authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2022-04-16 12:30:01 -0400
committerGitHub <noreply@github.com>2022-04-16 12:30:01 -0400
commit8d3075e33267663bf2a251bfd60bd825397114c9 (patch)
tree17efa4577cd6a895d492a38767b32ee1cac2dc74 /pkg/specgen
parent25eeaec219ccc49dcb35e098afaed7d7987cbee1 (diff)
parent3987c529f473178c51feb69d5252c7d5c2a8f697 (diff)
Merge pull request #13583 from rhatdan/ipc
Add support for ipc namespace modes "none", "private" and "shareable"
Diffstat (limited to 'pkg/specgen')
-rw-r--r--pkg/specgen/generate/container.go7
-rw-r--r--pkg/specgen/generate/namespaces.go11
-rw-r--r--pkg/specgen/generate/security.go2
3 files changed, 16 insertions, 4 deletions
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index b38b0e695..f7ea2edfa 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -428,9 +428,12 @@ func ConfigToSpec(rt *libpod.Runtime, specg *specgen.SpecGenerator, contaierID s
case "cgroup":
specg.CgroupNS = specgen.Namespace{NSMode: specgen.Default} //default
case "ipc":
- if conf.ShmDir == "/dev/shm" {
+ switch conf.ShmDir {
+ case "/dev/shm":
specg.IpcNS = specgen.Namespace{NSMode: specgen.Host}
- } else {
+ case "":
+ specg.IpcNS = specgen.Namespace{NSMode: specgen.None}
+ default:
specg.IpcNS = specgen.Namespace{NSMode: specgen.Default} //default
}
case "uts":
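Review bot: The new `switch conf.ShmDir` recovers only Host and None from the shm directory, so a container created with the new `private` mode (which the namespaces.go hunk records as a NoShmShare flag rather than a distinct ShmDir) presumably round-trips here as Default, i.e. shareable again. If `conf` is the same config type that exposes NoShmShare, the `default:` arm should consult it, e.g. `mode := specgen.Default; if conf.NoShmShare { mode = specgen.Private }` before the `specg.IpcNS = specgen.Namespace{NSMode: mode}` assignment; verify the field name against the config type, which is outside this hunk. Mapping `""` to None also assumes an empty ShmDir is only ever produced by the none mode, which would be worth a short comment on the `case "":` line. ConfigToSpec starts before and continues after this hunk.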
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 9ce45aaf0..05c2d1741 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -134,8 +134,17 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
if err != nil {
return nil, errors.Wrapf(err, "error looking up container to share ipc namespace with")
}
+ if ipcCtr.ConfigNoCopy().NoShmShare {
+ return nil, errors.Errorf("joining IPC of container %s is not allowed: non-shareable IPC (hint: use IpcMode:shareable for the donor container)", ipcCtr.ID())
+ }
toReturn = append(toReturn, libpod.WithIPCNSFrom(ipcCtr))
- toReturn = append(toReturn, libpod.WithShmDir(ipcCtr.ShmDir()))
+ if !ipcCtr.ConfigNoCopy().NoShm {
+ toReturn = append(toReturn, libpod.WithShmDir(ipcCtr.ShmDir()))
+ }
+ case specgen.None:
+ toReturn = append(toReturn, libpod.WithNoShm(true))
+ case specgen.Private:
+ toReturn = append(toReturn, libpod.WithNoShmShare(true))
}
// UTS
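Review bot: `ipcCtr.ConfigNoCopy()` is called twice in the new code, once for the NoShmShare refusal and again for the NoShm check; hoist it into one local, `ipcConf := ipcCtr.ConfigNoCopy()`, and read both flags from it, which also makes it explicit that both decisions come from the same snapshot of the donor's config. The NoShmShare refusal is the enforcement point for the new `private` mode and is visible only on this FromContainer path; if IPC sharing with a pod's infra container is resolved elsewhere in namespaceOptions, that path would presumably need the same check (not visible in this hunk). The `specgen.Private` arm only appends WithNoShmShare(true) and does not itself select an IPC namespace, so a one-line comment such as `// Private: own IPC namespace, but other containers may not join it` would tell the reader that the separate namespace is expected to come from the default handling. namespaceOptions starts before and continues after this hunk.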
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 988c29832..ec52164ab 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -222,7 +222,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
for sysctlKey, sysctlVal := range defaultSysctls {
// Ignore mqueue sysctls if --ipc=host
if noUseIPC && strings.HasPrefix(sysctlKey, "fs.mqueue.") {
- logrus.Infof("Sysctl %s=%s ignored in containers.conf, since IPC Namespace set to host", sysctlKey, sysctlVal)
+ logrus.Infof("Sysctl %s=%s ignored in containers.conf, since IPC Namespace set to %q", sysctlKey, sysctlVal, s.IpcNS.NSMode)
continue
}
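Review bot: The comment `// Ignore mqueue sysctls if --ipc=host` above the check is now stale: the log line was generalized to print `s.IpcNS.NSMode`, which suggests `noUseIPC` covers more than the host mode (its definition is outside the hunk). Update it to match, e.g. `// Ignore mqueue sysctls when the container does not get its own IPC namespace (noUseIPC)`, so the comment and the message agree on which modes are affected. securityConfigureGenerator starts before and continues after this hunk.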