-rw-r--r-- | libpod/oci_conmon_linux.go | 7 | ||||
-rw-r--r-- | pkg/specgen/generate/kube/kube.go | 4 | ||||
-rw-r--r-- | test/e2e/play_kube_test.go | 56 |
3 files changed, 66 insertions, 1 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 1b1d4ad59..3da49b85f 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1016,7 +1016,12 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 		}
 	}
-	args := r.sharedConmonArgs(ctr, ctr.ID(), ctr.bundlePath(), ctr.config.PidFile, ctr.LogPath(), r.exitsDir, ociLog, ctr.LogDriver(), logTag)
+	pidfile := ctr.config.PidFile
+	if pidfile == "" {
+		pidfile = filepath.Join(ctr.state.RunDir, "pidfile")
+	}
+
+	args := r.sharedConmonArgs(ctr, ctr.ID(), ctr.bundlePath(), pidfile, ctr.LogPath(), r.exitsDir, ociLog, ctr.LogDriver(), logTag)
 	if ctr.config.Spec.Process.Terminal {
 		args = append(args, "-t")
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index ccce3edba..4e41061a5 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -23,6 +23,10 @@ func ToPodGen(ctx context.Context, podName string, podYAML *v1.PodTemplateSpec)
 	p := specgen.NewPodSpecGenerator()
 	p.Name = podName
 	p.Labels = podYAML.ObjectMeta.Labels
+	// Kube pods must share {ipc, net, uts} by default
+	p.SharedNamespaces = append(p.SharedNamespaces, "ipc")
+	p.SharedNamespaces = append(p.SharedNamespaces, "net")
+	p.SharedNamespaces = append(p.SharedNamespaces, "uts")
 	// TODO we only configure Process namespace. We also need to account for Host{IPC,Network,PID}
 	// which is not currently possible with pod create
 	if podYAML.Spec.ShareProcessNamespace != nil && *podYAML.Spec.ShareProcessNamespace {
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 3908d4075..e0af27f7a 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
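Review bot: The fallback pid file path is computed into a local and handed to conmon, but nothing in the hunk writes it back to `ctr.config.PidFile`, so any other reader of that field would presumably still see the empty string and look for the pid somewhere other than where conmon writes it; either persist the default or state in a comment that the config value intentionally stays empty. The new branch also has no why-comment; something like `// conmon needs a pid file; default to one inside the container's run dir when the config leaves it unset` would do. The hunk assumes `filepath` is already imported in this file, which is not visible here. createOCIContainer starts and ends outside the hunk.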
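Review bot: The three consecutive appends to `p.SharedNamespaces` can be a single call: `p.SharedNamespaces = append(p.SharedNamespaces, "ipc", "net", "uts")`. The namespaces are added unconditionally, so a pod YAML that sets `hostNetwork` or `hostIPC` is still declared as sharing `net`/`ipc` among its containers; the TODO directly below already notes that Host{IPC,Network,PID} are not handled, and the new comment should say so explicitly so the default is not mistaken for an honoured isolation setting. Whether `NewPodSpecGenerator` already seeds `SharedNamespaces` is not visible here; if it does, these appends would produce duplicate entries. ToPodGen continues outside the hunk.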
@@ -28,6 +28,44 @@ metadata:
 spec:
   hostname: unknown
 `
+var sharedNamespacePodYaml = `
+apiVersion: v1
+kind: Pod
+metadata:
+  creationTimestamp: "2021-05-07T17:25:01Z"
+  labels:
+    app: testpod1
+  name: testpod1
+spec:
+  containers:
+  - command:
+    - top
+    - -d
+    - "1.5"
+    env:
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+    - name: TERM
+      value: xterm
+    - name: container
+      value: podman
+    - name: HOSTNAME
+      value: label-pod
+    image: quay.io/libpod/alpine:latest
+    name: alpine
+    resources: {}
+    securityContext:
+      allowPrivilegeEscalation: true
+      capabilities: {}
+      privileged: false
+      readOnlyRootFilesystem: false
+      seLinuxOptions: {}
+    workingDir: /
+  dnsConfig: {}
+  restartPolicy: Never
+  shareProcessNamespace: true
+status: {}
+`
 var selinuxLabelPodYaml = `
 apiVersion: v1
@@ -1004,6 +1042,24 @@ var _ = Describe("Podman play kube", func() {
 		Expect(label).To(ContainSubstring("unconfined_u:system_r:spc_t:s0"))
 	})
+	It("podman play kube should share ipc,net,uts when shareProcessNamespace is set", func() {
+		SkipIfRootless("Requires root priviledges for sharing few namespaces")
+		err := writeYaml(sharedNamespacePodYaml, kubeYaml)
+		Expect(err).To(BeNil())
+
+		kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube.ExitCode()).To(Equal(0))
+
+		inspect := podmanTest.Podman([]string{"inspect", "testpod1", "--format", "'{{ .SharedNamespaces }}'"})
+		inspect.WaitWithDefaultTimeout()
+		sharednamespaces := inspect.OutputToString()
+		Expect(sharednamespaces).To(ContainSubstring("ipc"))
+		Expect(sharednamespaces).To(ContainSubstring("net"))
+		Expect(sharednamespaces).To(ContainSubstring("uts"))
+		Expect(sharednamespaces).To(ContainSubstring("pid"))
+	})
+
 	It("podman play kube fail with nonexistent authfile", func() {
 		err := generateKubeYaml("pod", getPod(), kubeYaml)
 		Expect(err).To(BeNil())
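Review bot: The inspect format string `"'{{ .SharedNamespaces }}'"` embeds literal single quotes; the arguments go straight to exec rather than through a shell, so the quotes become part of the template output instead of quoting anything, and the argument should be `"{{ .SharedNamespaces }}"`. The skip message has a typo, `priviledges` should read `privileges`. The test creates pod `testpod1` and never removes it, so it relies on suite-level cleanup in an AfterEach that is outside the hunk; worth confirming that exists so a failing run does not leave a pod behind for the next case. The enclosing Describe block starts and ends outside the hunk.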