 +0200
commit7c3428de26f12c6c31985310d785200f7c212d09 (patch)
tree049b9b79528bd8991c44cdf15308a9028f455a78
parenta1970e1915fa99c1893bccd3a71a11d2bff77602 (diff)
downloadpodman-7c3428de26f12c6c31985310d785200f7c212d09.tar.gz
podman-7c3428de26f12c6c31985310d785200f7c212d09.tar.bz2
podman-7c3428de26f12c6c31985310d785200f7c212d09.zip
networking: use --enable-sandbox if available
if slirp4netns supports sandboxing, enable it. It automatically creates a new mount namespace where slirp4netns will run and have limited access to the host resources. It needs slirp4netns 0.4.1. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--libpod/networking_linux.go11
1 files changed, 7 insertions, 4 deletions
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index fd14b2f73..67dd0150b 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -127,13 +127,13 @@ type slirp4netnsCmd struct {
Args slirp4netnsCmdArg `json:"arguments"`
}
-func checkSlirpFlags(path string) (bool, bool, error) {
+func checkSlirpFlags(path string) (bool, bool, bool, error) {
cmd := exec.Command(path, "--help")
out, err := cmd.CombinedOutput()
if err != nil {
- return false, false, err
+ return false, false, false, err
}
- return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), nil
+ return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), strings.Contains(string(out), "--enable-sandbox"), nil
}
// Configure the network namespace for a rootless container
@@ -166,7 +166,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) {
if havePortMapping {
cmdArgs = append(cmdArgs, "--api-socket", apiSocket, fmt.Sprintf("%d", ctr.state.PID))
}
- dhp, mtu, err := checkSlirpFlags(path)
+ dhp, mtu, sandbox, err := checkSlirpFlags(path)
if err != nil {
return errors.Wrapf(err, "error checking slirp4netns binary %s", path)
}
@@ -176,6 +176,9 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) {
if mtu {
cmdArgs = append(cmdArgs, "--mtu", "65520")
}
+ if sandbox {
+ cmdArgs = append(cmdArgs, "--enable-sandbox")
+ }
cmdArgs = append(cmdArgs, "-c", "-e", "3", "-r", "4", fmt.Sprintf("%d", ctr.state.PID), "tap0")
cmd := exec.Command(path, cmdArgs...)