inspect with network=none show SandboxKey netns path

We do not use any special netns path for the netns=none case, however callers that inspect that may still wish to join the netns path directly without extra work to figure out /proc/$pid/ns/net. Fixes #16716 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-07-02 16:57:24 +08:00 · 2023-07-31 14:07:35 +02:00
parent b6a52f1f8b
commit ada71889c7
4 changed files with 22 additions and 7 deletions
--- a/libpod/networking_common.go
+++ b/libpod/networking_common.go
@ -249,7 +249,7 @@ func (c *Container) getContainerNetworkInfo() (*define.InspectNetworkSettings, e
 	}

 	if c.state.NetNS == "" {
-		if networkNSPath := c.joinedNetworkNSPath(); networkNSPath != "" {
+		if networkNSPath, set := c.joinedNetworkNSPath(); networkNSPath != "" {
 			if result, err := c.inspectJoinedNetworkNS(networkNSPath); err == nil {
 				// fallback to dummy configuration
 				settings.InspectBasicNetworkConfig = resultToBasicNetworkConfig(result)
@ -258,6 +258,12 @@ func (c *Container) getContainerNetworkInfo() (*define.InspectNetworkSettings, e
 				logrus.Errorf("Inspecting network namespace: %s of container %s: %v", networkNSPath, c.ID(), err)
 			}
 			return settings, nil
+		} else if set {
+			// network none case, if running allow user to join netns via sandbox key
+			// https://github.com/containers/podman/issues/16716
+			if c.state.PID > 0 {
+				settings.SandboxKey = fmt.Sprintf("/proc/%d/ns/net", c.state.PID)
+			}
 		}
 		// We can't do more if the network is down.
 		// We still want to make dummy configurations for each network
--- a/libpod/networking_freebsd.go
+++ b/libpod/networking_freebsd.go
@ -254,8 +254,8 @@ func getContainerNetIO(ctr *Container) (*LinkStatistics64, error) {
 	return &LinkStatistics64{}, nil
 }

-func (c *Container) joinedNetworkNSPath() string {
-	return c.state.NetNS
+func (c *Container) joinedNetworkNSPath() (string, bool) {
+	return c.state.NetNS, false
 }

 func (c *Container) inspectJoinedNetworkNS(networkns string) (q types.StatusBlock, retErr error) {
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@ -694,13 +694,14 @@ func getContainerNetIO(ctr *Container) (*netlink.LinkStatistics, error) {
 	return netStats, err
 }

-func (c *Container) joinedNetworkNSPath() string {
+// joinedNetworkNSPath returns netns path and bool if netns was set
+func (c *Container) joinedNetworkNSPath() (string, bool) {
 	for _, namespace := range c.config.Spec.Linux.Namespaces {
 		if namespace.Type == specs.NetworkNamespace {
-			return namespace.Path
+			return namespace.Path, true
 		}
 	}
-	return ""
+	return "", false
 }

 func (c *Container) inspectJoinedNetworkNS(networkns string) (q types.StatusBlock, retErr error) {
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@ -834,10 +834,18 @@ EOF
        run_podman create --network=$network $IMAGE
        cid=${output}
        run_podman inspect --format '{{ .NetworkSettings.Networks }}' $cid
-        is "$output" "map\[$network:.*" "NeworkSettincs should contain one network named $network"
+        is "$output" "map\[$network:.*" "NeworkSettings should contain one network named $network"
+        run_podman inspect --format '{{ .NetworkSettings.SandboxKey }}' $cid
+        assert "$output" == "" "SandboxKey for network=$network should be empty when not running"
        run_podman rm $cid
    done

+    run_podman run -d --network=none $IMAGE top
+    cid=${output}
+    run_podman inspect --format '{{ .NetworkSettings.SandboxKey }}' $cid
+    assert "$output" =~ "^/proc/[0-9]+/ns/net\$" "SandboxKey for network=none when running"
+    run_podman rm -f -t0 $cid
+
    # Check with ns:/PATH
    if ! is_rootless; then
        netns=netns$(random_string)