Containers in a pod can only join namespaces in that pod

This solves some dependency problems in the state, and makes
sense from a design standpoint.

Containers not in a pod can still depend on the namespaces of
containers joined to a pod, which we might also want to change in
the future.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #184
Approved by: baude

1 files changed, 18 insertions, 1 deletions

diff --git a/libpod/sql_state_internal.go b/libpod/sql_state_internal.go
index 3fb1ac64f..0bbdccc9f 100644
--- a/libpod/sql_state_internal.go
+++ b/libpod/sql_state_internal.go
@@ -752,13 +752,16 @@ func (s *SQLState) addContainer(ctr *Container, pod *Pod) (err error) {
                     ?, ?, ?, ?, ?,
                     ?, ?, ?
                 );`
-		addRegistry = "INSERT INTO registry VALUES (?, ?);"
+		addRegistry   = "INSERT INTO registry VALUES (?, ?);"
+		checkCtrInPod = "SELECT 1 FROM containers WHERE Id=? AND Pod=?;"
 	)
 
 	if !s.valid {
 		return ErrDBClosed
 	}
 
+	depCtrs := ctr.Dependencies()
+
 	mounts, err := json.Marshal(ctr.config.Mounts)
 	if err != nil {
 		return errors.Wrapf(err, "error marshaling container %s mounts to JSON", ctr.ID())
@@ -830,6 +833,20 @@ func (s *SQLState) addContainer(ctr *Container, pod *Pod) (err error) {
 			pod.valid = false
 			return errors.Wrapf(ErrNoSuchPod, "pod %s does not exist in state, cannot add container to it", pod.ID())
 		}
+
+		// We also need to check if our dependencies are in the pod
+		for _, depID := range depCtrs {
+			row := tx.QueryRow(checkCtrInPod, depID, pod.ID())
+			var check int
+			err := row.Scan(&check)
+			if err != nil {
+				if err == sql.ErrNoRows {
+					return errors.Wrapf(ErrInvalidArg, "container %s depends on container %s but it is not in pod %s", ctr.ID(), depID, pod.ID())
+				}
+			} else if check != 1 {
+				return errors.Wrapf(ErrInternal, "check digit for checkCtrInPod query incorrect")
+			}
+		}
 	}
 
 	// Add container to registry