opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-29 06:57:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

pods: do not to join a userns if there is not any

Browse Source 
do not attempt to join the user namespace if the pod is running in the
host user namespace.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano
2019-07-25 14:55:05 +02:00
parent 7c9095ea1d
commit ba5741e398
2 changed files with 32 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
cmd/podman/shared/create.go
View File

@ -282,13 +282,26 @@ func configurePod(c *GenericCLIResults, runtime *libpod.Runtime, namespaces map[
if err != nil { if err != nil {
return namespaces, err return namespaces, err
} }
hasUserns := false
if podInfraID != "" {
podCtr, err := runtime.GetContainer(podInfraID)
if err != nil {
return namespaces, err
}
mappings, err := podCtr.IDMappings()
if err != nil {
return namespaces, err
}
hasUserns = len(mappings.UIDMap) > 0
}
if (namespaces["pid"] == cc.Pod) || (!c.IsSet("pid") && pod.SharesPID()) { if (namespaces["pid"] == cc.Pod) || (!c.IsSet("pid") && pod.SharesPID()) {
namespaces["pid"] = fmt.Sprintf("container:%s", podInfraID) namespaces["pid"] = fmt.Sprintf("container:%s", podInfraID)
} }
if (namespaces["net"] == cc.Pod) || (!c.IsSet("net") && !c.IsSet("network") && pod.SharesNet()) { if (namespaces["net"] == cc.Pod) || (!c.IsSet("net") && !c.IsSet("network") && pod.SharesNet()) {
namespaces["net"] = fmt.Sprintf("container:%s", podInfraID) namespaces["net"] = fmt.Sprintf("container:%s", podInfraID)
} }
if (namespaces["user"] == cc.Pod) || (!c.IsSet("user") && pod.SharesUser()) { if hasUserns && (namespaces["user"] == cc.Pod) || (!c.IsSet("user") && pod.SharesUser()) {
namespaces["user"] = fmt.Sprintf("container:%s", podInfraID) namespaces["user"] = fmt.Sprintf("container:%s", podInfraID)
} }
if (namespaces["ipc"] == cc.Pod) || (!c.IsSet("ipc") && pod.SharesIPC()) { if (namespaces["ipc"] == cc.Pod) || (!c.IsSet("ipc") && pod.SharesIPC()) {

22
pkg/adapter/pods.go
View File

@ -492,14 +492,28 @@ func (r *LocalRuntime) PlayKubeYAML(ctx context.Context, c *cliconfig.KubePlayVa
if err != nil { if err != nil {
return nil, err return nil, err
} }
hasUserns := false
if podInfraID != "" {
podCtr, err := r.GetContainer(podInfraID)
if err != nil {
return nil, err
}
mappings, err := podCtr.IDMappings()
if err != nil {
return nil, err
}
hasUserns = len(mappings.UIDMap) > 0
}
namespaces := map[string]string{ namespaces := map[string]string{
// Disabled during code review per mheon // Disabled during code review per mheon
//"pid": fmt.Sprintf("container:%s", podInfraID), //"pid": fmt.Sprintf("container:%s", podInfraID),
"net": fmt.Sprintf("container:%s", podInfraID), "net": fmt.Sprintf("container:%s", podInfraID),
"user": fmt.Sprintf("container:%s", podInfraID), "ipc": fmt.Sprintf("container:%s", podInfraID),
"ipc": fmt.Sprintf("container:%s", podInfraID), "uts": fmt.Sprintf("container:%s", podInfraID),
"uts": fmt.Sprintf("container:%s", podInfraID), }
if hasUserns {
namespaces["user"] = fmt.Sprintf("container:%s", podInfraID)
} }
if !c.Quiet { if !c.Quiet {
writer = os.Stderr writer = os.Stderr