author | haircommander <pehunt@redhat.com> | 2018-07-27 13:58:50 -0400 |
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-08-23 18:16:28 +0000 |
commit | d5e690914dc78eca8664442e7677eb5004522bfd (patch) | |
tree | 3f7ed30e4302c871c16126a0032b8a3d51c46f98 /cmd/podman/pod_create.go | |
parent | 63dd200e7e47261454c7e55fed2ad972144e147f (diff) | |
Added option to share kernel namespaces in libpod and podman
A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1187
Approved by: mheon
Diffstat (limited to 'cmd/podman/pod_create.go')
-rw-r--r-- | cmd/podman/pod_create.go | 57 |
1 files changed, 56 insertions, 1 deletions
diff --git a/cmd/podman/pod_create.go b/cmd/podman/pod_create.go
index 568ace6e7..6975c9386 100644
--- a/cmd/podman/pod_create.go
+++ b/cmd/podman/pod_create.go
@@ -3,6 +3,7 @@ package main
 import (
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/containers/libpod/cmd/podman/libpodruntime"
 	"github.com/containers/libpod/libpod"
@@ -11,6 +12,11 @@ import (
 	"github.com/urfave/cli"
 )
 
+var (
+	// CRI-O default kernel namespaces
+	DefaultKernelNamespaces = "ipc,net,uts"
+)
+
 var podCreateDescription = "Creates a new empty pod. The pod ID is then" +
 	" printed to stdout. You can then start it at any time with the" +
 	" podman pod start <pod_id> command. The pod will be created with the" +
@@ -33,10 +39,27 @@ var podCreateFlags = []cli.Flag{
 		Name:  "name, n",
 		Usage: "Assign a name to the pod",
 	},
+	cli.BoolTFlag{
+		Name:  "pause",
+		Usage: "Create a pause container associated with the pod to share namespaces with",
+	},
+	cli.StringFlag{
+		Name:  "pause-image",
+		Usage: "The image of the pause container to associate with the pod",
+	},
+	cli.StringFlag{
+		Name:  "pause-command",
+		Usage: "The command to run on the pause container when the pod is started",
+	},
 	cli.StringFlag{
 		Name:  "pod-id-file",
 		Usage: "Write the pod ID to the file",
 	},
+	cli.StringFlag{
+		Name:  "share",
+		Usage: "A comma deliminated list of kernel namespaces the pod will share",
+		Value: DefaultKernelNamespaces,
+	},
 }
 
 var podCreateCommand = cli.Command{
@@ -71,6 +94,9 @@ func podCreateCmd(c *cli.Context) error {
 			return errors.Wrapf(err, "unable to write pod id file %s", c.String("pod-id-file"))
 		}
 	}
+	if !c.BoolT("pause") && c.IsSet("share") && c.String("share") != "none" && c.String("share") != "" {
+		return errors.Errorf("You cannot share kernel namespaces on the pod level without a pause container")
+	}
 	if c.IsSet("cgroup-parent") {
 		options = append(options, libpod.WithPodCgroupParent(c.String("cgroup-parent")))
@@ -88,10 +114,39 @@ func podCreateCmd(c *cli.Context) error {
 		options = append(options, libpod.WithPodName(c.String("name")))
 	}
+	if c.BoolT("pause") {
+		options = append(options, libpod.WithPauseContainer())
+		for _, toShare := range strings.Split(c.String("share"), ",") {
+			switch toShare {
+			case "net":
+				options = append(options, libpod.WithPodNet())
+			case "mnt":
+				//options = append(options, libpod.WithPodMNT())
+				logrus.Debug("Mount Namespace sharing functionality not supported")
+			case "pid":
+				options = append(options, libpod.WithPodPID())
+			case "user":
+				// Note: more set up needs to be done before this doesn't error out a create.
+				logrus.Debug("User Namespace sharing functionality not supported")
+			case "ipc":
+				options = append(options, libpod.WithPodIPC())
+			case "uts":
+				options = append(options, libpod.WithPodUTS())
+			case "":
+			case "none":
+				continue
+			default:
+				return errors.Errorf("Invalid kernel namespace to share: %s. Options are: %s, or none", toShare, strings.Join(libpod.KernelNamespaces, ","))
+			}
+		}
+	}
 	// always have containers use pod cgroups
 	// User Opt out is not yet supported
 	options = append(options, libpod.WithPodCgroups())
-	pod, err := runtime.NewPod(options...)
+	ctx := getContext()
+	pod, err := runtime.NewPod(ctx, options...)
 	if err != nil {
 		return err
 	}
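Review bot: The `mnt` and `user` cases in the share switch accept the value and only emit a Debug log, so `podman pod create --share user` succeeds while the pod is created without user-namespace sharing, and a caller that relies on the requested namespace configuration gets no visible signal at the default log level. Since the `default` branch already rejects unknown names, the unsupported ones should fail the same way, e.g. `return errors.Errorf("sharing the %s namespace is not yet supported", toShare)` in both cases, or at minimum `logrus.Warnf("%s namespace sharing is not supported; ignoring", toShare)` so the omission is surfaced. The split values are also not trimmed, so `--share "net, ipc"` is rejected as an invalid namespace; adding `toShare = strings.TrimSpace(toShare)` before the switch would match the comma-delimited usage text. The body of podCreateCmd begins before and ends after this hunk.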