Disable pid namespace sharing

Signed-off-by: Lantao Liu <lantaol@google.com>
2017-08-28 03:58:45 +00:00 · 2017-08-28 03:58:45 +00:00 · f46cd1a71a
commit f46cd1a71a
parent 8fd54d2f2d
3 changed files with 28 additions and 12 deletions
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@ -499,5 +499,8 @@ func setOCINamespaces(g *generate.Generator, namespaces *runtime.NamespaceOption
 	g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), getNetworkNamespace(sandboxPid)) // nolint: errcheck
 	g.AddOrReplaceLinuxNamespace(string(runtimespec.IPCNamespace), getIPCNamespace(sandboxPid))         // nolint: errcheck
 	g.AddOrReplaceLinuxNamespace(string(runtimespec.UTSNamespace), getUTSNamespace(sandboxPid))         // nolint: errcheck
-	g.AddOrReplaceLinuxNamespace(string(runtimespec.PIDNamespace), getPIDNamespace(sandboxPid))         // nolint: errcheck
+	// Do not share pid namespace for now.
 	if namespaces.GetHostPid() {
 		g.RemoveLinuxNamespace(string(runtimespec.PIDNamespace)) // nolint: errcheck
 	}
 }
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@ -166,10 +166,6 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 			Type: runtimespec.UTSNamespace,
 			Path: getUTSNamespace(sandboxPid),
 		})
 		assert.Contains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
 			Type: runtimespec.PIDNamespace,
 			Path: getPIDNamespace(sandboxPid),
 		})
 	}
 	return config, sandboxConfig, imageConfig, specCheck
 }
@ -440,3 +436,27 @@ func TestPrivilegedBindMount(t *testing.T) {
 		}
 	}
 }
 func TestPidNamespace(t *testing.T) {
 	testID := "test-id"
 	testPid := uint32(1234)
 	config, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
 	c := newTestCRIContainerdService()
 	t.Logf("should not set pid namespace when host pid is true")
 	config.Linux.SecurityContext.NamespaceOptions = &runtime.NamespaceOption{HostPid: true}
 	spec, err := c.generateContainerSpec(testID, testPid, config, sandboxConfig, imageConfig, nil)
 	assert.NoError(t, err)
 	specCheck(t, testID, testPid, spec)
 	for _, ns := range spec.Linux.Namespaces {
 		assert.NotEqual(t, ns.Type, runtimespec.PIDNamespace)
 	}
 	t.Logf("should set pid namespace when host pid is false")
 	config.Linux.SecurityContext.NamespaceOptions = &runtime.NamespaceOption{HostPid: false}
 	spec, err = c.generateContainerSpec(testID, testPid, config, sandboxConfig, imageConfig, nil)
 	assert.NoError(t, err)
 	specCheck(t, testID, testPid, spec)
 	assert.Contains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
 		Type: runtimespec.PIDNamespace,
 	})
 }
--- a/pkg/server/helpers.go
+++ b/pkg/server/helpers.go
@ -82,8 +82,6 @@ const (
 	ipcNSFormat = "/proc/%v/ns/ipc"
 	// utsNSFormat is the format of uts namespace of a process.
 	utsNSFormat = "/proc/%v/ns/uts"
 	// pidNSFormat is the format of pid namespace of a process.
 	pidNSFormat = "/proc/%v/ns/pid"
 	// devShm is the default path of /dev/shm.
 	devShm = "/dev/shm"
 	// etcHosts is the default path of /etc/hosts file.
@ -170,11 +168,6 @@ func getUTSNamespace(pid uint32) string {
 	return fmt.Sprintf(utsNSFormat, pid)
 }
 // getPIDNamespace returns the pid namespace of a process.
 func getPIDNamespace(pid uint32) string {
 	return fmt.Sprintf(pidNSFormat, pid)
 }
 // criContainerStateToString formats CRI container state to string.
 func criContainerStateToString(state runtime.ContainerState) string {
 	return runtime.ContainerState_name[int32(state)]