authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-05-09 23:06:51 +0200
committerGitHub <noreply@github.com>2020-05-09 23:06:51 +0200
commitdc7d6f4818f4b986cfd15208d53f6765d8fad986 (patch)
treefe6e50f86caace33f971446d2356dffecaea5c4c
parent3ff96383f306cecfeed75986078144ad757e3d70 (diff)
parent8238b7e70688e637d58305287a19e4080f619587 (diff)
downloadpodman-dc7d6f4818f4b986cfd15208d53f6765d8fad986.tar.gz
podman-dc7d6f4818f4b986cfd15208d53f6765d8fad986.tar.bz2
podman-dc7d6f4818f4b986cfd15208d53f6765d8fad986.zip
Merge pull request #6152 from mheon/fix_pod_join_cgroupns
Fix bug where pods would unintentionally share cgroupns
-rw-r--r--libpod/container_inspect.go34
-rw-r--r--libpod/define/container_inspect.go7
-rw-r--r--libpod/options.go16
-rw-r--r--libpod/pod.go15
-rw-r--r--libpod/pod_api.go20
5 files changed, 82 insertions, 10 deletions
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index ae28dde94..b26dcddf6 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -580,7 +580,10 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
networkMode := ""
switch {
case c.config.CreateNetNS:
- networkMode = "default"
+ // We actually store the network
+ // mode for Slirp and Bridge, so
+ // we can just use that
+ networkMode = string(c.config.NetMode)
case c.config.NetNsCtr != "":
networkMode = fmt.Sprintf("container:%s", c.config.NetNsCtr)
default:
@@ -594,7 +597,10 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
if ns.Path != "" {
networkMode = fmt.Sprintf("ns:%s", ns.Path)
} else {
- networkMode = "private"
+ // We're making a network ns, but not
+ // configuring with Slirp or CNI. That
+ // means it's --net=none
+ networkMode = "none"
}
break
}
@@ -698,6 +704,30 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
}
hostConfig.IpcMode = ipcMode
+ // Cgroup namespace mode
+ cgroupMode := ""
+ if c.config.CgroupNsCtr != "" {
+ cgroupMode = fmt.Sprintf("container:%s", c.config.CgroupNsCtr)
+ } else if ctrSpec.Linux != nil {
+ // Locate the spec's cgroup namespace
+ // If there is none, it's cgroup=host.
+ // If there is one and it has a path, it's "ns:".
+ // If there is no path, it's private.
+ for _, ns := range ctrSpec.Linux.Namespaces {
+ if ns.Type == spec.CgroupNamespace {
+ if ns.Path != "" {
+ cgroupMode = fmt.Sprintf("ns:%s", ns.Path)
+ } else {
+ cgroupMode = "private"
+ }
+ }
+ }
+ if cgroupMode == "" {
+ cgroupMode = "host"
+ }
+ }
+ hostConfig.CgroupMode = cgroupMode
+
// CGroup parent
// Need to check if it's the default, and not print if so.
defaultCgroupParent := ""
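Review bot: `cgroupMode` stays the empty string when `c.config.CgroupNsCtr` is empty and `ctrSpec.Linux` is nil, because the `host` fallback in `if cgroupMode == ""` sits inside the `else if` branch; the new field's doc comment in libpod/define/container_inspect.go lists only private/host/container:<id>/ns:<path>, so anyone verifying namespace isolation from inspect output would meet an undocumented value. Moving `if cgroupMode == "" { cgroupMode = "host" }` out after the closing brace of the `else if` covers that case and matches the comment's "If there is none, it's cgroup=host". If the spec is assumed to carry at most one entry per namespace type, the loop over `ctrSpec.Linux.Namespaces` could also `break` once the cgroup namespace is found. generateInspectContainerHostConfig starts and ends outside the hunk.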
diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
index e6a19e5b4..27ada8706 100644
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -228,6 +228,13 @@ type InspectContainerHostConfig struct {
// include a Mounts field in inspect.
// Format: <src>:<destination>[:<comma-separated options>]
Binds []string `json:"Binds"`
+ // CgroupMode is the configuration of the container's cgroup namespace.
+ // Populated as follows:
+ // private - a cgroup namespace has been created
+ // host - No cgroup namespace created
+ // container:<id> - Using another container's cgroup namespace
+ // ns:<path> - A path to a cgroup namespace has been specified
+ CgroupMode string `json:"CgroupMode"`
// ContainerIDFile is a file created during container creation to hold
// the ID of the created container.
// This is not handled within libpod and is stored in an annotation.
diff --git a/libpod/options.go b/libpod/options.go
index 33b423bce..05241baf3 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1692,6 +1692,22 @@ func WithPodUTS() PodCreateOption {
}
}
+// WithPodCgroup tells containers in this pod to use the cgroup namespace
+// created for this pod.
+// Containers in a pod will inherit the kernel namespaces from the first
+// container added.
+func WithPodCgroup() PodCreateOption {
+ return func(pod *Pod) error {
+ if pod.valid {
+ return define.ErrPodFinalized
+ }
+
+ pod.config.UsePodCgroupNS = true
+
+ return nil
+ }
+}
+
// WithInfraContainer tells the pod to create a pause container
func WithInfraContainer() PodCreateOption {
return func(pod *Pod) error {
diff --git a/libpod/pod.go b/libpod/pod.go
index 8eb06ae2f..34ceef5ef 100644
--- a/libpod/pod.go
+++ b/libpod/pod.go
@@ -51,12 +51,13 @@ type PodConfig struct {
// The following UsePod{kernelNamespace} indicate whether the containers
// in the pod will inherit the namespace from the first container in the pod.
- UsePodPID bool `json:"sharesPid,omitempty"`
- UsePodIPC bool `json:"sharesIpc,omitempty"`
- UsePodNet bool `json:"sharesNet,omitempty"`
- UsePodMount bool `json:"sharesMnt,omitempty"`
- UsePodUser bool `json:"sharesUser,omitempty"`
- UsePodUTS bool `json:"sharesUts,omitempty"`
+ UsePodPID bool `json:"sharesPid,omitempty"`
+ UsePodIPC bool `json:"sharesIpc,omitempty"`
+ UsePodNet bool `json:"sharesNet,omitempty"`
+ UsePodMount bool `json:"sharesMnt,omitempty"`
+ UsePodUser bool `json:"sharesUser,omitempty"`
+ UsePodUTS bool `json:"sharesUts,omitempty"`
+ UsePodCgroupNS bool `json:"sharesCgroupNS,omitempty"`
InfraContainer *InfraContainerConfig `json:"infraConfig"`
@@ -167,7 +168,7 @@ func (p *Pod) SharesUTS() bool {
// SharesCgroup returns whether containers in the pod will default to this pod's
// cgroup instead of the default libpod parent
func (p *Pod) SharesCgroup() bool {
- return p.config.UsePodCgroup
+ return p.config.UsePodCgroupNS
}
// CgroupPath returns the path to the pod's CGroup
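Review bot: The doc comment on `SharesCgroup` still says containers will default to the pod's cgroup instead of the libpod parent, but the function now returns `UsePodCgroupNS`, which the new `WithPodCgroup` option in libpod/options.go describes as the pod's cgroup namespace; cgroup parent and cgroup namespace are different isolation properties, so the comment now misleads callers deciding what is shared. Either update it to `// SharesCgroup returns whether containers in the pod will share the pod's cgroup namespace` or, if `UsePodCgroup` still exists for the cgroup-parent setting, keep `SharesCgroup` on that field and add a separate `SharesCgroupNS` accessor. Whether `UsePodCgroup` remains in PodConfig is not visible in this diff.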
diff --git a/libpod/pod_api.go b/libpod/pod_api.go
index 45aa5cb8d..0be9f2573 100644
--- a/libpod/pod_api.go
+++ b/libpod/pod_api.go
@@ -466,6 +466,24 @@ func (p *Pod) Inspect() (*define.InspectPodData, error) {
if err != nil {
return nil, err
}
+
+ namespaces := map[string]bool{
+ "pid": p.config.UsePodPID,
+ "ipc": p.config.UsePodIPC,
+ "net": p.config.UsePodNet,
+ "mount": p.config.UsePodMount,
+ "user": p.config.UsePodUser,
+ "uts": p.config.UsePodUTS,
+ "cgroup": p.config.UsePodCgroupNS,
+ }
+
+ sharesNS := []string{}
+ for nsStr, include := range namespaces {
+ if include {
+ sharesNS = append(sharesNS, nsStr)
+ }
+ }
+
inspectData := define.InspectPodData{
ID: p.ID(),
Name: p.Name(),
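Review bot: `sharesNS` is built by ranging over the `namespaces` map, so the order of SharedNamespaces in pod inspect output changes from run to run; anything that diffs or hashes inspect output (tests, drift checks, audit tooling) will see spurious changes. Iterating a slice of (name, flag) pairs in a fixed order keeps the output stable without needing a sort import. `Inspect` starts and ends outside the hunk.
```go
	namespaces := []struct {
		name   string
		shared bool
	}{
		{"pid", p.config.UsePodPID},
		{"ipc", p.config.UsePodIPC},
		{"net", p.config.UsePodNet},
		{"mount", p.config.UsePodMount},
		{"user", p.config.UsePodUser},
		{"uts", p.config.UsePodUTS},
		{"cgroup", p.config.UsePodCgroupNS},
	}

	sharesNS := []string{}
	for _, ns := range namespaces {
		if ns.shared {
			sharesNS = append(sharesNS, ns.name)
		}
	}
	// … unchanged: inspectData construction …
```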
@@ -480,7 +498,7 @@ func (p *Pod) Inspect() (*define.InspectPodData, error) {
CreateInfra: false,
InfraContainerID: p.state.InfraContainerID,
InfraConfig: nil,
- SharedNamespaces: nil,
+ SharedNamespaces: sharesNS,
NumContainers: uint(len(containers)),
Containers: ctrs,
}