Support PID NamespaceMode_TARGET

This commit adds support for the PID namespace mode TARGET when generating a container spec. The container that is created will be sharing its PID namespace with the target container that was specified by ID in the namespace options. Signed-off-by: Thomas Hartland <thomas.george.hartland@cern.ch>
2021-03-11 16:43:28 +00:00
parent 7b7a230dd2
commit b48f27df6b
4 changed files with 56 additions and 6 deletions
--- a/pkg/cri/server/helpers.go
+++ b/pkg/cri/server/helpers.go
@@ -242,6 +242,30 @@ func (c *criService) ensureImageExists(ctx context.Context, ref string, config *
 	return &newImage, nil
 }

+// validateTargetContainer checks that a container is a valid
+// target for a container using PID NamespaceMode_TARGET.
+// The target container must be in the same sandbox and must be running.
+// Returns the target container for convenience.
+func (c *criService) validateTargetContainer(sandboxID, targetContainerID string) (containerstore.Container, error) {
+	targetContainer, err := c.containerStore.Get(targetContainerID)
+	if err != nil {
+		return containerstore.Container{}, errors.Wrapf(err, "container %q does not exist", targetContainerID)
+	}
+
+	targetSandboxID := targetContainer.Metadata.SandboxID
+	if targetSandboxID != sandboxID {
+		return containerstore.Container{},
+			errors.Errorf("container %q (sandbox %s) does not belong to sandbox %s", targetContainerID, targetSandboxID, sandboxID)
+	}
+
+	status := targetContainer.Status.Get()
+	if state := status.State(); state != runtime.ContainerState_CONTAINER_RUNNING {
+		return containerstore.Container{}, errors.Errorf("container %q is not running - in state %s", targetContainerID, state)
+	}
+
+	return targetContainer, nil
+}
+
 // isInCRIMounts checks whether a destination is in CRI mount list.
 func isInCRIMounts(dst string, mounts []*runtime.Mount) bool {
 	for _, m := range mounts {