Diffstat (limited to 'cmd/kpod/spec.go')
-rw-r--r-- | cmd/kpod/spec.go | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index 581be5241..752827669 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -2,6 +2,7 @@ package main
 import (
 "encoding/json"
+ "fmt"
 "io/ioutil"
 "strings"
@@ -44,6 +45,28 @@ func blockAccessToKernelFilesystems(config *createConfig, g *generate.Generator)
 }
 }
+func addPidNS(config *createConfig, g *generate.Generator) error {
+ pidMode := config.pidMode
+ if pidMode.IsHost() {
+ return g.RemoveLinuxNamespace("pid")
+ }
+ if pidMode.IsContainer() {
+ ctr, err := config.runtime.LookupContainer(pidMode.Container())
+ if err != nil {
+ return errors.Wrapf(err, "container %q not found", pidMode.Container())
+ }
+ pid, err := ctr.PID()
+ if err != nil {
+ return errors.Wrapf(err, "Failed to get pid of container %q", pidMode.Container())
+ }
+ pidNsPath := fmt.Sprintf("/proc/%d/ns/pid", pid)
+ if err := g.AddOrReplaceLinuxNamespace(libpod.PIDNamespace, pidNsPath); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
 func addRlimits(config *createConfig, g *generate.Generator) error {
 var (
 ul *units.Ulimit
@@ -182,6 +205,10 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 return nil, err
 }
+ if err := addPidNS(config, &g); err != nil {
+ return nil, err
+ }
+
 configSpec := g.Spec()
 if config.seccompProfilePath != "" && config.seccompProfilePath != "unconfined" { |
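Review bot: In addPidNS, the value returned by `ctr.PID()` is formatted straight into `/proc/%d/ns/pid` with no check that the target container is actually running. If PID() can return 0 without an error for a stopped or never-started container (not visible in this hunk), the spec would carry `/proc/0/ns/pid` and the failure would only surface later in the OCI runtime; a guard right after the error check, such as `if pid <= 0 { return errors.Errorf("container %q is not running", pidMode.Container()) }`, reports it where the cause is known. The path is also resolved when the spec is generated rather than when the container starts, so if the target exits in between and its PID is reused, the new container could end up joining an unrelated process's PID namespace. A doc comment on addPidNS stating that assumption, or resolving the namespace path at start time, would make that limit explicit.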