podman: allow to specify the PID namespace to join

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1145
Approved by: rhatdan

cmd/podman/create.go

@@ -369,7 +369,7 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
 	tty := c.Bool("tty")
 
 	pidMode := container.PidMode(c.String("pid"))
-	if !pidMode.Valid() {
+	if !cc.IsNS(string(pidMode)) && !pidMode.Valid() {
 		return nil, errors.Errorf("--pid %q is not valid", c.String("pid"))
 	}
 

docs/podman-create.1.md

@@ -411,6 +411,7 @@ Set the PID mode for the container
 Default is to create a private PID namespace for the container
                 'container:<name|id>': join another container's PID namespace
                 'host': use the host's PID namespace for the container. Note: the host mode gives the container full access to local PID and is therefore considered insecure.
+                 'ns': join the specified PID namespace
 
 **--pids-limit**=""
 

docs/podman-run.1.md

@@ -427,6 +427,7 @@ Default is to create a private PID namespace for the container
 
 - `container:<name|id>`: join another container's PID namespace
 - `host`: use the host's PID namespace for the container. Note: the host mode gives the container full access to local PID and is therefore considered insecure.
+- `ns`: join the specified PID namespace
 
 **--pids-limit**=""
 

pkg/spec/spec.go

@@ -316,6 +316,9 @@ func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator)
 
 func addPidNS(config *CreateConfig, g *generate.Generator) error {
 	pidMode := config.PidMode
+	if IsNS(string(pidMode)) {
+		return g.AddOrReplaceLinuxNamespace(string(spec.PIDNamespace), NS(string(pidMode)))
+	}
 	if pidMode.IsHost() {
 		return g.RemoveLinuxNamespace(string(spec.PIDNamespace))
 	}