shared netns and --add-host should conflict

Because /etc/hosts is shared for all containers with a shared network namespace you should not be able to add hosts from a joined container. Only the primary netns container can set the hosts. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-08-06 19:44:14 +08:00 · 2022-04-21 12:29:31 +02:00
parent cf1b0c1965
commit e4ab8a5bed
3 changed files with 26 additions and 9 deletions
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@ -38,6 +38,13 @@ func (s *SpecGenerator) Validate() error {
 		if len(s.PortMappings) > 0 || s.PublishExposedPorts {
 			return errors.Wrap(define.ErrNetworkOnPodContainer, "published or exposed ports must be defined when the pod is created")
 		}
+		if len(s.HostAdd) > 0 {
+			return errors.Wrap(define.ErrNetworkOnPodContainer, "extra host entries must be specified on the pod")
+		}
+	}
+
+	if s.NetNS.IsContainer() && len(s.HostAdd) > 0 {
+		return errors.Wrap(ErrInvalidSpecConfig, "cannot set extra host entries when the container is joined to another containers network namespace")
 	}

 	//
--- a/test/e2e/pod_infra_container_test.go
+++ b/test/e2e/pod_infra_container_test.go
@ -377,21 +377,19 @@ var _ = Describe("Podman pod create", func() {
 		Expect(result.OutputToString()).To(ContainSubstring(infraID))
 	})

-	It("podman run --add-host in pod", func() {
-		session := podmanTest.Podman([]string{"pod", "create"})
+	It("podman run --add-host in pod should fail", func() {
+		session := podmanTest.Podman([]string{"pod", "create", "--add-host", "host1:127.0.0.1"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 		podID := session.OutputToString()

-		// verify we can add a host to the infra's /etc/hosts
-		// N/B: Using alpine for ping, since BB ping throws
-		//      permission denied error as of Fedora 33.
-		session = podmanTest.Podman([]string{"run", "--pod", podID, "--add-host", "foobar:127.0.0.1", ALPINE, "ping", "-c", "1", "foobar"})
+		session = podmanTest.Podman([]string{"create", "--pod", podID, "--add-host", "foobar:127.0.0.1", ALPINE, "ping", "-c", "1", "foobar"})
 		session.WaitWithDefaultTimeout()
-		Expect(session).Should(Exit(0))
+		Expect(session).Should(ExitWithError())
+		Expect(session.ErrorToString()).To(ContainSubstring("extra host entries must be specified on the pod: network cannot be configured when it is shared with a pod"))

-		// verify we can see the other hosts of infra's /etc/hosts
-		session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "ping", "-c", "1", "foobar"})
+		// verify we can see the pods hosts
+		session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "ping", "-c", "1", "host1"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 	})
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
@ -608,6 +608,18 @@ EXPOSE 2004-2005/tcp`, ALPINE)
 		Expect(ctr2).Should(Exit(0))
 	})

+	It("podman run --net container: and --add-host should fail", func() {
+		ctrName := "ctrToJoin"
+		ctr1 := podmanTest.RunTopContainer(ctrName)
+		ctr1.WaitWithDefaultTimeout()
+		Expect(ctr1).Should(Exit(0))
+
+		ctr2 := podmanTest.Podman([]string{"run", "-d", "--net=container:" + ctrName, "--add-host", "host1:127.0.0.1", ALPINE, "true"})
+		ctr2.WaitWithDefaultTimeout()
+		Expect(ctr2).Should(ExitWithError())
+		Expect(ctr2.ErrorToString()).Should(ContainSubstring("cannot set extra host entries when the container is joined to another containers network namespace: invalid configuration"))
+	})
+
 	It("podman run --net container: copies hosts and resolv", func() {
 		ctrName := "ctr1"
 		ctr1 := podmanTest.RunTopContainer(ctrName)