Added option to share kernel namespaces in libpod and podman

A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container.

Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1187
Approved by: mheon

1 files changed, 91 insertions, 4 deletions

diff --git a/libpod/pod.go b/libpod/pod.go
index 666480aa8..e70cd9138 100644
--- a/libpod/pod.go
+++ b/libpod/pod.go
@@ -7,6 +7,11 @@ import (
 	"github.com/pkg/errors"
 )
 
+var (
+	// KernelNamespaces is a list of the kernel namespaces a pod can share
+	KernelNamespaces = []string{"ipc", "net", "pid", "user", "mnt", "uts", "cgroup"}
+)
+
 // Pod represents a group of containers that are managed together.
 // Any operations on a Pod that access state must begin with a call to
 // updatePod().
@@ -18,6 +23,7 @@ import (
 // function takes the pod lock and accesses any part of state, it should
 // updatePod() immediately after locking.
 // ffjson: skip
+// Pod represents a group of containers that may share namespaces
 type Pod struct {
 	config *PodConfig
 	state  *podState
@@ -38,11 +44,23 @@ type PodConfig struct {
 	Labels map[string]string `json:"labels"`
 	// CgroupParent contains the pod's CGroup parent
 	CgroupParent string `json:"cgroupParent"`
+
 	// UsePodCgroup indicates whether the pod will create its own CGroup and
 	// join containers to it.
 	// If true, all containers joined to the pod will use the pod cgroup as
 	// their cgroup parent, and cannot set a different cgroup parent
-	UsePodCgroup bool `json:"usePodCgroup"`
+	UsePodCgroup bool `json:"sharesCgroup,omitempty"`
+
+	// The following UsePod{kernelNamespace} indicate whether the containers
+	// in the pod will inherit the namespace from the first container in the pod.
+	UsePodPID  bool `json:"sharesPid,omitempty"`
+	UsePodIPC  bool `json:"sharesIpc,omitempty"`
+	UsePodNet  bool `json:"sharesNet,omitempty"`
+	UsePodMNT  bool `json:"sharesMnt,omitempty"`
+	UsePodUser bool `json:"sharesUser,omitempty"`
+	UsePodUTS  bool `json:"sharesUts,omitempty"`
+
+	PauseContainer *PauseContainerConfig `json:"pauseConfig"`
 
 	// Time pod was created
 	CreatedTime time.Time `json:"created"`
@@ -52,6 +70,9 @@ type PodConfig struct {
 type podState struct {
 	// CgroupPath is the path to the pod's CGroup
 	CgroupPath string `json:"cgroupPath"`
+	// PauseContainerID is the container that holds pod namespace information
+	// Most often a pause container
+	PauseContainerID string
 }
 
 // PodInspect represents the data we want to display for
@@ -64,7 +85,8 @@ type PodInspect struct {
 
 // PodInspectState contains inspect data on the pod's state
 type PodInspectState struct {
-	CgroupPath string `json:"cgroupPath"`
+	CgroupPath       string `json:"cgroupPath"`
+	PauseContainerID string `json:"pauseContainerID"`
 }
 
 // PodContainerInfo keeps information on a container in a pod
@@ -73,6 +95,11 @@ type PodContainerInfo struct {
 	State string `json:"state"`
 }
 
+// PauseContainerConfig is the configuration for the pod's pause container
+type PauseContainerConfig struct {
+	HasPauseContainer bool `json:"makePauseContainer"`
+}
+
 // ID retrieves the pod's ID
 func (p *Pod) ID() string {
 	return p.config.ID
@@ -109,9 +136,45 @@ func (p *Pod) CgroupParent() string {
 	return p.config.CgroupParent
 }
 
-// UsePodCgroup returns whether containers in the pod will default to this pod's
+// SharesPID returns whether containers in pod
+// default to use PID namespace of first container in pod
+func (p *Pod) SharesPID() bool {
+	return p.config.UsePodPID
+}
+
+// SharesIPC returns whether containers in pod
+// default to use IPC namespace of first container in pod
+func (p *Pod) SharesIPC() bool {
+	return p.config.UsePodIPC
+}
+
+// SharesNet returns whether containers in pod
+// default to use network namespace of first container in pod
+func (p *Pod) SharesNet() bool {
+	return p.config.UsePodNet
+}
+
+// SharesMNT returns whether containers in pod
+// default to use PID namespace of first container in pod
+func (p *Pod) SharesMNT() bool {
+	return p.config.UsePodMNT
+}
+
+// SharesUser returns whether containers in pod
+// default to use user namespace of first container in pod
+func (p *Pod) SharesUser() bool {
+	return p.config.UsePodUser
+}
+
+// SharesUTS returns whether containers in pod
+// default to use UTS namespace of first container in pod
+func (p *Pod) SharesUTS() bool {
+	return p.config.UsePodUTS
+}
+
+// SharesCgroup returns whether containers in the pod will default to this pod's
 // cgroup instead of the default libpod parent
-func (p *Pod) UsePodCgroup() bool {
+func (p *Pod) SharesCgroup() bool {
 	return p.config.UsePodCgroup
 }
 
@@ -161,6 +224,30 @@ func (p *Pod) allContainers() ([]*Container, error) {
 	return p.runtime.state.PodContainers(p)
 }
 
+// HasPauseContainer returns whether the pod will create a pause container
+func (p *Pod) HasPauseContainer() bool {
+	return p.config.PauseContainer.HasPauseContainer
+}
+
+// SharesNamespaces checks if the pod has any kernel namespaces set as shared. A pause container will not be
+// created if no kernel namespaces are shared.
+func (p *Pod) SharesNamespaces() bool {
+	return p.SharesPID() || p.SharesIPC() || p.SharesNet() || p.SharesMNT() || p.SharesUser() || p.SharesUTS()
+}
+
+// PauseContainerID returns a the pause container ID for a pod.
+// If the container returned is "", the pod has no pause container.
+func (p *Pod) PauseContainerID() (string, error) {
+	p.lock.Lock()
+	defer p.lock.Unlock()
+
+	if err := p.updatePod(); err != nil {
+		return "", err
+	}
+
+	return p.state.PauseContainerID, nil
+}
+
 // TODO add pod batching
 // Lock pod to avoid lock contention
 // Store and lock all containers (no RemoveContainer in batch guarantees cache will not become stale)