Merge pull request #46786 from rumpl/c8d-userns-namespace

c8d: Use a specific containerd namespace when userns are remapped

cmd/dockerd/daemon.go

@@ -622,6 +622,10 @@ func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {
 		conf.CDISpecDirs = nil
 	}
 
+	if err := loadCLIPlatformConfig(conf); err != nil {
+		return nil, err
+	}
+
 	return conf, nil
 }
 

cmd/dockerd/daemon_linux.go

@@ -3,11 +3,28 @@ package main
 import (
 	cdcgroups "github.com/containerd/cgroups/v3"
 	systemdDaemon "github.com/coreos/go-systemd/v22/daemon"
+	"github.com/docker/docker/daemon"
 	"github.com/docker/docker/daemon/config"
 	"github.com/docker/docker/pkg/sysinfo"
 	"github.com/pkg/errors"
 )
 
+// loadCLIPlatformConfig loads the platform specific CLI configuration
+func loadCLIPlatformConfig(conf *config.Config) error {
+	if conf.RemappedRoot == "" {
+		return nil
+	}
+
+	containerdNamespace, containerdPluginNamespace, err := daemon.RemapContainerdNamespaces(conf)
+	if err != nil {
+		return err
+	}
+	conf.ContainerdNamespace = containerdNamespace
+	conf.ContainerdPluginNamespace = containerdPluginNamespace
+
+	return nil
+}
+
 // preNotifyReady sends a message to the host when the API is active, but before the daemon is
 func preNotifyReady() {
 }

cmd/dockerd/daemon_windows.go

@@ -16,6 +16,12 @@ func getDefaultDaemonConfigFile() (string, error) {
 	return "", nil
 }
 
+// loadCLIPlatformConfig loads the platform specific CLI configuration
+// there is none on windows, so this is a no-op
+func loadCLIPlatformConfig(conf *config.Config) error {
+	return nil
+}
+
 // setDefaultUmask doesn't do anything on windows
 func setDefaultUmask() error {
 	return nil

daemon/daemon.go

@@ -1520,6 +1520,34 @@ func CreateDaemonRoot(config *config.Config) error {
 	return setupDaemonRoot(config, realRoot, idMapping.RootPair())
 }
 
+// RemapContainerdNamespaces returns the right containerd namespaces to use:
+// - if they are not already set in the config file
+// -  and the daemon is running with user namespace remapping enabled
+// Then it will return new namespace names, otherwise it will return the existing
+// namespaces
+func RemapContainerdNamespaces(config *config.Config) (ns string, pluginNs string, err error) {
+	idMapping, err := setupRemappedRoot(config)
+	if err != nil {
+		return "", "", err
+	}
+	if idMapping.Empty() {
+		return config.ContainerdNamespace, config.ContainerdPluginNamespace, nil
+	}
+	root := idMapping.RootPair()
+
+	ns = config.ContainerdNamespace
+	if _, ok := config.ValuesSet["containerd-namespace"]; !ok {
+		ns = fmt.Sprintf("%s-%d.%d", config.ContainerdNamespace, root.UID, root.GID)
+	}
+
+	pluginNs = config.ContainerdPluginNamespace
+	if _, ok := config.ValuesSet["containerd-plugin-namespace"]; !ok {
+		pluginNs = fmt.Sprintf("%s-%d.%d", config.ContainerdPluginNamespace, root.UID, root.GID)
+	}
+
+	return
+}
+
 // checkpointAndSave grabs a container lock to safely call container.CheckpointTo
 func (daemon *Daemon) checkpointAndSave(container *container.Container) error {
 	container.Lock()