Specifying --ipc=host --pid=host is broken

For some reason we were overwriting memory when handling both --pid=host and --ipc=host. Simplified the code to handle this correctly, and add test to make sure it does not happen again. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-06-23 02:18:13 +08:00 · 2020-07-28 09:18:21 -04:00
parent 288ebec6e7
commit bb4d269087
4 changed files with 75 additions and 24 deletions
--- a/cmd/podman/common/create_opts.go
+++ b/cmd/podman/common/create_opts.go
@ -10,7 +10,7 @@ type ContainerCLIOpts struct {
 	BlkIOWeightDevice []string
 	CapAdd            []string
 	CapDrop           []string
-	CGroupsNS         string
+	CgroupNS          string
 	CGroupsMode       string
 	CGroupParent      string
 	CIDFile           string
--- a/cmd/podman/common/specgen.go
+++ b/cmd/podman/common/specgen.go
@ -186,6 +186,46 @@ func getMemoryLimits(s *specgen.SpecGenerator, c *ContainerCLIOpts) (*specs.Linu
 	return memory, nil
 }

+func setNamespaces(s *specgen.SpecGenerator, c *ContainerCLIOpts) error {
+	var err error
+
+	if c.PID != "" {
+		s.PidNS, err = specgen.ParseNamespace(c.PID)
+		if err != nil {
+			return err
+		}
+	}
+	if c.IPC != "" {
+		s.IpcNS, err = specgen.ParseNamespace(c.IPC)
+		if err != nil {
+			return err
+		}
+	}
+	if c.UTS != "" {
+		s.UtsNS, err = specgen.ParseNamespace(c.UTS)
+		if err != nil {
+			return err
+		}
+	}
+	if c.CgroupNS != "" {
+		s.CgroupNS, err = specgen.ParseNamespace(c.CgroupNS)
+		if err != nil {
+			return err
+		}
+	}
+	// userns must be treated differently
+	if c.UserNS != "" {
+		s.UserNS, err = specgen.ParseUserNamespace(c.UserNS)
+		if err != nil {
+			return err
+		}
+	}
+	if c.Net != nil {
+		s.NetNS = c.Net.Network
+	}
+	return nil
+}
+
 func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string) error {
 	var (
 		err error
@ -252,28 +292,8 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 	}
 	s.Expose = expose

-	for k, v := range map[string]*specgen.Namespace{
-		c.IPC:       &s.IpcNS,
-		c.PID:       &s.PidNS,
-		c.UTS:       &s.UtsNS,
-		c.CGroupsNS: &s.CgroupNS,
-	} {
-		if k != "" {
-			*v, err = specgen.ParseNamespace(k)
-			if err != nil {
-				return err
-			}
-		}
-	}
-	// userns must be treated differently
-	if c.UserNS != "" {
-		s.UserNS, err = specgen.ParseUserNamespace(c.UserNS)
-		if err != nil {
-			return err
-		}
-	}
-	if c.Net != nil {
-		s.NetNS = c.Net.Network
+	if err := setNamespaces(s, c); err != nil {
+		return err
 	}

 	if sig := c.StopSignal; len(sig) > 0 {
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@ -195,7 +195,7 @@ func createInit(c *cobra.Command) error {
 	cliVals.IPC = c.Flag("ipc").Value.String()
 	cliVals.UTS = c.Flag("uts").Value.String()
 	cliVals.PID = c.Flag("pid").Value.String()
-	cliVals.CGroupsNS = c.Flag("cgroupns").Value.String()
+	cliVals.CgroupNS = c.Flag("cgroupns").Value.String()
 	if c.Flag("entrypoint").Changed {
 		val := c.Flag("entrypoint").Value.String()
 		cliVals.Entrypoint = &val
--- a/test/e2e/run_ns_test.go
+++ b/test/e2e/run_ns_test.go
@ -2,6 +2,7 @@ package integration

 import (
 	"os"
+	"os/exec"
 	"strings"

 	. "github.com/containers/podman/v2/test/utils"
@ -102,4 +103,34 @@ var _ = Describe("Podman run ns", func() {
 		session.WaitWithDefaultTimeout()
 		Expect(session).To(ExitWithError())
 	})
+
+	It("podman run --ipc=host --pid=host", func() {
+		cmd := exec.Command("ls", "-l", "/proc/self/ns/pid")
+		res, err := cmd.Output()
+		Expect(err).To(BeNil())
+		fields := strings.Split(string(res), " ")
+		hostPidNS := strings.TrimSuffix(fields[len(fields)-1], "\n")
+
+		cmd = exec.Command("ls", "-l", "/proc/self/ns/ipc")
+		res, err = cmd.Output()
+		Expect(err).To(BeNil())
+		fields = strings.Split(string(res), " ")
+		hostIpcNS := strings.TrimSuffix(fields[len(fields)-1], "\n")
+
+		session := podmanTest.Podman([]string{"run", "--ipc=host", "--pid=host", ALPINE, "ls", "-l", "/proc/self/ns/pid"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		fields = strings.Split(session.OutputToString(), " ")
+		ctrPidNS := strings.TrimSuffix(fields[len(fields)-1], "\n")
+
+		session = podmanTest.Podman([]string{"run", "--ipc=host", "--pid=host", ALPINE, "ls", "-l", "/proc/self/ns/ipc"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		fields = strings.Split(session.OutputToString(), " ")
+		ctrIpcNS := strings.TrimSuffix(fields[len(fields)-1], "\n")
+
+		Expect(hostPidNS).To(Equal(ctrPidNS))
+		Expect(hostIpcNS).To(Equal(ctrIpcNS))
+	})
+
 })