Enforce namespace checks on container add

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
author: Matthew Heon <matthew.heon@gmail.com> 2018-07-19 11:24:42 -0400
committer: Matthew Heon <matthew.heon@gmail.com> 2018-07-24 16:12:31 -0400
commit: 7b30659629deaddafc7fc925d869324ae754c216 (patch)
tree: 21d3a23fe7ff811e67603eecbaae37f56b0cf1b4 /libpod/boltdb_state_internal.go
parent: 572fd75d226550ac1576bf38812e5417a9eddeee (diff)
download: podman-7b30659629deaddafc7fc925d869324ae754c216.tar.gz
podman-7b30659629deaddafc7fc925d869324ae754c216.tar.bz2
podman-7b30659629deaddafc7fc925d869324ae754c216.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/libpod/boltdb_state_internal.go b/libpod/boltdb_state_internal.go
index 81c9f49f5..b03c11531 100644
--- a/libpod/boltdb_state_internal.go
+++ b/libpod/boltdb_state_internal.go
@@ -266,6 +266,11 @@ func (s *BoltState) getPodFromDB(id []byte, pod *Pod, podBkt *bolt.Bucket) error
 // Add a container to the DB
 // If pod is not nil, the container is added to the pod as well
 func (s *BoltState) addContainer(ctr *Container, pod *Pod) error {
+	if s.namespace != "" && s.namespace != ctr.config.Namespace {
+		return errors.Wrapf(ErrNSMismatch, "cannot add container %s as it is in namespace %q and we are in namespace %q",
+			ctr.ID(), s.namespace, ctr.config.Namespace)
+	}
+
 	// JSON container structs to insert into DB
 	// TODO use a higher-performance struct encoding than JSON
 	configJSON, err := json.Marshal(ctr.config)
author	Matthew Heon <matthew.heon@gmail.com>	2018-07-19 11:24:42 -0400
committer	Matthew Heon <matthew.heon@gmail.com>	2018-07-24 16:12:31 -0400
commit	7b30659629deaddafc7fc925d869324ae754c216 (patch)
tree	21d3a23fe7ff811e67603eecbaae37f56b0cf1b4 /libpod/boltdb_state_internal.go
parent	572fd75d226550ac1576bf38812e5417a9eddeee (diff)
download	podman-7b30659629deaddafc7fc925d869324ae754c216.tar.gz podman-7b30659629deaddafc7fc925d869324ae754c216.tar.bz2 podman-7b30659629deaddafc7fc925d869324ae754c216.zip