-rw-r--r--cmd/kpod/create.go15
-rw-r--r--cmd/kpod/spec.go27
-rw-r--r--test/kpod_run_ns.bats28
3 files changed, 66 insertions, 4 deletions
diff --git a/cmd/kpod/create.go b/cmd/kpod/create.go
index 73959ed02..d609d011e 100644
--- a/cmd/kpod/create.go
+++ b/cmd/kpod/create.go
@@ -6,6 +6,7 @@ import (
"strconv"
"strings"
+ "github.com/docker/docker/api/types/container"
"github.com/docker/go-units"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
@@ -61,6 +62,7 @@ type createResourceConfig struct {
}
type createConfig struct {
+ runtime *libpod.Runtime
args []string
capAdd []string // cap-add
capDrop []string // cap-drop
@@ -90,8 +92,8 @@ type createConfig struct {
network string //network
networkAlias []string //network-alias
nsIPC string // ipc
- nsNet string //net
- nsPID string //pid
+ nsNET string //net
+ pidMode container.PidMode //pid
nsUser string
pod string //pod
privileged bool //privileged
@@ -329,8 +331,13 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime) (*createConfig, er
if !c.Bool("detach") && !tty {
tty = true
}
+ pidMode := container.PidMode(c.String("pid"))
+ if !pidMode.Valid() {
+ return nil, errors.Errorf("--pid %q is not valid", c.String("pid"))
+ }
config := &createConfig{
+ runtime: runtime,
capAdd: c.StringSlice("cap-add"),
capDrop: c.StringSlice("cap-drop"),
cgroupParent: c.String("cgroup-parent"),
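Review bot: The new `--pid` validation rejects bad values with `"--pid %q is not valid"` but nothing here tells the reader or the user what is valid; the accepted forms are whatever `container.PidMode.Valid()` from the docker API types permits, which is not visible in this diff. A short comment above the check would document the contract without guessing, e.g. `// --pid is validated here by docker's container.PidMode (see PidMode.Valid for the accepted forms); a container: target is only resolved later, in addPidNS.` The error message could likewise list the accepted forms once they are confirmed, so the user does not have to read the source. parseCreateOpts starts and ends outside this hunk.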
@@ -357,8 +364,8 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime) (*createConfig, er
network: c.String("network"),
networkAlias: c.StringSlice("network-alias"),
nsIPC: c.String("ipc"),
- nsNet: c.String("net"),
- nsPID: c.String("pid"),
+ nsNET: c.String("net"),
+ pidMode: pidMode,
pod: c.String("pod"),
privileged: c.Bool("privileged"),
publish: c.StringSlice("publish"),
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index 581be5241..752827669 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -2,6 +2,7 @@ package main
import (
"encoding/json"
+ "fmt"
"io/ioutil"
"strings"
@@ -44,6 +45,28 @@ func blockAccessToKernelFilesystems(config *createConfig, g *generate.Generator)
}
}
+func addPidNS(config *createConfig, g *generate.Generator) error {
+ pidMode := config.pidMode
+ if pidMode.IsHost() {
+ return g.RemoveLinuxNamespace("pid")
+ }
+ if pidMode.IsContainer() {
+ ctr, err := config.runtime.LookupContainer(pidMode.Container())
+ if err != nil {
+ return errors.Wrapf(err, "container %q not found", pidMode.Container())
+ }
+ pid, err := ctr.PID()
+ if err != nil {
+ return errors.Wrapf(err, "Failed to get pid of container %q", pidMode.Container())
+ }
+ pidNsPath := fmt.Sprintf("/proc/%d/ns/pid", pid)
+ if err := g.AddOrReplaceLinuxNamespace(libpod.PIDNamespace, pidNsPath); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
func addRlimits(config *createConfig, g *generate.Generator) error {
var (
ul *units.Ulimit
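Review bot: addPidNS builds `/proc/<pid>/ns/pid` from `ctr.PID()` without checking that the target container is actually running, so a stopped target (whatever `PID()` reports for it — presumably 0 or a stale number, not visible here) yields a path to no process or, worse, to an unrelated process that has since been assigned the recycled PID, and the new container would silently join the wrong PID namespace. A minimal guard before the `fmt.Sprintf` is `if pid <= 0 { return errors.Errorf("container %q is not running", pidMode.Container()) }`; the remaining reuse window between this lookup and the runtime opening the namespace can only be closed by holding an open fd on the namespace, which deserves a TODO comment. The function also lacks a doc comment; something like `// addPidNS applies --pid: "host" removes the PID namespace so the container sees every host process, and "container:<id>" joins the PID namespace of a running container through its /proc entry.` would make the host-visibility consequence explicit. Minor style: `"Failed to get pid of container"` is the only capitalized error string in the function, and `RemoveLinuxNamespace("pid")` uses a literal where the join path uses `libpod.PIDNamespace`, which may or may not be the same string.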
@@ -182,6 +205,10 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
return nil, err
}
+ if err := addPidNS(config, &g); err != nil {
+ return nil, err
+ }
+
configSpec := g.Spec()
if config.seccompProfilePath != "" && config.seccompProfilePath != "unconfined" {
diff --git a/test/kpod_run_ns.bats b/test/kpod_run_ns.bats
new file mode 100644
index 000000000..eb0af6076
--- /dev/null
+++ b/test/kpod_run_ns.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+ copy_images
+}
+
+@test "run pidns test" {
+
+ ${KPOD_BINARY} ${KPOD_OPTIONS} pull ${ALPINE}
+
+ run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run ${ALPINE} sh -c 'echo \$\$'"
+ echo $output
+ [ "$status" -eq 0 ]
+ pid=$(echo $output | tr -d '\r')
+ [ $pid = "1" ]
+
+ run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run --pid=host ${ALPINE} sh -c 'echo \$\$'"
+ echo $output
+ pid=$(echo $output | tr -d '\r')
+ [ "$status" -eq 0 ]
+ [ $pid != "1" ]
+
+ run ${KPOD_BINARY} ${KPOD_OPTIONS} run --pid=badpid ${ALPINE} sh -c 'echo $$'
+ echo $output
+ [ "$status" -ne 0 ]
+}
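Review bot: The new test covers the default, `--pid=host` and an invalid value, but not `--pid=container:<id>`, which is the branch in addPidNS that does the container lookup, the PID query and the /proc path construction and is therefore the one most likely to regress. A case that starts a detached container (the `--detach` flag is visible in create.go) and then runs a second container with `--pid=container:<id>`, asserting that `$$` is not 1, would exercise it; the sketch below assumes a detached run prints the container ID on stdout, which should be confirmed against kpod's behaviour. The two `[ $pid = "1" ]` / `[ $pid != "1" ]` comparisons would also be more robust with `$pid` quoted, since an empty output currently fails with a test-syntax error rather than a clear assertion.

```shell
    # … unchanged: default, --pid=host and --pid=badpid cases …
    run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run --detach ${ALPINE} sleep 30"
    echo $output
    [ "$status" -eq 0 ]
    target=$(echo $output | tr -d '\r')   # assumes --detach prints the container ID; adjust if it does not
    run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run --pid=container:${target} ${ALPINE} sh -c 'echo \$\$'"
    echo $output
    [ "$status" -eq 0 ]
    [ "$(echo $output | tr -d '\r')" != "1" ]
```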