author | Daniel J Walsh <dwalsh@redhat.com> | 2020-07-28 09:18:21 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2020-07-28 14:53:54 -0400 |
commit | bb4d269087d11623e15d1aa3c8cb197f29a601d1 (patch) | |
tree | 1927db4a75af39689b937df14c30c423f00bea08 | |
parent | 288ebec6e737c105fa0ef43412de4e0a8997feb9 (diff) | |
Specifying --ipc=host --pid=host is broken
For some reason we were overwriting memory when handling both
--pid=host and --ipc=host. Simplified the code to handle this
correctly, and add test to make sure it does not happen again.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r-- | cmd/podman/common/create_opts.go | 2 | ||||
-rw-r--r-- | cmd/podman/common/specgen.go | 64 | ||||
-rw-r--r-- | cmd/podman/containers/create.go | 2 | ||||
-rw-r--r-- | test/e2e/run_ns_test.go | 31 |
4 files changed, 75 insertions, 24 deletions
diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go
index 3802c37b0..f9e4d7ca5 100644
--- a/cmd/podman/common/create_opts.go
+++ b/cmd/podman/common/create_opts.go
@@ -10,7 +10,7 @@ type ContainerCLIOpts struct {
 BlkIOWeightDevice []string
 CapAdd []string
 CapDrop []string
- CGroupsNS string
+ CgroupNS string
 CGroupsMode string
 CGroupParent string
 CIDFile string
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go
index 07c88efea..0b6897d3a 100644
--- a/cmd/podman/common/specgen.go
+++ b/cmd/podman/common/specgen.go
@@ -186,6 +186,46 @@ func getMemoryLimits(s *specgen.SpecGenerator, c *ContainerCLIOpts) (*specs.Linu
 return memory, nil
 }
+func setNamespaces(s *specgen.SpecGenerator, c *ContainerCLIOpts) error {
+ var err error
+
+ if c.PID != "" {
+ s.PidNS, err = specgen.ParseNamespace(c.PID)
+ if err != nil {
+ return err
+ }
+ }
+ if c.IPC != "" {
+ s.IpcNS, err = specgen.ParseNamespace(c.IPC)
+ if err != nil {
+ return err
+ }
+ }
+ if c.UTS != "" {
+ s.UtsNS, err = specgen.ParseNamespace(c.UTS)
+ if err != nil {
+ return err
+ }
+ }
+ if c.CgroupNS != "" {
+ s.CgroupNS, err = specgen.ParseNamespace(c.CgroupNS)
+ if err != nil {
+ return err
+ }
+ }
+ // userns must be treated differently
+ if c.UserNS != "" {
+ s.UserNS, err = specgen.ParseUserNamespace(c.UserNS)
+ if err != nil {
+ return err
+ }
+ }
+ if c.Net != nil {
+ s.NetNS = c.Net.Network
+ }
+ return nil
+}
+
 func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string) error {
 var (
 err error
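Review bot: setNamespaces in cmd/podman/common/specgen.go has no doc comment saying why each flag gets its own branch, and that reason is the whole fix. The loop removed from FillOutSpecGen built a map keyed by the flag value, so `--ipc=host --pid=host` yields two equal keys and a single entry; only one of s.IpcNS / s.PidNS was written in that loop and the other kept whatever value it already had instead of the requested host namespace. I would add above the function `// setNamespaces parses each namespace flag into its own field; never key a lookup on the flag value, because equal values such as --ipc=host --pid=host collapse into one entry.` so the pattern is not reintroduced.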
@@ -252,28 +292,8 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 }
 s.Expose = expose
- for k, v := range map[string]*specgen.Namespace{
- c.IPC: &s.IpcNS,
- c.PID: &s.PidNS,
- c.UTS: &s.UtsNS,
- c.CGroupsNS: &s.CgroupNS,
- } {
- if k != "" {
- *v, err = specgen.ParseNamespace(k)
- if err != nil {
- return err
- }
- }
- }
- // userns must be treated differently
- if c.UserNS != "" {
- s.UserNS, err = specgen.ParseUserNamespace(c.UserNS)
- if err != nil {
- return err
- }
- }
- if c.Net != nil {
- s.NetNS = c.Net.Network
+ if err := setNamespaces(s, c); err != nil {
+ return err
 }
 if sig := c.StopSignal; len(sig) > 0 {
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index dcbc52b56..dd77dc9d7 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@@ -195,7 +195,7 @@ func createInit(c *cobra.Command) error {
 cliVals.IPC = c.Flag("ipc").Value.String()
 cliVals.UTS = c.Flag("uts").Value.String()
 cliVals.PID = c.Flag("pid").Value.String()
- cliVals.CGroupsNS = c.Flag("cgroupns").Value.String()
+ cliVals.CgroupNS = c.Flag("cgroupns").Value.String()
 if c.Flag("entrypoint").Changed {
 val := c.Flag("entrypoint").Value.String()
 cliVals.Entrypoint = &val
diff --git a/test/e2e/run_ns_test.go b/test/e2e/run_ns_test.go
index 2b6da2888..5242e04d2 100644
--- a/test/e2e/run_ns_test.go
+++ b/test/e2e/run_ns_test.go
@@ -2,6 +2,7 @@ package integration
 import (
 "os"
+ "os/exec"
 "strings"
 . "github.com/containers/podman/v2/test/utils"
@@ -102,4 +103,34 @@ var _ = Describe("Podman run ns", func() {
 session.WaitWithDefaultTimeout()
 Expect(session).To(ExitWithError())
 })
+
+ It("podman run --ipc=host --pid=host", func() {
+ cmd := exec.Command("ls", "-l", "/proc/self/ns/pid")
+ res, err := cmd.Output()
+ Expect(err).To(BeNil())
+ fields := strings.Split(string(res), " ")
+ hostPidNS := strings.TrimSuffix(fields[len(fields)-1], "\n")
+
+ cmd = exec.Command("ls", "-l", "/proc/self/ns/ipc")
+ res, err = cmd.Output()
+ Expect(err).To(BeNil())
+ fields = strings.Split(string(res), " ")
+ hostIpcNS := strings.TrimSuffix(fields[len(fields)-1], "\n")
+
+ session := podmanTest.Podman([]string{"run", "--ipc=host", "--pid=host", ALPINE, "ls", "-l", "/proc/self/ns/pid"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ fields = strings.Split(session.OutputToString(), " ")
+ ctrPidNS := strings.TrimSuffix(fields[len(fields)-1], "\n")
+
+ session = podmanTest.Podman([]string{"run", "--ipc=host", "--pid=host", ALPINE, "ls", "-l", "/proc/self/ns/ipc"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ fields = strings.Split(session.OutputToString(), " ")
+ ctrIpcNS := strings.TrimSuffix(fields[len(fields)-1], "\n")
+
+ Expect(hostPidNS).To(Equal(ctrPidNS))
+ Expect(hostIpcNS).To(Equal(ctrIpcNS))
+ })
+
 }) |
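Review bot: The new It block in test/e2e/run_ns_test.go obtains every namespace id by running `ls -l` and taking the last space-separated field, which ties the assertion to ls output formatting on both the host and the ALPINE image. On the host side the link can be read directly with the already imported os package, `hostPidNS, err := os.Readlink("/proc/self/ns/pid")` and likewise for `/proc/self/ns/ipc`, which would also make the added os/exec import unnecessary. The case covers only --ipc with --pid; setNamespaces parses --uts and --cgroupns through the same kind of branch, so a second combination with equal values (for example --uts=host together with --ipc=host) would guard the other fields against the same regression.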