diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-09-16 16:40:41 +0200 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-09-16 16:42:11 +0200 |
commit | 7c3428de26f12c6c31985310d785200f7c212d09 (patch) | |
tree | 049b9b79528bd8991c44cdf15308a9028f455a78 /libpod/networking_linux.go | |
parent | a1970e1915fa99c1893bccd3a71a11d2bff77602 (diff) | |
download | podman-7c3428de26f12c6c31985310d785200f7c212d09.tar.gz podman-7c3428de26f12c6c31985310d785200f7c212d09.tar.bz2 podman-7c3428de26f12c6c31985310d785200f7c212d09.zip |
networking: use --enable-sandbox if available
if slirp4netns supports sandboxing, enable it.
It automatically creates a new mount namespace where slirp4netns will
run and have limited access to the host resources.
It needs slirp4netns 0.4.1.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'libpod/networking_linux.go')
-rw-r--r-- | libpod/networking_linux.go | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index fd14b2f73..67dd0150b 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -127,13 +127,13 @@ type slirp4netnsCmd struct { Args slirp4netnsCmdArg `json:"arguments"` } -func checkSlirpFlags(path string) (bool, bool, error) { +func checkSlirpFlags(path string) (bool, bool, bool, error) { cmd := exec.Command(path, "--help") out, err := cmd.CombinedOutput() if err != nil { - return false, false, err + return false, false, false, err } - return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), nil + return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), strings.Contains(string(out), "--enable-sandbox"), nil } // Configure the network namespace for a rootless container @@ -166,7 +166,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) { if havePortMapping { cmdArgs = append(cmdArgs, "--api-socket", apiSocket, fmt.Sprintf("%d", ctr.state.PID)) } - dhp, mtu, err := checkSlirpFlags(path) + dhp, mtu, sandbox, err := checkSlirpFlags(path) if err != nil { return errors.Wrapf(err, "error checking slirp4netns binary %s", path) } @@ -176,6 +176,9 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) { if mtu { cmdArgs = append(cmdArgs, "--mtu", "65520") } + if sandbox { + cmdArgs = append(cmdArgs, "--enable-sandbox") + } cmdArgs = append(cmdArgs, "-c", "-e", "3", "-r", "4", fmt.Sprintf("%d", ctr.state.PID), "tap0") cmd := exec.Command(path, cmdArgs...) |