diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-07-25 14:55:05 +0200 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-07-25 23:04:54 +0200 |
commit | ba5741e3986bff0974989a3c662895aabb329f4c (patch) | |
tree | d5261d581f327962153f08032ef91c194317c2fc | |
parent | 7c9095ea1de363f8d76ae246575062755ac9398e (diff) | |
download | podman-ba5741e3986bff0974989a3c662895aabb329f4c.tar.gz podman-ba5741e3986bff0974989a3c662895aabb329f4c.tar.bz2 podman-ba5741e3986bff0974989a3c662895aabb329f4c.zip |
pods: do not to join a userns if there is not any
do not attempt to join the user namespace if the pod is running in the
host user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r-- | cmd/podman/shared/create.go | 15 | ||||
-rw-r--r-- | pkg/adapter/pods.go | 22 |
2 files changed, 32 insertions, 5 deletions
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go index 815e2d304..9578eb17d 100644 --- a/cmd/podman/shared/create.go +++ b/cmd/podman/shared/create.go @@ -282,13 +282,26 @@ func configurePod(c *GenericCLIResults, runtime *libpod.Runtime, namespaces map[ if err != nil { return namespaces, err } + hasUserns := false + if podInfraID != "" { + podCtr, err := runtime.GetContainer(podInfraID) + if err != nil { + return namespaces, err + } + mappings, err := podCtr.IDMappings() + if err != nil { + return namespaces, err + } + hasUserns = len(mappings.UIDMap) > 0 + } + if (namespaces["pid"] == cc.Pod) || (!c.IsSet("pid") && pod.SharesPID()) { namespaces["pid"] = fmt.Sprintf("container:%s", podInfraID) } if (namespaces["net"] == cc.Pod) || (!c.IsSet("net") && !c.IsSet("network") && pod.SharesNet()) { namespaces["net"] = fmt.Sprintf("container:%s", podInfraID) } - if (namespaces["user"] == cc.Pod) || (!c.IsSet("user") && pod.SharesUser()) { + if hasUserns && (namespaces["user"] == cc.Pod) || (!c.IsSet("user") && pod.SharesUser()) { namespaces["user"] = fmt.Sprintf("container:%s", podInfraID) } if (namespaces["ipc"] == cc.Pod) || (!c.IsSet("ipc") && pod.SharesIPC()) { diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go index 5960fac60..b9d7fcd9b 100644 --- a/pkg/adapter/pods.go +++ b/pkg/adapter/pods.go @@ -492,14 +492,28 @@ func (r *LocalRuntime) PlayKubeYAML(ctx context.Context, c *cliconfig.KubePlayVa if err != nil { return nil, err } + hasUserns := false + if podInfraID != "" { + podCtr, err := r.GetContainer(podInfraID) + if err != nil { + return nil, err + } + mappings, err := podCtr.IDMappings() + if err != nil { + return nil, err + } + hasUserns = len(mappings.UIDMap) > 0 + } namespaces := map[string]string{ // Disabled during code review per mheon //"pid": fmt.Sprintf("container:%s", podInfraID), - "net": fmt.Sprintf("container:%s", podInfraID), - "user": fmt.Sprintf("container:%s", podInfraID), - "ipc": fmt.Sprintf("container:%s", podInfraID), - "uts": fmt.Sprintf("container:%s", podInfraID), + "net": fmt.Sprintf("container:%s", podInfraID), + "ipc": fmt.Sprintf("container:%s", podInfraID), + "uts": fmt.Sprintf("container:%s", podInfraID), + } + if hasUserns { + namespaces["user"] = fmt.Sprintf("container:%s", podInfraID) } if !c.Quiet { writer = os.Stderr |