github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

cri/sbserver: Fix net.ipv4.ping_group_range with userns

Browse Source 
This commit just updates the sbserver with the same fix we did on main:
	9bf5aeca77 ("cri: Fix net.ipv4.ping_group_range with userns ")

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
This commit is contained in:
Rodrigo Campos 2023-07-07 17:33:49 +02:00
parent 36a96d7f32
commit 1c6e268447
1 changed files with 1 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
View File

@ -166,10 +166,7 @@ func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxC
if c.config.EnableUnprivilegedPorts && !ipUnprivilegedPortStart {
sysctls["net.ipv4.ip_unprivileged_port_start"] = "0"
}
// TODO (rata): We need to set this only if the pod will
// **not** use user namespaces either.
// This will be done when user namespaces is ported to sbserver.
if c.config.EnableUnprivilegedICMP && !pingGroupRange && !userns.RunningInUserNS() {
if c.config.EnableUnprivilegedICMP && !pingGroupRange && !userns.RunningInUserNS() && !usernsEnabled {
sysctls["net.ipv4.ping_group_range"] = "0 2147483647"
}
}