diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2021-01-13 10:41:09 +0100 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2021-01-13 17:04:51 +0100 |
commit | bfa470e4bc0690cb498c369b5a6412a1f758c4bc (patch) | |
tree | b7f6f0b4355e7aa0cad63805c590849bb255ae4b /pkg | |
parent | 183f443a585a3659d807ee413e5b708d37a72924 (diff) | |
download | podman-bfa470e4bc0690cb498c369b5a6412a1f758c4bc.tar.gz podman-bfa470e4bc0690cb498c369b5a6412a1f758c4bc.tar.bz2 podman-bfa470e4bc0690cb498c369b5a6412a1f758c4bc.zip |
network: disallow CNI networks with user namespaces
it solves a segfault when running as rootless a command like:
$ podman run --uidmap 0:0:1 --net foo --rm fedora true
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x5629bccc407c]
goroutine 1 [running]:
panic(0x5629bd3d39e0, 0x5629be0ab8e0)
/usr/lib/golang/src/runtime/panic.go:1064 +0x545 fp=0xc0004592c0 sp=0xc0004591f8 pc=0x5629bbd35d85
runtime.panicmem(...)
/usr/lib/golang/src/runtime/panic.go:212
runtime.sigpanic()
/usr/lib/golang/src/runtime/signal_unix.go:742 +0x413 fp=0xc0004592f0 sp=0xc0004592c0 pc=0x5629bbd4cd33
github.com/containers/podman/libpod.(*Runtime).setupRootlessNetNS(0xc0003fe9c0, 0xc0003d74a0, 0x0, 0x0)
/builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/networking_linux.go:238 +0xdc fp=0xc000459338 sp=0xc0004592f0 pc=0x5629bccc407c
github.com/containers/podman/libpod.(*Container).completeNetworkSetup(0xc0003d74a0, 0x0, 0x0)
/builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/container_internal.go:965 +0xb72 fp=0xc0004594d8 sp=0xc000459338 pc=0x5629bcc81732
[.....]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go index 3cd5a3c9c..f66ad6101 100644 --- a/pkg/specgen/generate/namespaces.go +++ b/pkg/specgen/generate/namespaces.go @@ -236,6 +236,9 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod. case specgen.Private: fallthrough case specgen.Bridge: + if postConfigureNetNS && rootless.IsRootless() { + return nil, errors.New("CNI networks not supported with user namespaces") + } portMappings, err := createPortMappings(ctx, s, img) if err != nil { return nil, err |