Allow chained network namespace containers

The code currently assumes that the container we delegate network
namespace to will never further delegate to another container, so
when looking up things like /etc/hosts and /etc/resolv.conf we
won't pull the correct files from the chained dependency. The
changes to resolve this are relatively simple - just need to keep
looking until we find a container without NetNsCtr set.

Fixes #4626

Signed-off-by: Matthew Heon <matthew.heon@pm.me>

1 files changed, 18 insertions, 3 deletions

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 586de0776..1b0570998 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -1016,9 +1016,24 @@ func (c *Container) makeBindMounts() error {
 			// We want /etc/resolv.conf and /etc/hosts from the
 			// other container. Unless we're not creating both of
 			// them.
-			depCtr, err := c.runtime.state.Container(c.config.NetNsCtr)
-			if err != nil {
-				return errors.Wrapf(err, "error fetching dependency %s of container %s", c.config.NetNsCtr, c.ID())
+			var (
+				depCtr  *Container
+				nextCtr string
+			)
+
+			// I don't like infinite loops, but I don't think there's
+			// a serious risk of looping dependencies - too many
+			// protections against that elsewhere.
+			nextCtr = c.config.NetNsCtr
+			for {
+				depCtr, err = c.runtime.state.Container(nextCtr)
+				if err != nil {
+					return errors.Wrapf(err, "error fetching dependency %s of container %s", c.config.NetNsCtr, c.ID())
+				}
+				nextCtr = depCtr.config.NetNsCtr
+				if nextCtr == "" {
+					break
+				}
 			}
 
 			// We need that container's bind mounts