From 04422f5ec1c5b8c962cc37955055599937867c5e Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Sat, 12 Aug 2023 21:37:41 +0200
Subject: [PATCH] daemon: WithNamespaces(): add notes about user-namespaces

While working on this code, I noticed that there's currently an issue with userns enabled. When userns is enabled, joining another container's namespace must also join its user-namespace. However, a container can only be in a single user namespace, so if a container joins namespaces from multiple containers, latter user-namespaces overwrite former ones. We must add validation for this, but in the meantime, add notes / todo's.

Signed-off-by: Sebastiaan van Stijn
---
 daemon/oci_linux.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 3f48bda80d..fc19ca04e0 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -268,6 +268,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
 })
 if userNS {
 // to share a net namespace, the containers must also share a user namespace.
+ //
+ // FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
 setNamespace(s, specs.LinuxNamespace{
 Type: specs.UserNamespace,
 Path: fmt.Sprintf("/proc/%d/ns/user", nc.State.GetPID()),
@@ -302,6 +304,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
 })
 if userNS {
 // to share a IPC namespace, the containers must also share a user namespace.
+ //
+ // FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
 setNamespace(s, specs.LinuxNamespace{
 Type: specs.UserNamespace,
 Path: fmt.Sprintf("/proc/%d/ns/user", ic.State.GetPID()),
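Review bot: Nothing in this hunk (nor in the identical IPC and PID hunks that follow) makes the user-namespace overwrite the new FIXME describes observable at runtime, so a container that joins namespaces from several containers still ends up silently in whichever user namespace was set last. Going by the hunk line numbers the net join runs first, then IPC, then PID, so the PID-container's user namespace appears to win when more than one is set, and the resulting container may then sit in a user namespace that does not match the net or IPC namespace it joined — this is the isolation property the comment is warning about, and it deserves more than a comment until the validation the commit message defers is implemented. A cheap interim step would be for `setNamespace` (outside this hunk) to check whether a `specs.UserNamespace` entry with a different `Path` is already present and log a warning naming both paths, so the mismatch surfaces in daemon logs. The three FIXME comments are verbatim copies; a single note on `setNamespace`, or a small helper used by all three user-namespace joins, would keep them from drifting apart. `WithNamespaces` begins and ends outside the hunk.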
@@ -336,6 +340,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
 })
 if userNS {
 // to share a PID namespace, the containers must also share a user namespace.
+ //
+ // FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
 setNamespace(s, specs.LinuxNamespace{
 Type: specs.UserNamespace,
 Path: fmt.Sprintf("/proc/%d/ns/user", pc.State.GetPID()),