-rw-r--r-- | cmd/kpod/create.go | 15 | ||||
-rw-r--r-- | cmd/kpod/spec.go | 27 | ||||
-rw-r--r-- | test/kpod_run_ns.bats | 28 |
3 files changed, 66 insertions, 4 deletions
diff --git a/cmd/kpod/create.go b/cmd/kpod/create.go
index 73959ed02..d609d011e 100644
--- a/cmd/kpod/create.go
+++ b/cmd/kpod/create.go
@@ -6,6 +6,7 @@ import (
 	"strconv"
 	"strings"
+	"github.com/docker/docker/api/types/container"
 	"github.com/docker/go-units"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
@@ -61,6 +62,7 @@ type createResourceConfig struct {
 }
 type createConfig struct {
+	runtime *libpod.Runtime
 	args []string
 	capAdd []string // cap-add
 	capDrop []string // cap-drop
@@ -90,8 +92,8 @@ type createConfig struct {
 	network string //network
 	networkAlias []string //network-alias
 	nsIPC string // ipc
-	nsNet string //net
-	nsPID string //pid
+	nsNET string //net
+	pidMode container.PidMode //pid
 	nsUser string
 	pod string //pod
 	privileged bool //privileged
@@ -329,8 +331,13 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime) (*createConfig, er
 	if !c.Bool("detach") && !tty {
 		tty = true
 	}
+	pidMode := container.PidMode(c.String("pid"))
+	if !pidMode.Valid() {
+		return nil, errors.Errorf("--pid %q is not valid", c.String("pid"))
+	}
 	config := &createConfig{
+		runtime: runtime,
 		capAdd: c.StringSlice("cap-add"),
 		capDrop: c.StringSlice("cap-drop"),
 		cgroupParent: c.String("cgroup-parent"),
@@ -357,8 +364,8 @@ func parseCreateOpts(c *cli.Context, runtime *libpod.Runtime) (*createConfig, er
 		network: c.String("network"),
 		networkAlias: c.StringSlice("network-alias"),
 		nsIPC: c.String("ipc"),
-		nsNet: c.String("net"),
-		nsPID: c.String("pid"),
+		nsNET: c.String("net"),
+		pidMode: pidMode,
 		pod: c.String("pod"),
 		privileged: c.Bool("privileged"),
 		publish: c.StringSlice("publish"),
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index 581be5241..752827669 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -2,6 +2,7 @@ package main
 import (
 	"encoding/json"
+	"fmt"
 	"io/ioutil"
 	"strings"
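Review bot: The new `pidMode` field in the `createConfig` hunk carries only the bare trailing comment `//pid`, although it is now a typed value with a fixed vocabulary rather than a raw string; a short doc comment would help, e.g. `// pidMode is the validated --pid flag value: "", "host" or "container:<name>" (checked in parseCreateOpts).` In the parseCreateOpts hunk the rejection message re-reads the flag, `errors.Errorf("--pid %q is not valid", c.String("pid"))`, while `pidMode` already holds that value and would read more directly. The check here is syntactic only; whether a named container exists or is running is, as far as this hunk shows, left to the spec build step. parseCreateOpts continues outside the hunk.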
@@ -44,6 +45,28 @@ func blockAccessToKernelFilesystems(config *createConfig, g *generate.Generator)
 	}
 }
+func addPidNS(config *createConfig, g *generate.Generator) error {
+	pidMode := config.pidMode
+	if pidMode.IsHost() {
+		return g.RemoveLinuxNamespace("pid")
+	}
+	if pidMode.IsContainer() {
+		ctr, err := config.runtime.LookupContainer(pidMode.Container())
+		if err != nil {
+			return errors.Wrapf(err, "container %q not found", pidMode.Container())
+		}
+		pid, err := ctr.PID()
+		if err != nil {
+			return errors.Wrapf(err, "Failed to get pid of container %q", pidMode.Container())
+		}
+		pidNsPath := fmt.Sprintf("/proc/%d/ns/pid", pid)
+		if err := g.AddOrReplaceLinuxNamespace(libpod.PIDNamespace, pidNsPath); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func addRlimits(config *createConfig, g *generate.Generator) error {
 	var (
 		ul *units.Ulimit
@@ -182,6 +205,10 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 		return nil, err
 	}
+	if err := addPidNS(config, &g); err != nil {
+		return nil, err
+	}
+
 	configSpec := g.Spec()
 	if config.seccompProfilePath != "" && config.seccompProfilePath != "unconfined" {
diff --git a/test/kpod_run_ns.bats b/test/kpod_run_ns.bats
new file mode 100644
index 000000000..eb0af6076
--- /dev/null
+++ b/test/kpod_run_ns.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	copy_images
+}
+
+@test "run pidns test" {
+
+	${KPOD_BINARY} ${KPOD_OPTIONS} pull ${ALPINE}
+
+	run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run ${ALPINE} sh -c 'echo \$\$'"
+	echo $output
+	[ "$status" -eq 0 ]
+	pid=$(echo $output | tr -d '\r')
+	[ $pid = "1" ]
+
+	run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run --pid=host ${ALPINE} sh -c 'echo \$\$'"
+	echo $output
+	pid=$(echo $output | tr -d '\r')
+	[ "$status" -eq 0 ]
+	[ $pid != "1" ]
+
+	run ${KPOD_BINARY} ${KPOD_OPTIONS} run --pid=badpid ${ALPINE} sh -c 'echo $$'
+	echo $output
+	[ "$status" -ne 0 ]
+}
 |
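Review bot: In the `IsContainer()` branch of `addPidNS` the target's PID is read once and baked into the spec as `/proc/<pid>/ns/pid`, but that path is only opened when the runtime later creates the container; if the target exits in between, the PID number can be reused by an unrelated process and the new container would join that process's PID namespace instead of the intended one. Nothing in the hunk checks that the looked-up container is running, so a stopped target presumably yields a PID that is not meaningful (I cannot tell from here what `ctr.PID()` returns in that case); a guard such as `if pid <= 0 { return errors.Errorf("container %q is not running", pidMode.Container()) }` before building the path, plus a state check if libpod exposes one, would close the obvious case, and the time-of-check gap is worth a comment on the `pidNsPath` line. Two smaller points: `g.RemoveLinuxNamespace("pid")` uses a string literal where the other call uses `libpod.PIDNamespace`, and the message `"Failed to get pid of container %q"` is capitalized unlike the sibling `"container %q not found"`. The function also lacks a doc comment; something like `// addPidNS applies --pid to the generator: "host" drops the pid namespace, "container:<name>" joins that container's namespace via /proc/<pid>/ns/pid.` would do.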
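Review bot: The new test covers the default and `--pid=host` cases and a malformed value, but not the `--pid=container:<name>` path, which is the branch that looks up another container and joins its namespace and so the one most worth exercising. A case that starts a long-running container, runs a second one with `--pid=container:<that name>` and checks that `echo $$` prints something other than `1` would cover the join, and a negative case naming a nonexistent container should fail with a non-zero status. Minor: in the `--pid=host` block the `[ "$status" -eq 0 ]` check comes after `pid=$(...)`, the reverse of the first block; keeping the same order in both reads better.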