author | Giuseppe Scrivano <gscrivan@redhat.com> | 2018-04-20 18:59:19 +0200 |
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-05-04 17:15:55 +0000 |
commit | 73078fabcfd2420c47e41843da71dd993f9a0a3e (patch) | |
tree | 1c98d8ae433c5f148c7af5184777d2348b5b2540 /cmd/podman/spec.go | |
parent | b51d7379987581da82902027fe91cdf298047bc0 (diff) | |
networking, userNS: configure the network namespace after create
so that the OCI runtime creates the network namespace from the correct
userNS.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #690
Approved by: mheon
Diffstat (limited to 'cmd/podman/spec.go')
-rw-r--r-- | cmd/podman/spec.go | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index 15dab6c4d..747d76359 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -167,6 +167,7 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 cgroupPerm := "ro"
 g := generate.New()
 g.HostSpecific = true
+ addCgroup := true
 if config.Privileged {
 cgroupPerm = "rw"
 g.RemoveMount("/sys")
@@ -177,14 +178,27 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 Options: []string{"nosuid", "noexec", "nodev", "rw"},
 }
 g.AddMount(sysMnt)
+ } else if !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
+ addCgroup = false
+ g.RemoveMount("/sys")
+ sysMnt := spec.Mount{
+ Destination: "/sys",
+ Type: "bind",
+ Source: "/sys",
+ Options: []string{"nosuid", "noexec", "nodev", "ro", "rbind"},
+ }
+ g.AddMount(sysMnt)
 }
- cgroupMnt := spec.Mount{
- Destination: "/sys/fs/cgroup",
- Type: "cgroup",
- Source: "cgroup",
- Options: []string{"nosuid", "noexec", "nodev", "relatime", cgroupPerm},
+
+ if addCgroup {
+ cgroupMnt := spec.Mount{
+ Destination: "/sys/fs/cgroup",
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"nosuid", "noexec", "nodev", "relatime", cgroupPerm},
+ }
+ g.AddMount(cgroupMnt)
 }
- g.AddMount(cgroupMnt)
 g.SetProcessCwd(config.WorkDir)
 g.SetProcessArgs(config.Command)
 g.SetProcessTerminal(config.Tty)
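Review bot: The new `else if` branch in the second hunk gives no reason for replacing the sysfs mount with a read-only recursive bind of the host's /sys and dropping the cgroup mount; a comment such as `// In a user namespace with the host network namespace a fresh sysfs mount is not permitted, so bind the host's /sys read-only (rbind also carries /sys/fs/cgroup, hence no separate cgroup mount).` would spare the next reader the archaeology. Note that `"ro"` on an `rbind` mount is applied to the top mount only, so whether the submounts under /sys (including /sys/fs/cgroup) actually end up read-only depends on the OCI runtime remounting each of them — worth confirming, since the privileged branch above deliberately chooses `rw` for cgroups. The privileged branch is tested first, so a privileged container that combines a user namespace with host networking still gets the plain sysfs mount; if that combination fails for the same reason, the new condition should be evaluated independently of `config.Privileged`. createConfigToOCISpec starts and ends outside the hunk.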
@@ -697,8 +711,9 @@ func (c *createConfig) GetContainerCreateOptions() ([]libpod.CtrCreateOption, er
 }
 options = append(options, libpod.WithNetNSFrom(connectedCtr))
 } else if !c.NetMode.IsHost() && !c.NetMode.IsNone() {
- options = append(options, libpod.WithNetNS([]ocicni.PortMapping{}))
- options = append(options, libpod.WithNetNS(portBindings))
+ postConfigureNetNS := (len(c.IDMappings.UIDMap) > 0 || len(c.IDMappings.GIDMap) > 0) && !c.UsernsMode.IsHost()
+ options = append(options, libpod.WithNetNS([]ocicni.PortMapping{}, postConfigureNetNS))
+ options = append(options, libpod.WithNetNS(portBindings, postConfigureNetNS))
 }
 if c.PidMode.IsContainer() { |