runtime-rs: set share sandbox pid namespace

Set the share sandbox pid namepsace from spec Fixes:#4680 Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
2025-04-28 19:54:35 +00:00 · 2022-07-18 17:31:01 +08:00 · 2022-07-18 17:31:01 +08:00 · 1ef3f8eac6
commit 1ef3f8eac6
parent 3f4dd92c2d
1 changed files with 25 additions and 5 deletions
--- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
@ -80,8 +80,8 @@ impl Container {
        let mut inner = self.inner.write().await;
        let toml_config = self.resource_manager.config().await;
        let config = &self.config;
-        amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp).context("load spec")?;
-
+        let sandbox_pidns = amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp)
+            .context("load spec")?;
        // handler rootfs
        let rootfs = self
            .resource_manager
@ -143,7 +143,7 @@ impl Container {
            storages,
            oci: Some(spec),
            guest_hooks: None,
-            sandbox_pidns: false,
+            sandbox_pidns,
            rootfs_mounts: vec![],
        };

@ -373,7 +373,7 @@ impl Container {
    }
 }

-fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
+fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<bool> {
    // hook should be done on host
    spec.hooks = None;

@ -390,6 +390,8 @@ fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
            resource.network = None;
        }

+        // Host pidns path does not make sense in kata. Let's just align it with
+        // sandbox namespace whenever it is set.
        let mut ns: Vec<oci::LinuxNamespace> = Vec::new();
        for n in linux.namespaces.iter() {
            match n.r#type.as_str() {
@ -399,9 +401,27 @@ fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
        }

        linux.namespaces = ns;
+
+        return Ok(handle_pid_namespace(&linux.namespaces));
    }

-    Ok(())
+    Ok(false)
+}
+
+// handle_pid_namespace checks if Pid namespace for a container needs to be shared with its sandbox
+// pid namespace.
+fn handle_pid_namespace(namespaces: &[oci::LinuxNamespace]) -> bool {
+    for n in namespaces.iter() {
+        match n.r#type.as_str() {
+            oci::PIDNAMESPACE => {
+                if !n.path.is_empty() {
+                    return true;
+                }
+            }
+            _ => continue,
+        }
+    }
+    false
 }

 #[cfg(test)]