github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-04-29 20:24:31 +00:00
Code Issues Projects Releases Wiki Activity

runtime-rs: set share sandbox pid namespace

Browse Source 
Set the share sandbox pid namepsace from spec

Fixes:#4680
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
This commit is contained in:
Zhongtao Hu 2022-07-18 17:31:01 +08:00
parent 3f4dd92c2d
commit 1ef3f8eac6
1 changed files with 25 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
View File

@ -80,8 +80,8 @@ impl Container {
let mut inner = self.inner.write().await; let mut inner = self.inner.write().await;
let toml_config = self.resource_manager.config().await; let toml_config = self.resource_manager.config().await;
let config = &self.config; let config = &self.config;
amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp).context("load spec")?; let sandbox_pidns = amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp)
.context("load spec")?;
// handler rootfs // handler rootfs
let rootfs = self let rootfs = self
.resource_manager .resource_manager
@ -143,7 +143,7 @@ impl Container {
storages, storages,
oci: Some(spec), oci: Some(spec),
guest_hooks: None, guest_hooks: None,
sandbox_pidns: false, sandbox_pidns,
rootfs_mounts: vec![], rootfs_mounts: vec![],
}; };
@ -373,7 +373,7 @@ impl Container {
} }
} }
fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> { fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<bool> {
// hook should be done on host // hook should be done on host
spec.hooks = None; spec.hooks = None;
@ -390,6 +390,8 @@ fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
resource.network = None; resource.network = None;
} }
// Host pidns path does not make sense in kata. Let's just align it with
// sandbox namespace whenever it is set.
let mut ns: Vec<oci::LinuxNamespace> = Vec::new(); let mut ns: Vec<oci::LinuxNamespace> = Vec::new();
for n in linux.namespaces.iter() { for n in linux.namespaces.iter() {
match n.r#type.as_str() { match n.r#type.as_str() {
@ -399,9 +401,27 @@ fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
} }
linux.namespaces = ns; linux.namespaces = ns;
return Ok(handle_pid_namespace(&linux.namespaces));
} }
Ok(()) Ok(false)
}
// handle_pid_namespace checks if Pid namespace for a container needs to be shared with its sandbox
// pid namespace.
fn handle_pid_namespace(namespaces: &[oci::LinuxNamespace]) -> bool {
for n in namespaces.iter() {
match n.r#type.as_str() {
oci::PIDNAMESPACE => {
if !n.path.is_empty() {
return true;
}
}
_ => continue,
}
}
false
} }
#[cfg(test)] #[cfg(test)]