From bfa470e4bc0690cb498c369b5a6412a1f758c4bc Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 13 Jan 2021 10:41:09 +0100 Subject: network: disallow CNI networks with user namespaces it solves a segfault when running as rootless a command like: $ podman run --uidmap 0:0:1 --net foo --rm fedora true panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x5629bccc407c] goroutine 1 [running]: panic(0x5629bd3d39e0, 0x5629be0ab8e0) /usr/lib/golang/src/runtime/panic.go:1064 +0x545 fp=0xc0004592c0 sp=0xc0004591f8 pc=0x5629bbd35d85 runtime.panicmem(...) /usr/lib/golang/src/runtime/panic.go:212 runtime.sigpanic() /usr/lib/golang/src/runtime/signal_unix.go:742 +0x413 fp=0xc0004592f0 sp=0xc0004592c0 pc=0x5629bbd4cd33 github.com/containers/podman/libpod.(*Runtime).setupRootlessNetNS(0xc0003fe9c0, 0xc0003d74a0, 0x0, 0x0) /builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/networking_linux.go:238 +0xdc fp=0xc000459338 sp=0xc0004592f0 pc=0x5629bccc407c github.com/containers/podman/libpod.(*Container).completeNetworkSetup(0xc0003d74a0, 0x0, 0x0) /builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/container_internal.go:965 +0xb72 fp=0xc0004594d8 sp=0xc000459338 pc=0x5629bcc81732 [.....] Signed-off-by: Giuseppe Scrivano
---
test/e2e/run_networking_test.go | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'test')
diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go
index b8e14530c..e4c5a41c5 100644
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
@@ -639,6 +639,24 @@ var _ = Describe("Podman run networking", func() {
 Expect(create.ExitCode()).To(BeZero())
 })
 
+ It("podman rootless fails custom CNI network with --uidmap", func() {
+ SkipIfNotRootless("The configuration works with rootless")
+
+ netName := stringid.GenerateNonCryptoID()
+ create := podmanTest.Podman([]string{"network", "create", netName})
+ create.WaitWithDefaultTimeout()
+ Expect(create.ExitCode()).To(BeZero())
+ defer podmanTest.removeCNINetwork(netName)
+
+ run := podmanTest.Podman([]string{"run", "--rm", "--net", netName, "--uidmap", "0:1:4096", ALPINE, "true"})
+ run.WaitWithDefaultTimeout()
+ Expect(run.ExitCode()).To(Equal(125))
+
+ remove := podmanTest.Podman([]string{"network", "rm", netName})
+ remove.WaitWithDefaultTimeout()
+ Expect(remove.ExitCode()).To(BeZero())
+ })
+
 It("podman run with new:pod and static-ip", func() {
 SkipIfRootless("Rootless does not support --ip")
 netName := "podmantestnetwork2"
-- cgit v1.2.3-54-g00ecf
From ee684667a608d866d57c0dbf8d7734efa90bfb70 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 13 Jan 2021 14:12:48 +0100 Subject: test: use stringid.GenerateNonCryptoID() in more tests Signed-off-by: Giuseppe Scrivano
---
test/e2e/run_networking_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'test')
diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go
index e4c5a41c5..cbaae7186 100644
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
@@ -622,7 +622,7 @@ var _ = Describe("Podman run networking", func() {
 
 It("podman run in custom CNI network with --static-ip", func() {
 SkipIfRootless("Rootless mode does not support --ip")
- netName := "podmantestnetwork"
+ netName := stringid.GenerateNonCryptoID()
 ipAddr := "10.25.30.128"
 create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.30.0/24", netName})
 create.WaitWithDefaultTimeout()
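Review bot: `Expect(run.ExitCode()).To(Equal(125))` is the only check on the failing `podman run`, so any error that exits 125 (missing image, bad flag, a network-create race) satisfies the test, not just the intended rejection of `--uidmap` together with a CNI network; pin the cause by also asserting on stderr, e.g. `Expect(run.ErrorToString()).To(ContainSubstring("user namespace"))`, with the helper and substring adjusted to whatever the libpod side emits, which this test-only diff does not show. The 125 assertion is not meaningless — the original SIGSEGV is a Go panic, which exits with status 2 — but it is loose. The skip reason `SkipIfNotRootless("The configuration works with rootless")` reads backwards, since it explains why the rootful run is skipped; say `SkipIfNotRootless("rootful podman allows a CNI network with --uidmap")`. The explicit `network rm` plus the deferred `removeCNINetwork` remove the same network twice, which is harmless only if the helper tolerates an already-deleted config; a one-line comment saying so would help. The enclosing `Describe` body starts and ends outside the hunk.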
@@ -659,7 +659,7 @@ var _ = Describe("Podman run networking", func() {
 
 It("podman run with new:pod and static-ip", func() {
 SkipIfRootless("Rootless does not support --ip")
- netName := "podmantestnetwork2"
+ netName := stringid.GenerateNonCryptoID()
 ipAddr := "10.25.40.128"
 podname := "testpod"
 create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.40.0/24", netName})
-- cgit v1.2.3-54-g00ecf