authorGiuseppe Scrivano <gscrivan@redhat.com>2019-01-18 17:12:23 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-01-18 17:12:28 +0100
commit8156f8c69473f8a7f970ca4f1b4a5f01a99d368a (patch)
tree80d656d4d77330e58604377480f6cc00ccb2217f
parenta2ab36d0d115718b5d08ccca9ff567de1d3db20a (diff)
rootless: fix --pid=host without --privileged
When using --pid=host don't try to cover /proc paths, as they are coming from the /proc bind mounted from the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--pkg/spec/spec.go4
-rw-r--r--test/e2e/rootless_test.go4
2 files changed, 8 insertions, 0 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 9ef0223f2..46105af4a 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -376,6 +376,10 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
}
func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator) {
+ if config.PidMode.IsHost() && rootless.IsRootless() {
+ return
+ }
+
if !config.Privileged {
for _, mp := range []string{
"/proc/acpi",
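Review bot: The early return added at the top of blockAccessToKernelFilesystems skips the whole function for rootless `--pid=host`, not just the `/proc` entries that the commit message says cannot be covered. The function body continues past this hunk, so if the path list or later code also handles locations outside `/proc`, that protection is dropped too. It would be safer to skip only the entries under `/proc` than to return unconditionally. Either way the guard needs a comment recording the security reasoning, for example `// rootless --pid=host: /proc is bind mounted from the host, so these paths cannot be masked; access is limited to what the unprivileged host user can already read`. The assumption in that comment is inferred from the commit message and should be confirmed.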
diff --git a/test/e2e/rootless_test.go b/test/e2e/rootless_test.go
index daf8b8c32..2b84d34c9 100644
--- a/test/e2e/rootless_test.go
+++ b/test/e2e/rootless_test.go
@@ -276,6 +276,10 @@ var _ = Describe("Podman rootless", func() {
runRootlessHelper([]string{"--net", "host"})
})
+ It("podman rootless rootfs --pid host", func() {
+ runRootlessHelper([]string{"--pid", "host"})
+ })
+
It("podman rootless rootfs --privileged", func() {
runRootlessHelper([]string{"--privileged"})
})
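Review bot: The new `--pid host` case only passes the flag to runRootlessHelper, so as far as this hunk shows it checks that the container starts, not which kernel paths the container can see afterwards. The helper and the enclosing Describe block are defined outside the hunk, so this is inferred from the call alone. Because the companion change in pkg/spec/spec.go turns off masking for this mode, a second case is worth adding that runs without `--pid host` and asserts a masked path such as `/proc/acpi` is still covered. That would catch a later regression that widens the early return.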