Disable pid namespace sharing

Signed-off-by: Lantao Liu <lantaol@google.com>

pkg/server/container_create.go

@@ -499,5 +499,8 @@ func setOCINamespaces(g *generate.Generator, namespaces *runtime.NamespaceOption
 	g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), getNetworkNamespace(sandboxPid)) // nolint: errcheck
 	g.AddOrReplaceLinuxNamespace(string(runtimespec.IPCNamespace), getIPCNamespace(sandboxPid))         // nolint: errcheck
 	g.AddOrReplaceLinuxNamespace(string(runtimespec.UTSNamespace), getUTSNamespace(sandboxPid))         // nolint: errcheck
-	g.AddOrReplaceLinuxNamespace(string(runtimespec.PIDNamespace), getPIDNamespace(sandboxPid))         // nolint: errcheck
+	// Do not share pid namespace for now.
+	if namespaces.GetHostPid() {
+		g.RemoveLinuxNamespace(string(runtimespec.PIDNamespace)) // nolint: errcheck
+	}
 }

pkg/server/container_create_test.go

@@ -166,10 +166,6 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 			Type: runtimespec.UTSNamespace,
 			Path: getUTSNamespace(sandboxPid),
 		})
-		assert.Contains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
-			Type: runtimespec.PIDNamespace,
-			Path: getPIDNamespace(sandboxPid),
-		})
 	}
 	return config, sandboxConfig, imageConfig, specCheck
 }
@@ -440,3 +436,27 @@ func TestPrivilegedBindMount(t *testing.T) {
 		}
 	}
 }
+
+func TestPidNamespace(t *testing.T) {
+	testID := "test-id"
+	testPid := uint32(1234)
+	config, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+	c := newTestCRIContainerdService()
+	t.Logf("should not set pid namespace when host pid is true")
+	config.Linux.SecurityContext.NamespaceOptions = &runtime.NamespaceOption{HostPid: true}
+	spec, err := c.generateContainerSpec(testID, testPid, config, sandboxConfig, imageConfig, nil)
+	assert.NoError(t, err)
+	specCheck(t, testID, testPid, spec)
+	for _, ns := range spec.Linux.Namespaces {
+		assert.NotEqual(t, ns.Type, runtimespec.PIDNamespace)
+	}
+
+	t.Logf("should set pid namespace when host pid is false")
+	config.Linux.SecurityContext.NamespaceOptions = &runtime.NamespaceOption{HostPid: false}
+	spec, err = c.generateContainerSpec(testID, testPid, config, sandboxConfig, imageConfig, nil)
+	assert.NoError(t, err)
+	specCheck(t, testID, testPid, spec)
+	assert.Contains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
+		Type: runtimespec.PIDNamespace,
+	})
+}

pkg/server/helpers.go

@@ -82,8 +82,6 @@ const (
 	ipcNSFormat = "/proc/%v/ns/ipc"
 	// utsNSFormat is the format of uts namespace of a process.
 	utsNSFormat = "/proc/%v/ns/uts"
-	// pidNSFormat is the format of pid namespace of a process.
-	pidNSFormat = "/proc/%v/ns/pid"
 	// devShm is the default path of /dev/shm.
 	devShm = "/dev/shm"
 	// etcHosts is the default path of /etc/hosts file.
@@ -170,11 +168,6 @@ func getUTSNamespace(pid uint32) string {
 	return fmt.Sprintf(utsNSFormat, pid)
 }
 
-// getPIDNamespace returns the pid namespace of a process.
-func getPIDNamespace(pid uint32) string {
-	return fmt.Sprintf(pidNSFormat, pid)
-}
-
 // criContainerStateToString formats CRI container state to string.
 func criContainerStateToString(state runtime.ContainerState) string {
 	return runtime.ContainerState_name[int32(state)]