From fb9ce5d4824aac27e4c807a19b1801a64cfcbc7d Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Fri, 7 Jul 2023 17:28:04 +0200
Subject: [PATCH] cri/sbserver: Support pods with user namespaces

This patch requests the OCI runtime to create a userns when the CRI message includes such request. This is an adaptation of a7adeb6976 ("cri: Support pods with user namespaces") to sbserver, although the container_create.go parts were already ported as part of 40be96efa9 ("Have separate spec builder for each platform"),

Signed-off-by: Rodrigo Campos
---
 .../sbserver/podsandbox/sandbox_run_linux.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go b/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
index 2e7712a13..65c33c061 100644
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
@@ -92,6 +92,25 @@ func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 specOpts = append(specOpts, customopts.WithoutNamespace(runtimespec.IPCNamespace))
 }
 
+ usernsOpts := nsOptions.GetUsernsOptions()
+ uids, gids, err := parseUsernsIDs(usernsOpts)
+ var usernsEnabled bool
+ if err != nil {
+ return nil, fmt.Errorf("user namespace configuration: %w", err)
+ }
+
+ if usernsOpts != nil {
+ switch mode := usernsOpts.GetMode(); mode {
+ case runtime.NamespaceMode_NODE:
+ specOpts = append(specOpts, customopts.WithoutNamespace(runtimespec.UserNamespace))
+ case runtime.NamespaceMode_POD:
+ specOpts = append(specOpts, oci.WithUserNamespace(uids, gids))
+ usernsEnabled = true
+ default:
+ return nil, fmt.Errorf("unsupported user namespace mode: %q", mode)
+ }
+ }
+
 // It's fine to generate the spec before the sandbox
 // is actually created.
 sandboxDevShm := c.getSandboxDevShm(id)
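Review bot: `var usernsEnabled bool` is declared between the `parseUsernsIDs(usernsOpts)` call and the `if err != nil` that guards it, which splits the call from its error check; moving the declaration below that block (or above the call) keeps the pair together and matches how the rest of the function handles errors. Within this hunk the flag is only written, in the `NamespaceMode_POD` branch, so its read must come later in `sandboxContainerSpec`, whose body starts before and continues after the hunk; a comment such as `// usernsEnabled is consumed further down when the remaining spec options are assembled.` would tell a reader why it is introduced this early. The call also runs before the `usernsOpts != nil` guard, so it depends on `parseUsernsIDs` tolerating a nil options message; if that is intended, a one-line comment on the call (`// parseUsernsIDs handles a nil usernsOpts.`) would make the ordering deliberate rather than something a later refactor might "fix" by reordering.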