From 9bd49c98c6d010c6466efa7213205b1253484508 Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Wed, 27 Mar 2019 15:05:05 -0700
Subject: [PATCH 1/2] No UTS namespace for hostnetwork.

Signed-off-by: Lantao Liu
---
 pkg/server/sandbox_run.go | 1 +
 pkg/server/sandbox_run_test.go | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go
index 660d09bab..aaddfd1db 100644
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@@ -385,6 +385,7 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod
 )
 if nsOptions.GetNetwork() == runtime.NamespaceMode_NODE {
 specOpts = append(specOpts, customopts.WithoutNamespace(runtimespec.NetworkNamespace))
+ specOpts = append(specOpts, customopts.WithoutNamespace(runtimespec.UTSNamespace))
 } else {
 //TODO(Abhi): May be move this to containerd spec opts (WithLinuxSpaceOption)
 specOpts = append(specOpts, oci.WithLinuxNamespace(
diff --git a/pkg/server/sandbox_run_test.go b/pkg/server/sandbox_run_test.go
index 1c8a497a7..244a94a1c 100644
--- a/pkg/server/sandbox_run_test.go
+++ b/pkg/server/sandbox_run_test.go
@@ -101,6 +101,9 @@ func TestGenerateSandboxContainerSpec(t *testing.T) {
 Type: runtimespec.NetworkNamespace,
 Path: nsPath,
 })
+ assert.Contains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
+ Type: runtimespec.UTSNamespace,
+ })
 assert.Contains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
 Type: runtimespec.PIDNamespace,
 })
@@ -125,6 +128,9 @@ func TestGenerateSandboxContainerSpec(t *testing.T) {
 assert.NotContains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
 Type: runtimespec.NetworkNamespace,
 })
+ assert.NotContains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
+ Type: runtimespec.UTSNamespace,
+ })
 assert.NotContains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
 Type: runtimespec.PIDNamespace,
 })
From 4b4182cf592590af1842ea755e278e53486d288b Mon Sep 17 00:00:00 2001
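Review bot: The appended WithoutNamespace(runtimespec.UTSNamespace) line carries no comment saying why a host-network sandbox must also share the host UTS namespace, and the user-visible consequence is not stated anywhere near it: a host-network pod can no longer carry its own hostname, which is exactly what patch 2/2's integration test changes to expect as a RunPodSandbox error. Add `// Host network pods share the host UTS namespace as well, so the pod cannot set its own hostname.` above the new line. If the pod config's hostname is still copied into the spec on this path (not visible in the hunk), consider rejecting that combination early with a clear error instead of relying on the runtime to refuse the spec. generateSandboxContainerSpec starts and ends outside the hunk.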
From: Lantao Liu
Date: Thu, 28 Mar 2019 01:38:04 -0700
Subject: [PATCH 2/2] Do not assume there is no duplicated elements in arrays.

Signed-off-by: Lantao Liu
---
 integration/pod_hostname_test.go | 25 ++++++++++++++++++-------
 pkg/containerd/opts/spec.go | 25 +++++++++++++++----------
 pkg/containerd/opts/spec_test.go | 2 +-
 3 files changed, 34 insertions(+), 18 deletions(-)

diff --git a/integration/pod_hostname_test.go b/integration/pod_hostname_test.go
index d9886fcb8..2c0eb6977 100644
--- a/integration/pod_hostname_test.go
+++ b/integration/pod_hostname_test.go
@@ -34,6 +34,7 @@ func TestPodHostname(t *testing.T) {
 for name, test := range map[string]struct {
 opts []PodSandboxOpts
 expectedHostname string
+ expectErr bool
 }{
 "regular pod with custom hostname": {
 opts: []PodSandboxOpts{
@@ -47,12 +48,12 @@ func TestPodHostname(t *testing.T) {
 },
 expectedHostname: hostname,
 },
- "host network pod with custom hostname": {
+ "host network pod with custom hostname should fail": {
 opts: []PodSandboxOpts{
 WithHostNetwork,
 WithPodHostname("test-hostname"),
 },
- expectedHostname: "test-hostname",
+ expectErr: true,
 },
 } {
 t.Run(name, func(t *testing.T) {
@@ -64,11 +65,21 @@ func TestPodHostname(t *testing.T) {
 t.Log("Create a sandbox with hostname")
 sbConfig := PodSandboxConfig("sandbox", "hostname", opts...)
 sb, err := runtimeService.RunPodSandbox(sbConfig, *runtimeHandler)
- require.NoError(t, err)
- defer func() {
- assert.NoError(t, runtimeService.StopPodSandbox(sb))
- assert.NoError(t, runtimeService.RemovePodSandbox(sb))
- }()
+ if err != nil {
+ if !test.expectErr {
+ t.Fatalf("Unexpected RunPodSandbox error: %v", err)
+ }
+ return
+ } else {
+ // Make sure the sandbox is cleaned up.
+ defer func() {
+ assert.NoError(t, runtimeService.StopPodSandbox(sb))
+ assert.NoError(t, runtimeService.RemovePodSandbox(sb))
+ }()
+ if test.expectErr {
+ t.Fatalf("Expected RunPodSandbox to return error")
+ }
+ }
 
 const (
 testImage = "busybox"
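Review bot: In the new RunPodSandbox error handling (third hunk of pod_hostname_test.go) the `else` follows a branch that always returns, so it only adds a level of indentation to the happy path; drop the `else` and let the deferred cleanup and the `if test.expectErr { ... }` check sit directly after the `if err != nil { ... return }` block. The second Fatalf has no format verbs, so `t.Fatal("Expected RunPodSandbox to return error")` is the plainer call. The subtest body continues past the end of the hunk.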
diff --git a/pkg/containerd/opts/spec.go b/pkg/containerd/opts/spec.go
index 6eb244605..0391e016b 100644
--- a/pkg/containerd/opts/spec.go
+++ b/pkg/containerd/opts/spec.go
@@ -64,15 +64,19 @@ func WithAdditionalGIDs(userstr string) oci.SpecOpts {
 }
 
 func mergeGids(gids1, gids2 []uint32) []uint32 {
+ gidsMap := make(map[uint32]struct{})
 for _, gid1 := range gids1 {
- for i, gid2 := range gids2 {
- if gid1 == gid2 {
- gids2 = append(gids2[:i], gids2[i+1:]...)
- break
- }
- }
+ gidsMap[gid1] = struct{}{}
 }
- return append(gids1, gids2...)
+ for _, gid2 := range gids2 {
+ gidsMap[gid2] = struct{}{}
+ }
+ var gids []uint32
+ for gid := range gidsMap {
+ gids = append(gids, gid)
+ }
+ sort.Slice(gids, func(i, j int) bool { return gids[i] < gids[j] })
+ return gids
 }
 
 // WithoutRunMount removes the `/run` inside the spec
@@ -668,12 +672,13 @@ func WithoutNamespace(t runtimespec.LinuxNamespaceType) oci.SpecOpts {
 if s.Linux == nil {
 return nil
 }
+ var namespaces []runtimespec.LinuxNamespace
 for i, ns := range s.Linux.Namespaces {
- if ns.Type == t {
- s.Linux.Namespaces = append(s.Linux.Namespaces[:i], s.Linux.Namespaces[i+1:]...)
- return nil
+ if ns.Type != t {
+ namespaces = append(namespaces, s.Linux.Namespaces[i])
 }
 }
+ s.Linux.Namespaces = namespaces
 return nil
 }
 }
diff --git a/pkg/containerd/opts/spec_test.go b/pkg/containerd/opts/spec_test.go
index 0b814331d..5a7970e3b 100644
--- a/pkg/containerd/opts/spec_test.go
+++ b/pkg/containerd/opts/spec_test.go
@@ -28,7 +28,7 @@ import (
 func TestMergeGids(t *testing.T) {
 gids1 := []uint32{3, 2, 1}
 gids2 := []uint32{2, 3, 4}
- assert.Equal(t, []uint32{3, 2, 1, 4}, mergeGids(gids1, gids2))
+ assert.Equal(t, []uint32{1, 2, 3, 4}, mergeGids(gids1, gids2))
 }
 
 func TestOrderedMounts(t *testing.T) {
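Review bot: mergeGids now returns a sorted, de-duplicated union instead of gids1's order followed by what was left of gids2, but the function still has no doc comment recording that contract; add `// mergeGids returns the sorted union of gids1 and gids2 with duplicates removed. The result is nil when both inputs are empty.` above the signature. A one-line why-comment on the sort.Slice call, such as `// map iteration order is random; sort so the supplementary group list is deterministic`, would explain the sort to the next reader. The ordering change is observable to callers that compare the slice directly, as the updated expectation in spec_test.go in this same commit shows.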
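Review bot: The rewritten loop in WithoutNamespace ranges with both `i` and `ns`, tests `ns.Type`, and then re-indexes `s.Linux.Namespaces[i]` to append the same element; `for _, ns := range s.Linux.Namespaces { if ns.Type != t { namespaces = append(namespaces, ns) } }` is equivalent and drops the unused index. Behaviour also changed from removing only the first namespace of type t to removing every one, so if the doc comment on WithoutNamespace (above the hunk, not visible here) still describes a single removal it should be updated to say all entries of that type are dropped. The opening lines of the returned SpecOpts closure are outside the hunk.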
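Review bot: TestMergeGids still feeds mergeGids two inputs with no repeated elements, so the duplicate case the commit title describes is not exercised; add, for example, `assert.Equal(t, []uint32{1, 2, 3}, mergeGids([]uint32{1, 1, 2}, []uint32{2, 2, 3}))` next to the existing assertion. Since the new implementation returns nil when nothing is collected, `assert.Nil(t, mergeGids(nil, nil))` would pin that boundary as well.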