author | haircommander <pehunt@redhat.com> | 2018-07-27 13:58:50 -0400 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-08-23 18:16:28 +0000 |
commit | d5e690914dc78eca8664442e7677eb5004522bfd (patch) | |
tree | 3f7ed30e4302c871c16126a0032b8a3d51c46f98 /libpod/runtime_pod_linux.go | |
parent | 63dd200e7e47261454c7e55fed2ad972144e147f (diff) | |
Added option to share kernel namespaces in libpod and podman
A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1187
Approved by: mheon
Diffstat (limited to 'libpod/runtime_pod_linux.go')
-rw-r--r-- | libpod/runtime_pod_linux.go | 49 |
1 files changed, 31 insertions, 18 deletions
diff --git a/libpod/runtime_pod_linux.go b/libpod/runtime_pod_linux.go index 3592c2fee..eff15be76 100644 --- a/libpod/runtime_pod_linux.go +++ b/libpod/runtime_pod_linux.go @@ -15,7 +15,7 @@ import ( ) // NewPod makes a new, empty pod -func (r *Runtime) NewPod(options ...PodCreateOption) (*Pod, error) { +func (r *Runtime) NewPod(ctx context.Context, options ...PodCreateOption) (*Pod, error) { r.lock.Lock() defer r.lock.Unlock() @@ -87,38 +87,42 @@ func (r *Runtime) NewPod(options ...PodCreateOption) (*Pod, error) { if pod.config.UsePodCgroup { logrus.Debugf("Got pod cgroup as %s", pod.state.CgroupPath) } + if pod.HasPauseContainer() != pod.SharesNamespaces() { + return nil, errors.Errorf("Pods must have a pause container to share namespaces") + } if err := r.state.AddPod(pod); err != nil { return nil, errors.Wrapf(err, "error adding pod to state") } + if pod.HasPauseContainer() { + ctr, err := r.createPauseContainer(ctx, pod) + if err != nil { + // Tear down pod, as it is assumed a the pod will contain + // a pause container, and it does not. + if err2 := r.removePod(ctx, pod, true, true); err2 != nil { + logrus.Errorf("Error removing pod after pause container creation failure: %v", err2) + } + return nil, errors.Wrapf(err, "error adding Pause Container") + } + pod.state.PauseContainerID = ctr.ID() + if err := pod.save(); err != nil { + return nil, err + } + } + return pod, nil } func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool) error { - r.lock.Lock() - defer r.lock.Unlock() - - if !r.valid { - return ErrRuntimeStopped - } - if !p.valid { if ok, _ := r.state.HasPod(p.ID()); !ok { - // Pod was either already removed, or never existed to - // begin with + // Pod probably already removed + // Or was never in the runtime to begin with return nil } } - p.lock.Lock() - defer p.lock.Unlock() - - // Force a pod update - if err := p.updatePod(); err != nil { - return err - } - ctrs, err := r.state.PodContainers(p) if err != nil { return err 
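Review bot: In the new pause-container block of NewPod, a failing `pod.save()` returns `nil, err` with no teardown, so the pod already added by `r.state.AddPod` and the pause container just created stay in the state while the caller gets no handle to remove them. The createPauseContainer failure branch directly above already calls `r.removePod(ctx, pod, true, true)`; the save branch should do the same and wrap the error so the failing step is identifiable. NewPod's body between the first and second hunk is outside the diff, so whether earlier setup (the cgroup path logged just above the new check) also needs undoing cannot be judged from here.

```go
		pod.state.PauseContainerID = ctr.ID()
		if err := pod.save(); err != nil {
			// Same teardown as the createPauseContainer failure branch:
			// do not leave a pod and pause container behind in the state.
			if err2 := r.removePod(ctx, pod, true, true); err2 != nil {
				logrus.Errorf("Error removing pod after failing to save pause container ID: %v", err2)
			}
			return nil, errors.Wrapf(err, "error saving pause container ID for pod %s", pod.ID())
		}
```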
@@ -126,6 +130,15 @@ func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool) numCtrs := len(ctrs) + // If the only container in the pod is the pause container, remove the pod and container unconditionally. + if err := p.updatePod(); err != nil { + return err + } + pauseCtrID := p.state.PauseContainerID + if numCtrs == 1 && ctrs[0].ID() == pauseCtrID { + removeCtrs = true + force = true + } if !removeCtrs && numCtrs > 0 { return errors.Wrapf(ErrCtrExists, "pod %s contains containers and cannot be removed", p.ID()) } |
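Review bot: `p.updatePod()` and the read of `p.state.PauseContainerID` here run with no lock taken inside removePod, because the previous hunk drops the `r.lock`/`p.lock` acquisition and the `r.valid` check from the top of the function. Locking has presumably moved to the callers, which makes it an unwritten precondition; a doc comment such as `// removePod assumes the caller holds r.lock and p.lock and has verified r.valid.` would make it checkable in review. The new call from NewPod holds `r.lock`, but no `pod.lock` acquisition is visible in that hunk, so that path is worth confirming. The rest of removePod lies outside the hunk.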