diff options
| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-01-13 14:28:20 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-01-13 14:28:20 -0500 |
| commit | bbff9c8710870bbadbaf2e69e827db30c109bbb9 (patch) | |
| tree | 40b9825e3487b3a855278683103a5581e124e245 | |
| parent | b2b14235aa774b4bd4139a8ee97ced0117bbe628 (diff) | |
| parent | ee684667a608d866d57c0dbf8d7734efa90bfb70 (diff) | |
| download | podman-bbff9c8710870bbadbaf2e69e827db30c109bbb9.tar.gz podman-bbff9c8710870bbadbaf2e69e827db30c109bbb9.tar.bz2 podman-bbff9c8710870bbadbaf2e69e827db30c109bbb9.zip | |
Merge pull request #8960 from giuseppe/bridge-no-post-config
network: disallow CNI networks with user namespaces
| -rw-r--r-- | pkg/specgen/generate/namespaces.go | 3 | ||||
| -rw-r--r-- | test/e2e/run_networking_test.go | 22 |
2 files changed, 23 insertions, 2 deletions
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go index 3cd5a3c9c..f66ad6101 100644 --- a/pkg/specgen/generate/namespaces.go +++ b/pkg/specgen/generate/namespaces.go @@ -236,6 +236,9 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod. case specgen.Private: fallthrough case specgen.Bridge: + if postConfigureNetNS && rootless.IsRootless() { + return nil, errors.New("CNI networks not supported with user namespaces") + } portMappings, err := createPortMappings(ctx, s, img) if err != nil { return nil, err diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go index b8e14530c..cbaae7186 100644 --- a/test/e2e/run_networking_test.go +++ b/test/e2e/run_networking_test.go @@ -622,7 +622,7 @@ var _ = Describe("Podman run networking", func() { It("podman run in custom CNI network with --static-ip", func() { SkipIfRootless("Rootless mode does not support --ip") - netName := "podmantestnetwork" + netName := stringid.GenerateNonCryptoID() ipAddr := "10.25.30.128" create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.30.0/24", netName}) create.WaitWithDefaultTimeout() @@ -639,9 +639,27 @@ var _ = Describe("Podman run networking", func() { Expect(create.ExitCode()).To(BeZero()) }) + It("podman rootless fails custom CNI network with --uidmap", func() { + SkipIfNotRootless("The configuration works with rootless") + + netName := stringid.GenerateNonCryptoID() + create := podmanTest.Podman([]string{"network", "create", netName}) + create.WaitWithDefaultTimeout() + Expect(create.ExitCode()).To(BeZero()) + defer podmanTest.removeCNINetwork(netName) + + run := podmanTest.Podman([]string{"run", "--rm", "--net", netName, "--uidmap", "0:1:4096", ALPINE, "true"}) + run.WaitWithDefaultTimeout() + Expect(run.ExitCode()).To(Equal(125)) + + remove := podmanTest.Podman([]string{"network", "rm", netName}) + remove.WaitWithDefaultTimeout() + Expect(remove.ExitCode()).To(BeZero()) + }) + It("podman run with new:pod and static-ip", func() { SkipIfRootless("Rootless does not support --ip") - netName := "podmantestnetwork2" + netName := stringid.GenerateNonCryptoID() ipAddr := "10.25.40.128" podname := "testpod" create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.40.0/24", netName}) |