Merge pull request #4681 from Tim-0731-Hzt/runtime-rs-sharepid

runtime-rs: fix set share sandbox pid namespace
Bin Liu
2022-07-27 21:43:58 +08:00
committed by GitHub


@@ -80,8 +80,8 @@ impl Container {
let mut inner = self.inner.write().await; let mut inner = self.inner.write().await;
let toml_config = self.resource_manager.config().await; let toml_config = self.resource_manager.config().await;
let config = &self.config; let config = &self.config;
amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp).context("load spec")?; let sandbox_pidns = amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp)
.context("load spec")?;
// handler rootfs // handler rootfs
let rootfs = self let rootfs = self
.resource_manager .resource_manager
@@ -143,7 +143,7 @@ impl Container {
storages, storages,
oci: Some(spec), oci: Some(spec),
guest_hooks: None, guest_hooks: None,
sandbox_pidns: false, sandbox_pidns,
rootfs_mounts: vec![], rootfs_mounts: vec![],
}; };
@@ -373,7 +373,7 @@ impl Container {
} }
} }
fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> { fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<bool> {
// hook should be done on host // hook should be done on host
spec.hooks = None; spec.hooks = None;
@@ -390,6 +390,8 @@ fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
resource.network = None; resource.network = None;
} }
// Host pidns path does not make sense in kata. Let's just align it with
// sandbox namespace whenever it is set.
let mut ns: Vec<oci::LinuxNamespace> = Vec::new(); let mut ns: Vec<oci::LinuxNamespace> = Vec::new();
for n in linux.namespaces.iter() { for n in linux.namespaces.iter() {
match n.r#type.as_str() { match n.r#type.as_str() {
@@ -399,15 +401,33 @@ fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
} }
linux.namespaces = ns; linux.namespaces = ns;
return Ok(handle_pid_namespace(&linux.namespaces));
} }
Ok(()) Ok(false)
}
// handle_pid_namespace checks if Pid namespace for a container needs to be shared with its sandbox
// pid namespace.
fn handle_pid_namespace(namespaces: &[oci::LinuxNamespace]) -> bool {
for n in namespaces.iter() {
match n.r#type.as_str() {
oci::PIDNAMESPACE => {
if !n.path.is_empty() {
return true;
}
}
_ => continue,
}
}
false
} }
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::amend_spec; use super::amend_spec;
use crate::container_manager::container::handle_pid_namespace;
#[test] #[test]
fn test_amend_spec_disable_guest_seccomp() { fn test_amend_spec_disable_guest_seccomp() {
let mut spec = oci::Spec { let mut spec = oci::Spec {
@@ -428,4 +448,38 @@ mod tests {
amend_spec(&mut spec, true).unwrap(); amend_spec(&mut spec, true).unwrap();
assert!(spec.linux.as_ref().unwrap().seccomp.is_none()); assert!(spec.linux.as_ref().unwrap().seccomp.is_none());
} }
#[test]
fn test_handle_pid_namespace() {
let namespaces = vec![
oci::LinuxNamespace {
r#type: "pid".to_string(),
path: "".to_string(),
},
oci::LinuxNamespace {
r#type: "network".to_string(),
path: "".to_string(),
},
oci::LinuxNamespace {
r#type: "ipc".to_string(),
path: "".to_string(),
},
oci::LinuxNamespace {
r#type: "uts".to_string(),
path: "".to_string(),
},
oci::LinuxNamespace {
r#type: "mount".to_string(),
path: "".to_string(),
},
oci::LinuxNamespace {
r#type: "user".to_string(),
path: "".to_string(),
},
oci::LinuxNamespace {
r#type: "cgroup".to_string(),
path: "".to_string(),
},
];
assert!(!handle_pid_namespace(&namespaces));
}
} }
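Review bot: `test_handle_pid_namespace` only covers the negative case, so the `return true` branch of `handle_pid_namespace` (the non-empty `path` check on the pid entry) is never exercised; add a second list whose pid entry carries a constructed path, e.g. `path: "/proc/self/ns/pid".to_string(),` (placeholder value), and `assert!(handle_pid_namespace(&namespaces));`. The helper's doc comment should also say that the path value itself is neither validated nor resolved — its mere presence is what switches the container to the sandbox pid namespace, which is the behaviour the "Host pidns path does not make sense in kata" comment relies on. As a point of style, the loop-and-match body reduces to `namespaces.iter().any(|n| n.r#type == oci::PIDNAMESPACE && !n.path.is_empty())`, which removes the `_ => continue` arm. Note that `amend_spec` now has an early `return Ok(handle_pid_namespace(&linux.namespaces))` inside the `if let` block while the fall-through path returns `Ok(false)`; the enclosing `if let` starts outside the hunk, so I assume but cannot confirm that `ns` has already been filtered before this call.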