-rw-r--r--libpod/oci_conmon_linux.go7
-rw-r--r--pkg/specgen/generate/kube/kube.go4
-rw-r--r--test/e2e/play_kube_test.go56
3 files changed, 66 insertions, 1 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 1b1d4ad59..3da49b85f 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1016,7 +1016,12 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
}
}
- args := r.sharedConmonArgs(ctr, ctr.ID(), ctr.bundlePath(), ctr.config.PidFile, ctr.LogPath(), r.exitsDir, ociLog, ctr.LogDriver(), logTag)
+ pidfile := ctr.config.PidFile
+ if pidfile == "" {
+ pidfile = filepath.Join(ctr.state.RunDir, "pidfile")
+ }
+
+ args := r.sharedConmonArgs(ctr, ctr.ID(), ctr.bundlePath(), pidfile, ctr.LogPath(), r.exitsDir, ociLog, ctr.LogDriver(), logTag)
if ctr.config.Spec.Process.Terminal {
args = append(args, "-t")
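Review bot: The fallback computed at `pidfile = filepath.Join(ctr.state.RunDir, "pidfile")` is only passed to sharedConmonArgs and is never written back to ctr.config.PidFile, so any other code that later reads ctr.config.PidFile to locate the conmon-written pid will presumably still see an empty path — worth confirming whether persisting the default on the container config is the intended contract. A why-comment on the new branch would help the next reader: `// conmon always needs a pidfile; default to one under the container's run dir when the config leaves it unset`. Also confirm that path/filepath is already imported in this file, since the import block is outside the hunk. createOCIContainer begins and continues outside the hunk.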
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index ccce3edba..4e41061a5 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -23,6 +23,10 @@ func ToPodGen(ctx context.Context, podName string, podYAML *v1.PodTemplateSpec)
p := specgen.NewPodSpecGenerator()
p.Name = podName
p.Labels = podYAML.ObjectMeta.Labels
+ // Kube pods must share {ipc, net, uts} by default
+ p.SharedNamespaces = append(p.SharedNamespaces, "ipc")
+ p.SharedNamespaces = append(p.SharedNamespaces, "net")
+ p.SharedNamespaces = append(p.SharedNamespaces, "uts")
// TODO we only configure Process namespace. We also need to account for Host{IPC,Network,PID}
// which is not currently possible with pod create
if podYAML.Spec.ShareProcessNamespace != nil && *podYAML.Spec.ShareProcessNamespace {
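Review bot: The three consecutive appends at the `p.SharedNamespaces = append(...)` lines can be one call, `p.SharedNamespaces = append(p.SharedNamespaces, "ipc", "net", "uts")`. Because they run unconditionally, the comment above them should say so explicitly, e.g. `// Containers in a Kubernetes pod always share ipc, net and uts; pid is opt-in via shareProcessNamespace below`, so the relation to the check that follows is clear. If specgen.NewPodSpecGenerator already seeds SharedNamespaces with any of these values, appending produces duplicates; a membership check before each append would make this robust, though the generator is not visible from this hunk. The test added in test/e2e/play_kube_test.go only exercises a pod with shareProcessNamespace set, so the default-sharing path introduced here has no direct coverage. ToPodGen continues outside the hunk.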
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 3908d4075..e0af27f7a 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -28,6 +28,44 @@ metadata:
spec:
hostname: unknown
`
+var sharedNamespacePodYaml = `
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: "2021-05-07T17:25:01Z"
+ labels:
+ app: testpod1
+ name: testpod1
+spec:
+ containers:
+ - command:
+ - top
+ - -d
+ - "1.5"
+ env:
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ - name: TERM
+ value: xterm
+ - name: container
+ value: podman
+ - name: HOSTNAME
+ value: label-pod
+ image: quay.io/libpod/alpine:latest
+ name: alpine
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities: {}
+ privileged: false
+ readOnlyRootFilesystem: false
+ seLinuxOptions: {}
+ workingDir: /
+ dnsConfig: {}
+ restartPolicy: Never
+ shareProcessNamespace: true
+status: {}
+`
var selinuxLabelPodYaml = `
apiVersion: v1
@@ -1004,6 +1042,24 @@ var _ = Describe("Podman play kube", func() {
Expect(label).To(ContainSubstring("unconfined_u:system_r:spc_t:s0"))
})
+ It("podman play kube should share ipc,net,uts when shareProcessNamespace is set", func() {
+ SkipIfRootless("Requires root priviledges for sharing few namespaces")
+ err := writeYaml(sharedNamespacePodYaml, kubeYaml)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", "testpod1", "--format", "'{{ .SharedNamespaces }}'"})
+ inspect.WaitWithDefaultTimeout()
+ sharednamespaces := inspect.OutputToString()
+ Expect(sharednamespaces).To(ContainSubstring("ipc"))
+ Expect(sharednamespaces).To(ContainSubstring("net"))
+ Expect(sharednamespaces).To(ContainSubstring("uts"))
+ Expect(sharednamespaces).To(ContainSubstring("pid"))
+ })
+
It("podman play kube fail with nonexistent authfile", func() {
err := generateKubeYaml("pod", getPod(), kubeYaml)
Expect(err).To(BeNil())
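Review bot: The test name at `It("podman play kube should share ipc,net,uts when shareProcessNamespace is set", ...)` ties the ipc/net/uts expectation to shareProcessNamespace, but the change in pkg/specgen/generate/kube/kube.go adds those three namespaces unconditionally; a second fixture without `shareProcessNamespace: true`, asserting ipc/net/uts are present and pid is absent, would pin the default behaviour. The `--format` argument `"'{{ .SharedNamespaces }}'"` carries literal single quotes into the process, since presumably no shell strips them here; ContainSubstring tolerates that, but `"{{ .SharedNamespaces }}"` is the form podman expects and what an exact match would need. The SkipIfRootless message misspells "privileges". The enclosing Describe block starts and ends outside the hunk.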