daemon: WithNamespaces(): add notes about user-namespaces

While working on this code, I noticed that there's currently an issue
with userns enabled. When userns is enabled, joining another container's
namespace must also join its user-namespace.

However, a container can only be in a single user namespace, so if a
container joins namespaces from multiple containers, latter user-namespaces
overwrite former ones.

We must add validation for this, but in the meantime, add notes / todo's.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 2023-08-12 21:37:41 +02:00
parent dd26e6b15e
commit 04422f5ec1
GPG key ID: 76698F39D527CE8C

@ -268,6 +268,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
}) })
if userNS { if userNS {
// to share a net namespace, the containers must also share a user namespace. // to share a net namespace, the containers must also share a user namespace.
//
// FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
setNamespace(s, specs.LinuxNamespace{ setNamespace(s, specs.LinuxNamespace{
Type: specs.UserNamespace, Type: specs.UserNamespace,
Path: fmt.Sprintf("/proc/%d/ns/user", nc.State.GetPID()), Path: fmt.Sprintf("/proc/%d/ns/user", nc.State.GetPID()),
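Review bot: the FIXME in this hunk records the silent overwrite but leaves the behaviour in place; the cheapest fix is to make `setNamespace` (or a small wrapper around it) refuse to replace an existing `specs.UserNamespace` entry whose `Path` differs from the one being set, returning an error instead of overwriting, so that joining the net namespace of `nc` cannot silently move the container out of a user namespace it already joined. Since the same pattern appears for net, IPC and PID, one check inside `setNamespace` covers all three call sites and lets the three FIXME comments collapse into one.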
@ -302,6 +304,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
}) })
if userNS { if userNS {
// to share a IPC namespace, the containers must also share a user namespace. // to share a IPC namespace, the containers must also share a user namespace.
//
// FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
setNamespace(s, specs.LinuxNamespace{ setNamespace(s, specs.LinuxNamespace{
Type: specs.UserNamespace, Type: specs.UserNamespace,
Path: fmt.Sprintf("/proc/%d/ns/user", ic.State.GetPID()), Path: fmt.Sprintf("/proc/%d/ns/user", ic.State.GetPID()),
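Review bot: same concern as the net-namespace hunk, with the added point that the order in which the net, IPC and PID blocks run decides which container's `/proc/<pid>/ns/user` survives, so a user reading the resulting spec has no way to tell which of `nc` and `ic` "won"; if validation is added, it should compare the `Path` values at this point rather than the container IDs, because two different containers may legitimately share one user namespace. Minor wording in the pre-existing comment: "share a IPC namespace" should read "share an IPC namespace".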
@ -336,6 +340,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
}) })
if userNS { if userNS {
// to share a PID namespace, the containers must also share a user namespace. // to share a PID namespace, the containers must also share a user namespace.
//
// FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
setNamespace(s, specs.LinuxNamespace{ setNamespace(s, specs.LinuxNamespace{
Type: specs.UserNamespace, Type: specs.UserNamespace,
Path: fmt.Sprintf("/proc/%d/ns/user", pc.State.GetPID()), Path: fmt.Sprintf("/proc/%d/ns/user", pc.State.GetPID()),
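Review bot: this is the last of the three identical FIXME blocks; rather than repeating the note a third time, consider resolving the user namespace once, before any `setNamespace` call, by collecting the user-namespace paths of `nc`, `ic` and `pc` and erroring out at container-create time when more than one distinct path is found, which surfaces the conflict to the user instead of leaving it to the order of these blocks. Until that validation lands, the FIXME text is accurate and the issue link gives reviewers the context they need.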