Add constraint that dependencies must be in the same ns

Dependency containers must be in the same namespace, to ensure
there are never problems resolving a dependency.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/libpod/boltdb_state_linux.go b/libpod/boltdb_state_linux.go
index ceea955bd..7c0e08fb3 100644
--- a/libpod/boltdb_state_linux.go
+++ b/libpod/boltdb_state_linux.go
@@ -3,6 +3,7 @@
 package libpod
 
 import (
+	"bytes"
 	"encoding/json"
 	"path/filepath"
 
@@ -19,6 +20,13 @@ func (s *BoltState) getContainerFromDB(id []byte, ctr *Container, ctrsBkt *bolt.
 		return errors.Wrapf(ErrNoSuchCtr, "container %s not found in DB", string(id))
 	}
 
+	if s.namespaceBytes != nil {
+		ctrNamespaceBytes := ctrBkt.Get(namespaceKey)
+		if !bytes.Equal(s.namespaceBytes, ctrNamespaceBytes) {
+			return errors.Wrapf(ErrNSMismatch, "cannot retrieve container %s as it is part of namespace %q and we are in namespace %q", string(id), string(ctrNamespaceBytes), s.namespace)
+		}
+	}
+
 	configBytes := ctrBkt.Get(configKey)
 	if configBytes == nil {
 		return errors.Wrapf(ErrInternal, "container %s missing config key in DB", string(id))