diff --git a/pkg/api/validation/validation_test.go b/pkg/api/validation/validation_test.go
index 81c0fd6722f..773c2decd9f 100644
--- a/pkg/api/validation/validation_test.go
+++ b/pkg/api/validation/validation_test.go
@@ -1259,6 +1259,20 @@ func TestValidatePodSpec(t *testing.T) {
 RestartPolicy: api.RestartPolicyAlways,
 DNSPolicy: api.DNSClusterFirst,
 },
+ { // Populate HostIPC.
+ HostIPC: true,
+ Volumes: []api.Volume{{Name: "vol", VolumeSource: api.VolumeSource{EmptyDir: &api.EmptyDirVolumeSource{}}}},
+ Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}},
+ RestartPolicy: api.RestartPolicyAlways,
+ DNSPolicy: api.DNSClusterFirst,
+ },
+ { // Populate HostPID.
+ HostPID: true,
+ Volumes: []api.Volume{{Name: "vol", VolumeSource: api.VolumeSource{EmptyDir: &api.EmptyDirVolumeSource{}}}},
+ Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}},
+ RestartPolicy: api.RestartPolicyAlways,
+ DNSPolicy: api.DNSClusterFirst,
+ },
 }
 for i := range successCases {
 if errs := ValidatePodSpec(&successCases[i]); len(errs) != 0 {
@@ -1306,7 +1320,6 @@ func TestValidatePodSpec(t *testing.T) {
 },
 },
 HostNetwork: true,
- HostIPC: true,
 RestartPolicy: api.RestartPolicyAlways,
 DNSPolicy: api.DNSClusterFirst,
 },
diff --git a/pkg/kubelet/dockertools/manager.go b/pkg/kubelet/dockertools/manager.go
index 8ff27b115fe..8395e8a7928 100644
--- a/pkg/kubelet/dockertools/manager.go
+++ b/pkg/kubelet/dockertools/manager.go
@@ -1557,7 +1557,7 @@ func (dm *DockerManager) createPodInfraContainer(pod *api.Pod) (kubeletTypes.Doc
 return "", err
 }
- id, err := dm.runContainerInPod(pod, container, netNamespace, getIPCMode(pod, ""), getPidMode(pod))
+ id, err := dm.runContainerInPod(pod, container, netNamespace, getIPCMode(pod), getPidMode(pod))
 if err != nil {
 return "", err
 }
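Review bot: The two success cases added to TestValidatePodSpec in pkg/api/validation/validation_test.go (first hunk) carry comments that only restate the field name, while what they pin down is security-relevant: as far as these cases show, ValidatePodSpec accepts a pod that shares the node's IPC or PID namespace with no further condition. I would say so in the comment, for example `// HostIPC: the pod shares the node's IPC namespace; spec validation accepts this, so any restriction has to come from a check outside ValidatePodSpec.`, with the same wording for HostPID. No visible case sets both fields together or combines them with HostNetwork, so that combination is presumably untested here. TestValidatePodSpec starts and ends outside the hunk.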
@@ -1812,8 +1812,12 @@ func (dm *DockerManager) SyncPod(pod *api.Pod, runningPod kubecontainer.Pod, pod
 }
 // TODO(dawnchen): Check RestartPolicy.DelaySeconds before restart a container
+ // Note: when configuring the pod's containers anything that can be configured by pointing
+ // to the namespace of the infra container should use namespaceMode. This includes things like the net namespace
+ // and IPC namespace. PID mode cannot point to another container right now.
+ // See createPodInfraContainer for infra container setup.
 namespaceMode := fmt.Sprintf("container:%v", podInfraContainerID)
- _, err = dm.runContainerInPod(pod, container, namespaceMode, getIPCMode(pod, namespaceMode), getPidMode(pod))
+ _, err = dm.runContainerInPod(pod, container, namespaceMode, namespaceMode, getPidMode(pod))
 dm.updateReasonCache(pod, container, "RunContainerError", err)
 if err != nil {
 // TODO(bburns) : Perhaps blacklist a container after N failures?
@@ -1938,7 +1942,8 @@ func getPidMode(pod *api.Pod) string {
 }
 // getIPCMode returns the ipc mode to use on the docker container based on pod.Spec.HostIPC.
-func getIPCMode(pod *api.Pod, ipcMode string) string {
+func getIPCMode(pod *api.Pod) string {
+ ipcMode := ""
 if pod.Spec.HostIPC {
 ipcMode = "host"
 }
diff --git a/pkg/kubelet/dockertools/manager_test.go b/pkg/kubelet/dockertools/manager_test.go
index bbc6d3aa246..93c5e7aaa0d 100644
--- a/pkg/kubelet/dockertools/manager_test.go
+++ b/pkg/kubelet/dockertools/manager_test.go
@@ -2071,7 +2071,7 @@ func TestGetPidMode(t *testing.T) {
 func TestGetIPCMode(t *testing.T) {
 // test false
 pod := &api.Pod{}
- ipcMode := getIPCMode(pod, "")
+ ipcMode := getIPCMode(pod)
 if ipcMode != "" {
 t.Errorf("expected empty ipc mode for pod but got %v", ipcMode)
@@ -2079,7 +2079,7 @@ func TestGetIPCMode(t *testing.T) {
 // test true
 pod.Spec.HostIPC = true
- ipcMode = getIPCMode(pod, "")
+ ipcMode = getIPCMode(pod)
 if ipcMode != "host" {
 t.Errorf("expected host ipc mode for pod but got %v", ipcMode)
 }
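Review bot: Nothing in this diff tests the behaviour this hunk changes in SyncPod (pkg/kubelet/dockertools/manager.go): application containers are now always started with the infra container's IPC namespace, and the only IPC test touched, TestGetIPCMode, covers a helper that this call no longer uses. A test that syncs a pod with and without HostIPC and checks that the started container's IPC mode is `container:<infra container id>` would pin the new contract down. The call also passes `namespaceMode` twice next to a third string argument, which is easy to transpose; `netMode, ipcMode := namespaceMode, namespaceMode` before the call would make the positions readable. SyncPod begins and ends outside the hunk.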
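Review bot: The doc comment on getIPCMode (pkg/kubelet/dockertools/manager.go, hunk at -1938) no longer describes how the function is used: in the non-test hunks shown it is called only for the infra container, and the comment does not say what the empty result means. Suggested wording: `// getIPCMode returns "host" when pod.Spec.HostIPC is set and "" otherwise. It is used for the infra container; the pod's other containers join that container's IPC namespace.` The new `ipcMode := ""` could be `var ipcMode string`, the usual Go form for a zero value. The function's return statement lies outside the hunk, so this assumes it returns ipcMode unchanged.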