diff options
| author | Matthew Heon <mheon@redhat.com> | 2020-05-08 17:41:50 -0400 |
|---|---|---|
| committer | Matthew Heon <mheon@redhat.com> | 2020-05-08 18:00:42 -0400 |
| commit | c57c560d9014b38040df8529f09208ba7743f794 (patch) | |
| tree | 94a9db7cd4402b0778071ff3fc3daa0487dbc0b8 /libpod/options.go | |
| parent | 7f8b31f5fb59d8b66a26dcd822863fbc18687905 (diff) | |
| download | podman-c57c560d9014b38040df8529f09208ba7743f794.tar.gz podman-c57c560d9014b38040df8529f09208ba7743f794.tar.bz2 podman-c57c560d9014b38040df8529f09208ba7743f794.zip | |
Fix bug where pods would unintentionally share cgroupns
This one was a massive pain to track down.
The original symptom was an error message from rootless Podman
trying to make a container in a pod. I unfortunately did not look
at the error message closely enough to realize that the namespace
in question was the cgroup namespace (the reproducer pod was
explicitly set to only share the network namespace), else this
would have been quite a bit shorter.
I spent considerable effort trying to track down differences
between the inspect output of the two containers, and when that
failed I was forced to resort to diffing the OCI specs. That
finally proved fruitful, and I was able to determine what should
have been obvious all along: the container was joining the cgroup
namespace of the infra container when it really ought not to
have.
From there, I discovered a variable collision in pod config. The
UsePodCgroup variable means "create a parent cgroup for the pod
and join containers in the pod to it". Unfortunately, it is very
similar to UsePodUTS, UsePodNet, etc, which mean "the pod shares
this namespace", so an accessor was accidentally added for it
that indicated the pod shared the cgroup namespace when it really
did not. Once I realized that, it was a quick fix - add a bool to
the pod's configuration to indicate whether the cgroup ns was
shared (distinct from UsePodCgroup) and use that for the
accessor.
Also included are fixes for `podman inspect` and
`podman pod inspect` that fix them to actually display the state
of the cgroup namespace (for container inspect) and what
namespaces are shared (for pod inspect). Either of those would
have made tracking this down considerably quicker.
Fixes #6149
Signed-off-by: Matthew Heon <mheon@redhat.com>
Diffstat (limited to 'libpod/options.go')
| -rw-r--r-- | libpod/options.go | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/libpod/options.go b/libpod/options.go index 33b423bce..05241baf3 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -1692,6 +1692,22 @@ func WithPodUTS() PodCreateOption { } } +// WithPodCgroup tells containers in this pod to use the cgroup namespace +// created for this pod. +// Containers in a pod will inherit the kernel namespaces from the first +// container added. +func WithPodCgroup() PodCreateOption { + return func(pod *Pod) error { + if pod.valid { + return define.ErrPodFinalized + } + + pod.config.UsePodCgroupNS = true + + return nil + } +} + // WithInfraContainer tells the pod to create a pause container func WithInfraContainer() PodCreateOption { return func(pod *Pod) error { |