author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-04-23 19:32:08 +0200 |
committer | GitHub <noreply@github.com> | 2020-04-23 19:32:08 +0200 |
commit | 802763c6042e1c9a812f4300c3c717630564c8bc (patch) | |
tree | 9118ada4b03b965f98141d773469660b7a227ed9 /pkg | |
parent | e5a3e46746a0db9fcd9b701693d557438420d1e4 (diff) | |
parent | 48530acbd9a622cf88dbbb10cbc8e91575c476e5 (diff) | |
Merge pull request #5933 from giuseppe/fix-namespaces
podman, v2: handle namespaces specified on the CLI
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/specgen/container_validate.go | 4 | ||||
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 3 | ||||
-rw-r--r-- | pkg/specgen/namespaces.go | 39 |
3 files changed, 42 insertions, 4 deletions
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index df9c77cbc..56c1a7ea9 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@@ -54,7 +54,7 @@ func (s *SpecGenerator) Validate() error {
}
// shmsize conflicts with IPC namespace
if s.ContainerStorageConfig.ShmSize != nil && !s.ContainerStorageConfig.IpcNS.IsPrivate() {
- return errors.New("cannot set shmsize when creating an IPC namespace")
+ return errors.New("cannot set shmsize when running in the host IPC Namespace")
}
//
@@ -129,7 +129,7 @@ func (s *SpecGenerator) Validate() error {
if err := s.CgroupNS.validate(); err != nil {
return err
}
- if err := s.UserNS.validate(); err != nil {
+ if err := validateUserNS(&s.UserNS); err != nil {
return err
}
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 4ec1e859c..2aaeb9513 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -58,8 +58,7 @@ func GetDefaultNamespaceMode(nsType string, cfg *config.Config, pod *libpod.Pod)
case "uts":
return specgen.ParseNamespace(cfg.Containers.UTSNS)
case "user":
- // TODO: This may not work for --userns=auto
- return specgen.ParseNamespace(cfg.Containers.UserNS)
+ return specgen.ParseUserNamespace(cfg.Containers.UserNS)
case "net":
ns, _, err := specgen.ParseNetworkNamespace(cfg.Containers.NetNS)
return ns, err
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index 4f35b31bf..fffbd6d9e 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -33,6 +33,11 @@ const (
// Slirp indicates that a slirp4netns network stack should
// be used
Slirp NamespaceMode = "slirp4netns"
+ // KeepId indicates a user namespace to keep the owner uid inside
+ // of the namespace itself
+ KeepID NamespaceMode = "keep-id"
+ // KeepId indicates to automatically create a user namespace
+ Auto NamespaceMode = "auto"
)
// Namespace describes the namespace 
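Review bot: The replacement message on the added `return errors.New("cannot set shmsize when running in the host IPC Namespace")` line names the host namespace, but the guard it sits under is `!s.ContainerStorageConfig.IpcNS.IsPrivate()`, which is also true for container, pod or any other non-private IPC mode, so for those the error would misstate the cause. Tying the wording to the actual condition avoids that: `return errors.New("cannot set shmsize without a private IPC namespace")`. Validate() begins before this hunk and continues past it.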
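Review bot: The doc comment added above `Auto NamespaceMode = "auto"` begins with `// KeepId indicates to automatically create a user namespace`, a copy of the KeepID comment, and the KeepID comment itself names the constant as `KeepId` rather than `KeepID`, so neither starts with the identifier it documents as go doc and golint expect. Suggested wording: `// KeepID indicates a user namespace that keeps the owner uid inside the namespace itself` and `// Auto indicates that a user namespace is created automatically`. The enclosing const block starts outside the hunk.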
@@ -71,6 +76,16 @@ func (n *Namespace) IsPod() bool {
func (n *Namespace) IsPrivate() bool {
return n.NSMode == Private
}
+func validateUserNS(n *Namespace) error {
+ if n == nil {
+ return nil
+ }
+ switch n.NSMode {
+ case Auto, KeepID:
+ return nil
+ }
+ return n.validate()
+}
func validateNetNS(n *Namespace) error {
if n == nil {
@@ -158,6 +173,30 @@ func ParseNamespace(ns string) (Namespace, error) {
return toReturn, nil
}
+// ParseUserNamespace parses a user namespace specification in string
+// form.
+func ParseUserNamespace(ns string) (Namespace, error) {
+ toReturn := Namespace{}
+ switch {
+ case ns == "auto":
+ toReturn.NSMode = Auto
+ return toReturn, nil
+ case strings.HasPrefix(ns, "auto:"):
+ split := strings.SplitN(ns, ":", 2)
+ if len(split) != 2 {
+ return toReturn, errors.Errorf("invalid setting for auto: mode")
+ }
+ toReturn.NSMode = KeepID
+ toReturn.Value = split[1]
+ return toReturn, nil
+ case ns == "keep-id":
+ toReturn.NSMode = KeepID
+ toReturn.NSMode = FromContainer
+ return toReturn, nil
+ }
+ return ParseNamespace(ns)
+}
+
// ParseNetworkNamespace parses a network namespace specification in string
// form.
// Returns a namespace and (optionally) a list of CNI networks to join. |
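Review bot: validateUserNS returns nil for `Auto` and `KeepID` before ever reaching `n.validate()`, so whatever checks validate() performs (its body is outside this hunk) are skipped for those two modes, and any option string the parser stores in `Value` for an `auto:` specification passes through here uninspected. That is acceptable only if the code that consumes the Auto options validates them itself, which this diff does not show; the function has no doc comment saying so. Suggest `// validateUserNS accepts the user-namespace-only modes Auto and KeepID without inspecting Value; every other mode is checked by Namespace.validate.` above the function so the next reader knows the option string is unvalidated at this point.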
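Review bot: In ParseUserNamespace the `case ns == "keep-id":` branch sets `toReturn.NSMode = KeepID` and then immediately overwrites it with `toReturn.NSMode = FromContainer`, so a "keep-id" specification is returned as a FromContainer namespace with an empty Value, and the `case strings.HasPrefix(ns, "auto:"):` branch stores the options under `KeepID` instead of `Auto`, so no "auto:..." input ever produces the Auto mode. Whoever asked for keep-id or auto-with-options therefore silently gets a different user-namespace mode than requested; what the consumer does with a FromContainer mode carrying no container name is outside this hunk, but it is not the isolation the caller asked for. The fix is two lines: in the `auto:` case use `toReturn.NSMode = Auto`, and in the `keep-id` case delete the `toReturn.NSMode = FromContainer` line. Separately, `len(split) != 2` can never be true after `strings.HasPrefix(ns, "auto:")` with `SplitN(ns, ":", 2)`, so that error path is dead and can go.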