
api/types/container: PidMode: fix validation for empty container name/ID

Commit e7d75c8db7da8be0ae45a1abba5652658c536a2a fixed validation of "host"
mode values, but also introduced a regression for validating "container:"
mode PID-modes.

PID-mode implemented a stricter validation than the other options and, unlike
the other options, did not accept an empty container name/ID. This feature was
originally implemented in fb43ef649bc6aa11ca19c0e046518e85e1c7e2fa, which added
some integration tests (but no coverage for this case), and the related changes
in the API types did not have unit-tests.

While a later change (d4aec5f0a680b6b01bb720830451a93c6ec398e6) added a test
for the `--pid=container:` (empty name) case, that test was later migrated to
the CLI repository, as it covered parsing the flag (and validating the result).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 2 年之前
父节点
当前提交
6f0e28d024
共有 2 个文件被更改,包括 11 次插入2 次删除
  1. 10 1
      api/types/container/hostconfig.go
  2. 1 1
      api/types/container/hostconfig_unix_test.go

+ 10 - 1
api/types/container/hostconfig.go

@@ -116,6 +116,7 @@ func (n IpcMode) IsEmpty() bool {
 
 // Valid indicates whether the ipc mode is valid.
 func (n IpcMode) Valid() bool {
+	// TODO(thaJeztah): align with PidMode, and consider container-mode without a container name/ID to be invalid.
 	return n.IsEmpty() || n.IsNone() || n.IsPrivate() || n.IsHost() || n.IsShareable() || n.IsContainer()
 }
 
@@ -194,6 +195,7 @@ func (c CgroupSpec) IsContainer() bool {
 
 // Valid indicates whether the cgroup spec is valid.
 func (c CgroupSpec) Valid() bool {
+	// TODO(thaJeztah): align with PidMode, and consider container-mode without a container name/ID to be invalid.
 	return c == "" || c.IsContainer()
 }
 
@@ -242,7 +244,7 @@ func (n PidMode) IsContainer() bool {
 
 // Valid indicates whether the pid namespace is valid.
 func (n PidMode) Valid() bool {
-	return n == "" || n.IsHost() || n.IsContainer()
+	return n == "" || n.IsHost() || validContainer(string(n))
 }
 
 // Container returns the name of the container whose pid namespace is going to be used.
@@ -446,3 +448,10 @@ func containerID(val string) (idOrName string, ok bool) {
 	}
 	return v, true
 }
+
+// validContainer checks if the given value is a "container:" mode with
+// a non-empty name/ID.
+func validContainer(val string) bool {
+	id, ok := containerID(val)
+	return ok && id != ""
+}
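Review bot: The doc comment on `PidMode.Valid` does not say that it is now stricter than `IsContainer`. With this change `container:` with an empty name/ID is rejected by `Valid()` but, per the updated test table (`container: true, ctrName: ""`), is still reported as a container mode, so a caller that gates only on `IsContainer()` and then calls `Container()` still gets an empty name. I would extend the comment to `// Valid indicates whether the pid namespace is valid. A "container:" mode with an empty name/ID is not valid, even though IsContainer reports true for it.` The two TODOs leave `IpcMode.Valid` and `CgroupSpec.Valid` accepting the empty form, so code that joins another container's namespace presumably cannot rely on `Valid()` alone for those types until they are aligned. The bodies of `IsContainer` and `containerID` are outside the hunks, so this is inferred from the test expectations.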

+ 1 - 1
api/types/container/hostconfig_unix_test.go

@@ -199,7 +199,7 @@ func TestPidMode(t *testing.T) {
 		"host:":                 {valid: false, private: true},
 		"host:name":             {valid: false, private: true},
 		"container":             {valid: false, private: true},
-		"container:":            {valid: true, private: false, container: true, ctrName: ""},
+		"container:":            {valid: false, private: false, container: true, ctrName: ""},
 		"container:name":        {valid: true, private: false, container: true, ctrName: "name"},
 		"container:name1:name2": {valid: true, private: false, container: true, ctrName: "name1:name2"},
 	}
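Review bot: The table pins the empty `container:` case but, in the visible entries, has no case for a whitespace-only name such as `"container: "`. Since `validContainer` only compares the ID against `""`, that value would presumably still be reported as valid. If that is intended because the name is resolved and rejected later, an entry like `"container: ": {valid: true, private: false, container: true, ctrName: " "},` would document it; if not, the entry should expect `valid: false` and the helper needs to reject it. `TestPidMode` starts outside this hunk, so the case may already exist earlier in the table.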