Merge pull request #6152 from mheon/fix_pod_join_cgroupns

Fix bug where pods would unintentionally share cgroupns
2025-12-19 07:09:39 +08:00 · 2020-05-09 23:06:51 +02:00
parent 3ff96383f3 8238b7e706
commit dc7d6f4818
5 changed files with 82 additions and 10 deletions
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -580,7 +580,10 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
 	networkMode := ""
 	switch {
 	case c.config.CreateNetNS:
-		networkMode = "default"
+		// We actually store the network
+		// mode for Slirp and Bridge, so
+		// we can just use that
+		networkMode = string(c.config.NetMode)
 	case c.config.NetNsCtr != "":
 		networkMode = fmt.Sprintf("container:%s", c.config.NetNsCtr)
 	default:
@@ -594,7 +597,10 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
 				if ns.Path != "" {
 					networkMode = fmt.Sprintf("ns:%s", ns.Path)
 				} else {
-					networkMode = "private"
+					// We're making a network ns,  but not
+					// configuring with Slirp or CNI. That
+					// means it's --net=none
+					networkMode = "none"
 				}
 				break
 			}
@@ -698,6 +704,30 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
 	}
 	hostConfig.IpcMode = ipcMode

+	// Cgroup namespace mode
+	cgroupMode := ""
+	if c.config.CgroupNsCtr != "" {
+		cgroupMode = fmt.Sprintf("container:%s", c.config.CgroupNsCtr)
+	} else if ctrSpec.Linux != nil {
+		// Locate the spec's cgroup namespace
+		// If there is none, it's cgroup=host.
+		// If there is one and it has a path, it's "ns:".
+		// If there is no path, it's private.
+		for _, ns := range ctrSpec.Linux.Namespaces {
+			if ns.Type == spec.CgroupNamespace {
+				if ns.Path != "" {
+					cgroupMode = fmt.Sprintf("ns:%s", ns.Path)
+				} else {
+					cgroupMode = "private"
+				}
+			}
+		}
+		if cgroupMode == "" {
+			cgroupMode = "host"
+		}
+	}
+	hostConfig.CgroupMode = cgroupMode
+
 	// CGroup parent
 	// Need to check if it's the default, and not print if so.
 	defaultCgroupParent := ""
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -228,6 +228,13 @@ type InspectContainerHostConfig struct {
 	// include a Mounts field in inspect.
 	// Format: <src>:<destination>[:<comma-separated options>]
 	Binds []string `json:"Binds"`
+	// CgroupMode is the configuration of the container's cgroup namespace.
+	// Populated as follows:
+	// private - a cgroup namespace has been created
+	// host - No cgroup namespace created
+	// container:<id> - Using another container's cgroup namespace
+	// ns:<path> - A path to a cgroup namespace has been specified
+	CgroupMode string `json:"CgroupMode"`
 	// ContainerIDFile is a file created during container creation to hold
 	// the ID of the created container.
 	// This is not handled within libpod and is stored in an annotation.
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1692,6 +1692,22 @@ func WithPodUTS() PodCreateOption {
 	}
 }

+// WithPodCgroup tells containers in this pod to use the cgroup namespace
+// created for this pod.
+// Containers in a pod will inherit the kernel namespaces from the first
+// container added.
+func WithPodCgroup() PodCreateOption {
+	return func(pod *Pod) error {
+		if pod.valid {
+			return define.ErrPodFinalized
+		}
+
+		pod.config.UsePodCgroupNS = true
+
+		return nil
+	}
+}
+
 // WithInfraContainer tells the pod to create a pause container
 func WithInfraContainer() PodCreateOption {
 	return func(pod *Pod) error {
--- a/libpod/pod.go
+++ b/libpod/pod.go
@@ -51,12 +51,13 @@ type PodConfig struct {

 	// The following UsePod{kernelNamespace} indicate whether the containers
 	// in the pod will inherit the namespace from the first container in the pod.
-	UsePodPID   bool `json:"sharesPid,omitempty"`
-	UsePodIPC   bool `json:"sharesIpc,omitempty"`
-	UsePodNet   bool `json:"sharesNet,omitempty"`
-	UsePodMount bool `json:"sharesMnt,omitempty"`
-	UsePodUser  bool `json:"sharesUser,omitempty"`
-	UsePodUTS   bool `json:"sharesUts,omitempty"`
+	UsePodPID      bool `json:"sharesPid,omitempty"`
+	UsePodIPC      bool `json:"sharesIpc,omitempty"`
+	UsePodNet      bool `json:"sharesNet,omitempty"`
+	UsePodMount    bool `json:"sharesMnt,omitempty"`
+	UsePodUser     bool `json:"sharesUser,omitempty"`
+	UsePodUTS      bool `json:"sharesUts,omitempty"`
+	UsePodCgroupNS bool `json:"sharesCgroupNS,omitempty"`

 	InfraContainer *InfraContainerConfig `json:"infraConfig"`

@@ -167,7 +168,7 @@ func (p *Pod) SharesUTS() bool {
 // SharesCgroup returns whether containers in the pod will default to this pod's
 // cgroup instead of the default libpod parent
 func (p *Pod) SharesCgroup() bool {
-	return p.config.UsePodCgroup
+	return p.config.UsePodCgroupNS
 }

 // CgroupPath returns the path to the pod's CGroup
--- a/libpod/pod_api.go
+++ b/libpod/pod_api.go
@@ -466,6 +466,24 @@ func (p *Pod) Inspect() (*define.InspectPodData, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	namespaces := map[string]bool{
+		"pid":    p.config.UsePodPID,
+		"ipc":    p.config.UsePodIPC,
+		"net":    p.config.UsePodNet,
+		"mount":  p.config.UsePodMount,
+		"user":   p.config.UsePodUser,
+		"uts":    p.config.UsePodUTS,
+		"cgroup": p.config.UsePodCgroupNS,
+	}
+
+	sharesNS := []string{}
+	for nsStr, include := range namespaces {
+		if include {
+			sharesNS = append(sharesNS, nsStr)
+		}
+	}
+
 	inspectData := define.InspectPodData{
 		ID:               p.ID(),
 		Name:             p.Name(),
@@ -480,7 +498,7 @@ func (p *Pod) Inspect() (*define.InspectPodData, error) {
 		CreateInfra:      false,
 		InfraContainerID: p.state.InfraContainerID,
 		InfraConfig:      nil,
-		SharedNamespaces: nil,
+		SharedNamespaces: sharesNS,
 		NumContainers:    uint(len(containers)),
 		Containers:       ctrs,
 	}