Merge pull request #8949 from giuseppe/sysfs-for-rootless

specgen: improve heuristic for /sys bind mount
This commit is contained in:
OpenShift Merge Robot
2021-01-15 13:38:30 -05:00
committed by GitHub
2 changed files with 29 additions and 18 deletions


@ -138,10 +138,23 @@ func makeCommand(ctx context.Context, s *specgen.SpecGenerator, img *image.Image
return finalCommand, nil return finalCommand, nil
} }
// canMountSys is a best-effort heuristic to detect whether mounting a new sysfs is permitted in the container
func canMountSys(isRootless, isNewUserns bool, s *specgen.SpecGenerator) bool {
if s.NetNS.IsHost() && (isRootless || isNewUserns) {
return false
}
if isNewUserns {
switch s.NetNS.NSMode {
case specgen.Slirp, specgen.Private, specgen.NoNetwork, specgen.Bridge:
return true
default:
return false
}
}
return true
}
func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *image.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string) (*spec.Spec, error) { func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *image.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string) (*spec.Spec, error) {
var (
inUserNS bool
)
cgroupPerm := "ro" cgroupPerm := "ro"
g, err := generate.New("linux") g, err := generate.New("linux")
if err != nil { if err != nil {
@ -151,23 +164,11 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
g.RemoveMount("/dev/shm") g.RemoveMount("/dev/shm")
g.HostSpecific = true g.HostSpecific = true
addCgroup := true addCgroup := true
canMountSys := true
isRootless := rootless.IsRootless() isRootless := rootless.IsRootless()
if isRootless { isNewUserns := s.UserNS.IsContainer() || s.UserNS.IsPath() || s.UserNS.IsPrivate()
inUserNS = true
} canMountSys := canMountSys(isRootless, isNewUserns, s)
if !s.UserNS.IsHost() {
if s.UserNS.IsContainer() || s.UserNS.IsPath() {
inUserNS = true
}
if s.UserNS.IsPrivate() {
inUserNS = true
}
}
if inUserNS && s.NetNS.NSMode != specgen.NoNetwork {
canMountSys = false
}
if s.Privileged && canMountSys { if s.Privileged && canMountSys {
cgroupPerm = "rw" cgroupPerm = "rw"
@ -232,6 +233,8 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
g.AddMount(devPts) g.AddMount(devPts)
} }
inUserNS := isRootless || isNewUserns
if inUserNS && s.IpcNS.IsHost() { if inUserNS && s.IpcNS.IsHost() {
g.RemoveMount("/dev/mqueue") g.RemoveMount("/dev/mqueue")
devMqueue := spec.Mount{ devMqueue := spec.Mount{
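Review bot: `canMountSys := canMountSys(isRootless, isNewUserns, s)` in SpecGenToOCI declares a local bool that shadows the new package-level function of the same name; it compiles because the right-hand side is resolved before the new variable enters scope, but any later call to the helper inside SpecGenToOCI would silently hit the bool, so rename the result, e.g. `sysMountable := canMountSys(isRootless, isNewUserns, s)` and `if s.Privileged && sysMountable {`. The helper's doc comment should also state the rule it approximates and the consequence of false, e.g. `// canMountSys reports whether a fresh sysfs can be mounted: the kernel allows it only when the network namespace is owned by the container's user namespace, so host networking inside a user namespace and unrecognized network modes are refused and the caller falls back to a bind mount` (the fallback is outside the hunk, so confirm that wording). One behaviour change deserves a test: rootless with a network mode not listed in the switch (a container or path namespace) now reaches the final `return true`, where the old `inUserNS && s.NetNS.NSMode != specgen.NoNetwork` check returned false, and if that namespace is not owned by the rootless user namespace the sysfs mount will presumably fail at runtime instead of taking the fallback; the added test only covers the default network mode. SpecGenToOCI starts and ends outside these hunks.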


@ -105,6 +105,14 @@ var _ = Describe("Podman run ns", func() {
Expect(session).To(ExitWithError()) Expect(session).To(ExitWithError())
}) })
It("podman run mounts fresh cgroup", func() {
session := podmanTest.Podman([]string{"run", fedoraMinimal, "grep", "cgroup", "/proc/self/mountinfo"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
output := session.OutputToString()
Expect(output).ToNot(ContainSubstring(".."))
})
It("podman run --ipc=host --pid=host", func() { It("podman run --ipc=host --pid=host", func() {
SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1")
cmd := exec.Command("ls", "-l", "/proc/self/ns/pid") cmd := exec.Command("ls", "-l", "/proc/self/ns/pid")
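Review bot: `Expect(output).ToNot(ContainSubstring(".."))` in the new "podman run mounts fresh cgroup" test encodes its expectation in a form the next reader cannot decode without knowing the mountinfo layout; add a comment such as `// a ".." in the mountinfo root field means the cgroup mount is a bind of a host hierarchy rather than a freshly mounted one` (presumably the symptom the /sys heuristic is meant to remove; confirm against the fallback path). The match is also broad: any ".." on a line containing "cgroup", including one in a mount option or a path, would fail it, so checking only the root field of the cgroup line would make the assertion precise, which is a readability point rather than a defect in what the commit tests. The enclosing Describe block starts and ends outside the hunk.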