network: support ns: prefix to join existing namespace

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan
2025-05-30 23:17:20 +08:00 · 2018-07-23 12:37:29 +02:00
parent 6f65490e27
commit 41c7e43b4d
5 changed files with 23 additions and 5 deletions
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@ -391,6 +391,7 @@ Set the Network mode for the container
                'container:<name|id>': reuse another container's network stack
                'host': use the podman host network stack.  Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
                '<network-name>|<network-id>': connect to a user-defined network
+                'ns:<path>' path to a network namespace to join

 **--network-alias**=[]

--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@ -405,6 +405,7 @@ Set the Network mode for the container:
 - `container:<name|id>`: reuse another container's network stack
 - `host`: use the podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
 - `<network-name>|<network-id>`: connect to a user-defined network
+- `ns:<path>` path to a network namespace to join

 **--network-alias**=[]

--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@ -370,17 +370,15 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime) ([]lib
 		}
 	}

-	if rootless.IsRootless() {
-		if !c.NetMode.IsHost() && !c.NetMode.IsNone() {
-			options = append(options, libpod.WithNetNS(portBindings, true, networks))
-		}
+	if IsNS(string(c.NetMode)) {
+		// pass
 	} else if c.NetMode.IsContainer() {
 		connectedCtr, err := c.Runtime.LookupContainer(c.NetMode.ConnectedContainer())
 		if err != nil {
 			return nil, errors.Wrapf(err, "container %q not found", c.NetMode.ConnectedContainer())
 		}
 		options = append(options, libpod.WithNetNSFrom(connectedCtr))
-	} else if !c.NetMode.IsHost() && !c.NetMode.IsNone() {
+	} else if !rootless.IsRootless() && !c.NetMode.IsHost() && !c.NetMode.IsNone() {
 		postConfigureNetNS := (len(c.IDMappings.UIDMap) > 0 || len(c.IDMappings.GIDMap) > 0) && !c.UsernsMode.IsHost()
 		options = append(options, libpod.WithNetNS(portBindings, postConfigureNetNS, networks))
 	}
--- a/pkg/spec/parse.go
+++ b/pkg/spec/parse.go
@ -18,6 +18,21 @@ func (w *weightDevice) String() string {
 	return fmt.Sprintf("%s:%d", w.path, w.weight)
 }

+// IsNS returns if the specified string has a ns: prefix
+func IsNS(s string) bool {
+	parts := strings.SplitN(s, ":", 2)
+	return len(parts) > 1 && parts[0] == "ns"
+}
+
+// NS is the path to the namespace to join.
+func NS(s string) string {
+	parts := strings.SplitN(s, ":", 2)
+	if len(parts) > 1 {
+		return parts[1]
+	}
+	return ""
+}
+
 // validateweightDevice validates that the specified string has a valid device-weight format
 // for blkio-weight-device flag
 func validateweightDevice(val string) (*weightDevice, error) {
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@ -346,6 +346,9 @@ func addNetNS(config *CreateConfig, g *generate.Generator) error {
 	} else if netMode.IsContainer() {
 		logrus.Debug("Using container netmode")
 		return nil
+	} else if IsNS(string(netMode)) {
+		logrus.Debug("Using ns netmode")
+		return g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, NS(string(netMode)))
 	} else if netMode.IsUserDefined() {
 		logrus.Debug("Using user defined netmode")
 		return nil