summaryrefslogtreecommitdiff
path: root/pkg/specgen/generate/namespaces.go
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/specgen/generate/namespaces.go')
-rw-r--r--pkg/specgen/generate/namespaces.go67
1 files changed, 20 insertions, 47 deletions
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index f41186ae4..80790dcc1 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -175,6 +175,11 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
if pod == nil || infraCtr == nil {
return nil, errNoInfra
}
+ // Inherit the user from the infra container if it is set and --user has not
+ // been set explicitly
+ if infraCtr.User() != "" && s.User == "" {
+ toReturn = append(toReturn, libpod.WithUser(infraCtr.User()))
+ }
toReturn = append(toReturn, libpod.WithUserNSFrom(infraCtr))
case specgen.FromContainer:
userCtr, err := rt.LookupContainer(s.UserNS.Value)
@@ -184,7 +189,10 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
toReturn = append(toReturn, libpod.WithUserNSFrom(userCtr))
}
- if s.IDMappings != nil {
+ // This wipes the UserNS settings that get set from the infra container
+ // when we are inheritting from the pod. So only apply this if the container
+ // is not being created in a pod.
+ if s.IDMappings != nil && pod == nil {
toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
}
if s.User != "" {
@@ -234,7 +242,7 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
}
toReturn = append(toReturn, libpod.WithNetNSFrom(netCtr))
case specgen.Slirp:
- portMappings, err := createPortMappings(ctx, s, imageData)
+ portMappings, expose, err := createPortMappings(ctx, s, imageData)
if err != nil {
return nil, err
}
@@ -242,15 +250,15 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
if s.NetNS.Value != "" {
val = fmt.Sprintf("slirp4netns:%s", s.NetNS.Value)
}
- toReturn = append(toReturn, libpod.WithNetNS(portMappings, postConfigureNetNS, val, nil))
+ toReturn = append(toReturn, libpod.WithNetNS(portMappings, expose, postConfigureNetNS, val, nil))
case specgen.Private:
fallthrough
case specgen.Bridge:
- portMappings, err := createPortMappings(ctx, s, imageData)
+ portMappings, expose, err := createPortMappings(ctx, s, imageData)
if err != nil {
return nil, err
}
- toReturn = append(toReturn, libpod.WithNetNS(portMappings, postConfigureNetNS, "bridge", s.CNINetworks))
+ toReturn = append(toReturn, libpod.WithNetNS(portMappings, expose, postConfigureNetNS, "bridge", s.CNINetworks))
}
if s.UseImageHosts {
@@ -379,46 +387,8 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
}
// User
- switch s.UserNS.NSMode {
- case specgen.Path:
- if _, err := os.Stat(s.UserNS.Value); err != nil {
- return errors.Wrap(err, "cannot find specified user namespace path")
- }
- if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), s.UserNS.Value); err != nil {
- return err
- }
- // runc complains if no mapping is specified, even if we join another ns. So provide a dummy mapping
- g.AddLinuxUIDMapping(uint32(0), uint32(0), uint32(1))
- g.AddLinuxGIDMapping(uint32(0), uint32(0), uint32(1))
- case specgen.Host:
- if err := g.RemoveLinuxNamespace(string(spec.UserNamespace)); err != nil {
- return err
- }
- case specgen.KeepID:
- var (
- err error
- uid, gid int
- )
- s.IDMappings, uid, gid, err = util.GetKeepIDMapping()
- if err != nil {
- return err
- }
- g.SetProcessUID(uint32(uid))
- g.SetProcessGID(uint32(gid))
- fallthrough
- case specgen.Private:
- if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
- return err
- }
- if s.IDMappings == nil || (len(s.IDMappings.UIDMap) == 0 && len(s.IDMappings.GIDMap) == 0) {
- return errors.Errorf("must provide at least one UID or GID mapping to configure a user namespace")
- }
- for _, uidmap := range s.IDMappings.UIDMap {
- g.AddLinuxUIDMapping(uint32(uidmap.HostID), uint32(uidmap.ContainerID), uint32(uidmap.Size))
- }
- for _, gidmap := range s.IDMappings.GIDMap {
- g.AddLinuxGIDMapping(uint32(gidmap.HostID), uint32(gidmap.ContainerID), uint32(gidmap.Size))
- }
+ if _, err := specgen.SetupUserNS(s.IDMappings, s.UserNS, g); err != nil {
+ return err
}
// Cgroup
@@ -474,7 +444,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
// GetNamespaceOptions transforms a slice of kernel namespaces
// into a slice of pod create options. Currently, not all
// kernel namespaces are supported, and they will be returned in an error
-func GetNamespaceOptions(ns []string) ([]libpod.PodCreateOption, error) {
+func GetNamespaceOptions(ns []string, netnsIsHost bool) ([]libpod.PodCreateOption, error) {
var options []libpod.PodCreateOption
var erroredOptions []libpod.PodCreateOption
if ns == nil {
@@ -486,7 +456,10 @@ func GetNamespaceOptions(ns []string) ([]libpod.PodCreateOption, error) {
case "cgroup":
options = append(options, libpod.WithPodCgroups())
case "net":
- options = append(options, libpod.WithPodNet())
+ // share the netns setting with other containers in the pod only when it is not set to host
+ if !netnsIsHost {
+ options = append(options, libpod.WithPodNet())
+ }
case "mnt":
return erroredOptions, errors.Errorf("Mount sharing functionality not supported on pod level")
case "pid":