From f46cd1a71a3eb5a8bea4eeadd97b18600089ff98 Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Mon, 28 Aug 2017 03:58:45 +0000
Subject: [PATCH] Disable pid namespace sharing
Signed-off-by: Lantao Liu
---
 pkg/server/container_create.go | 5 ++++-
 pkg/server/container_create_test.go | 28 ++++++++++++++++++++++++----
 pkg/server/helpers.go | 7 -------
 3 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index b8c74dfab..7a4772893 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -499,5 +499,8 @@ func setOCINamespaces(g *generate.Generator, namespaces *runtime.NamespaceOption
 g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), getNetworkNamespace(sandboxPid)) // nolint: errcheck
 g.AddOrReplaceLinuxNamespace(string(runtimespec.IPCNamespace), getIPCNamespace(sandboxPid)) // nolint: errcheck
 g.AddOrReplaceLinuxNamespace(string(runtimespec.UTSNamespace), getUTSNamespace(sandboxPid)) // nolint: errcheck
- g.AddOrReplaceLinuxNamespace(string(runtimespec.PIDNamespace), getPIDNamespace(sandboxPid)) // nolint: errcheck
+ // Do not share pid namespace for now.
+ if namespaces.GetHostPid() {
+ g.RemoveLinuxNamespace(string(runtimespec.PIDNamespace)) // nolint: errcheck
+ }
 }
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
index 6d2d80c68..66c98d89e 100644
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@@ -166,10 +166,6 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 Type: runtimespec.UTSNamespace,
 Path: getUTSNamespace(sandboxPid),
 })
- assert.Contains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
- Type: runtimespec.PIDNamespace,
- Path: getPIDNamespace(sandboxPid),
- })
 }
 return config, sandboxConfig, imageConfig, specCheck
 }
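Review bot: The new comment `// Do not share pid namespace for now.` does not describe what the branch under it does: the sandbox pid namespace is no longer joined, but when the pod sets HostPid the PID namespace entry is removed from the spec, so that container runs in the host pid namespace and shares the host's process table. A comment stating both outcomes serves the next reader better, e.g. `// Do not join the sandbox pid namespace for now: keep the generator's default (a private pid namespace), or drop the entry entirely when the pod asks for host pid, in which case the container shares the host's process table.` setOCINamespaces starts outside the hunk, so it is not visible whether `namespaces` can be nil here; the branch is safe only if `GetHostPid` is the nil-tolerant generated getter, which it presumably is. The ignored error on `RemoveLinuxNamespace` follows the `// nolint: errcheck` convention of the lines above, so that part is consistent.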
@@ -440,3 +436,27 @@ func TestPrivilegedBindMount(t *testing.T) {
 }
 }
 }
+
+func TestPidNamespace(t *testing.T) {
+ testID := "test-id"
+ testPid := uint32(1234)
+ config, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+ c := newTestCRIContainerdService()
+ t.Logf("should not set pid namespace when host pid is true")
+ config.Linux.SecurityContext.NamespaceOptions = &runtime.NamespaceOption{HostPid: true}
+ spec, err := c.generateContainerSpec(testID, testPid, config, sandboxConfig, imageConfig, nil)
+ assert.NoError(t, err)
+ specCheck(t, testID, testPid, spec)
+ for _, ns := range spec.Linux.Namespaces {
+ assert.NotEqual(t, ns.Type, runtimespec.PIDNamespace)
+ }
+
+ t.Logf("should set pid namespace when host pid is false")
+ config.Linux.SecurityContext.NamespaceOptions = &runtime.NamespaceOption{HostPid: false}
+ spec, err = c.generateContainerSpec(testID, testPid, config, sandboxConfig, imageConfig, nil)
+ assert.NoError(t, err)
+ specCheck(t, testID, testPid, spec)
+ assert.Contains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
+ Type: runtimespec.PIDNamespace,
+ })
+}
diff --git a/pkg/server/helpers.go b/pkg/server/helpers.go
index ccfc45e83..90810785e 100644
--- a/pkg/server/helpers.go
+++ b/pkg/server/helpers.go
@@ -82,8 +82,6 @@ const (
 ipcNSFormat = "/proc/%v/ns/ipc"
 // utsNSFormat is the format of uts namespace of a process.
 utsNSFormat = "/proc/%v/ns/uts"
- // pidNSFormat is the format of pid namespace of a process.
- pidNSFormat = "/proc/%v/ns/pid"
 // devShm is the default path of /dev/shm.
 devShm = "/dev/shm"
 // etcHosts is the default path of /etc/hosts file.
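Review bot: TestPidNamespace covers HostPid true and false but not a nil NamespaceOptions, which is what a pod that sets no namespace options produces and the path where setOCINamespaces' `namespaces.GetHostPid()` must tolerate a nil pointer; a third case pinning that the private PID namespace entry survives would guard that path. The `assert.NotEqual(t, ns.Type, runtimespec.PIDNamespace)` call in the loop passes the actual value first; `assert.NotEqual(t, runtimespec.PIDNamespace, ns.Type)` matches testify's (expected, actual) order and gives a correct failure message. The two `t.Logf` section labels would read better as `t.Run` subtests, but that is style only. The extra case below assumes the net/ipc/uts expectations inside specCheck do not depend on NamespaceOptions being set, which the hunk does not show.
```go
	// … unchanged: host pid true and false cases …
	t.Logf("should set pid namespace when namespace options are unset")
	config.Linux.SecurityContext.NamespaceOptions = nil
	spec, err = c.generateContainerSpec(testID, testPid, config, sandboxConfig, imageConfig, nil)
	assert.NoError(t, err)
	specCheck(t, testID, testPid, spec)
	assert.Contains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
		Type: runtimespec.PIDNamespace,
	})
```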
@@ -170,11 +168,6 @@ func getUTSNamespace(pid uint32) string {
 return fmt.Sprintf(utsNSFormat, pid)
 }
 
-// getPIDNamespace returns the pid namespace of a process.
-func getPIDNamespace(pid uint32) string {
- return fmt.Sprintf(pidNSFormat, pid)
-}
-
 // criContainerStateToString formats CRI container state to string.
 func criContainerStateToString(state runtime.ContainerState) string {
 return runtime.ContainerState_name[int32(state)]