daemon: WithNamespaces(): add notes about user-namespaces
While working on this code, I noticed that there's currently an issue with userns enabled. When userns is enabled, joining another container's namespace must also join its user-namespace. However, a container can only be in a single user namespace, so if a container joins namespaces from multiple containers, latter user-namespaces overwrite former ones. We must add validation for this, but in the meantime, add notes / TODOs.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
parent: dd26e6b15e
commit: 04422f5ec1
1 changed file with 6 additions and 0 deletions
@ -268,6 +268,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
||||||
})
|
})
|
||||||
if userNS {
|
if userNS {
|
||||||
// to share a net namespace, the containers must also share a user namespace.
|
// to share a net namespace, the containers must also share a user namespace.
|
||||||
|
//
|
||||||
|
// FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
|
||||||
setNamespace(s, specs.LinuxNamespace{
|
setNamespace(s, specs.LinuxNamespace{
|
||||||
Type: specs.UserNamespace,
|
Type: specs.UserNamespace,
|
||||||
Path: fmt.Sprintf("/proc/%d/ns/user", nc.State.GetPID()),
|
Path: fmt.Sprintf("/proc/%d/ns/user", nc.State.GetPID()),
|
||||||
|
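Review bot: the FIXME added inside `if userNS {` records the problem but leaves the behaviour in place: the `setNamespace(s, specs.LinuxNamespace{ Type: specs.UserNamespace, ... })` call for the network container's user namespace is still unconditional, so when the same container also joins IPC or PID namespaces from a different container the later block replaces it, and the container ends up sharing a net namespace with a container whose user namespace (and therefore its UID/GID mapping) it does not share. Since the commit message already names the missing validation, consider making this first block the place where the user-namespace path is recorded and having any later attempt to set a different path fail the spec option with an error, instead of only pointing at https://github.com/moby/moby/issues/46210 in a comment.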
@ -302,6 +304,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
||||||
})
|
})
|
||||||
if userNS {
|
if userNS {
|
||||||
// to share a IPC namespace, the containers must also share a user namespace.
|
// to share a IPC namespace, the containers must also share a user namespace.
|
||||||
|
//
|
||||||
|
// FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
|
||||||
setNamespace(s, specs.LinuxNamespace{
|
setNamespace(s, specs.LinuxNamespace{
|
||||||
Type: specs.UserNamespace,
|
Type: specs.UserNamespace,
|
||||||
Path: fmt.Sprintf("/proc/%d/ns/user", ic.State.GetPID()),
|
Path: fmt.Sprintf("/proc/%d/ns/user", ic.State.GetPID()),
|
||||||
|
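Review bot: this is the second copy of the identical FIXME and `setNamespace(...)` user-namespace block; a small helper that sets `specs.UserNamespace` once and rejects a conflicting path would remove the duplication and give the eventual fix for issue 46210 a single landing spot rather than three. While touching this block, the existing context comment reads "to share a IPC namespace"; it should be "an IPC namespace".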
@ -336,6 +340,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
||||||
})
|
})
|
||||||
if userNS {
|
if userNS {
|
||||||
// to share a PID namespace, the containers must also share a user namespace.
|
// to share a PID namespace, the containers must also share a user namespace.
|
||||||
|
//
|
||||||
|
// FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
|
||||||
setNamespace(s, specs.LinuxNamespace{
|
setNamespace(s, specs.LinuxNamespace{
|
||||||
Type: specs.UserNamespace,
|
Type: specs.UserNamespace,
|
||||||
Path: fmt.Sprintf("/proc/%d/ns/user", pc.State.GetPID()),
|
Path: fmt.Sprintf("/proc/%d/ns/user", pc.State.GetPID()),
|
||||||
|
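Review bot: because this PID block runs last, the PID container's user namespace (`pc.State.GetPID()`) is the one that survives whenever a container joins namespaces from several containers; the FIXME should state that ordering explicitly so readers of the spec know which user namespace is actually applied today, and the PR would benefit from a test that enables userns, joins the net namespace of one container and the PID namespace of another, and asserts that the resulting spec contains exactly one `specs.UserNamespace` entry (or an error, once the validation lands).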