From 1dca64fffd344c770e2380100ee835cc6281060e Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Thu, 8 Nov 2018 13:58:57 -0800
Subject: [PATCH] Use shareable IPC for sandbox container

Currently, Docker make IPC of every container shareable by default, which means other containers can join it's IPC namespace. This is implemented by creating a tmpfs mount on the host, and then bind-mounting it to a container's /dev/shm. Other containers that want to share the same IPC (and the same /dev/shm) can also bind-mount the very same host's mount.

Now, since https://github.com/moby/moby/commit/7120976d7 (https://github.com/moby/moby/pull/34087) there is a possiblity to have per-daemon default of having "private" IPC mode, meaning all the containers created will have non-shareable /dev/shm.

For shared IPC to work in the above scenario, we need to explicitly make the "pause" container's IPC mode as "shareable", which is what this commit does.

To test: add "default-ipc-mode: private" to /etc/docker/daemon.json, try using kube as usual, there should be no errors.

Signed-off-by: Kir Kolyshkin
---
 pkg/kubelet/dockershim/docker_sandbox.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/kubelet/dockershim/docker_sandbox.go b/pkg/kubelet/dockershim/docker_sandbox.go
index 0443793d8db..01d7f9b4951 100644
--- a/pkg/kubelet/dockershim/docker_sandbox.go
+++ b/pkg/kubelet/dockershim/docker_sandbox.go
@@ -593,7 +593,9 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
 // TODO(random-liu): Deprecate this label once container metrics is directly got from CRI.
 labels[types.KubernetesContainerNameLabel] = sandboxContainerName
- hc := &dockercontainer.HostConfig{}
+ hc := &dockercontainer.HostConfig{
+ IpcMode: dockercontainer.IpcMode("shareable"),
+ }
 createConfig := &dockertypes.ContainerCreateConfig{
 Name: makeSandboxName(c),
 Config: &dockercontainer.Config{