Merge pull request #56 from justincormack/host-root

Change the default namespaces
2025-07-21 18:11:35 +00:00 · 2017-05-30 15:35:01 +01:00 · 2017-05-30 15:35:01 +01:00 · 5cd1e4e2ae
commit 5cd1e4e2ae
parent 101fa30ef3 dfd57aeeee
1 changed files with 45 additions and 22 deletions
--- a/cmd/moby/config.go
+++ b/cmd/moby/config.go
@ -375,6 +375,18 @@ func assignStringEmpty(v1, v2 string) string {
 	return v1
 }
 // assignStringEmpty3 does ordered overrides if strings are empty, for
 // values where there is always an explicit override eg "none"
 func assignStringEmpty3(v1, v2, v3 string) string {
 	if v3 != "" {
 		return v3
 	}
 	if v2 != "" {
 		return v2
 	}
 	return v1
 }
 // assign StringEmpty4 does ordered overrides if strings are empty, for
 // values where there is always an explicit override eg "none"
 func assignStringEmpty4(v1, v2, v3, v4 string) string {
@ -390,14 +402,6 @@ func assignStringEmpty4(v1, v2, v3, v4 string) string {
 	return v1
 }
 // emptyNone replaces "none" with the empty string
 func emptyNone(v string) string {
 	if v == "none" {
 		return ""
 	}
 	return v
 }
 // ConfigInspectToOCI converts a config and the output of image inspect to an OCI config
 func ConfigInspectToOCI(yaml MobyImage, inspect types.ImageInspect) (specs.Spec, error) {
 	oci := specs.Spec{}
@ -518,25 +522,44 @@ func ConfigInspectToOCI(yaml MobyImage, inspect types.ImageInspect) (specs.Spec,
 	namespaces := []specs.LinuxNamespace{}
 	// to attach to an existing namespace, easiest to bind mount with nsfs in a system container
-	netNS := assignStringEmpty(label.Net, yaml.Net)
+
-	if netNS != "host" {
+	// net, ipc and uts namespaces: default to not creating a new namespace (usually host namespace)
-		namespaces = append(namespaces, specs.LinuxNamespace{Type: specs.NetworkNamespace, Path: emptyNone(netNS)})
+	netNS := assignStringEmpty3("root", label.Net, yaml.Net)
 	if netNS != "host" && netNS != "root" {
 		if netNS == "none" || netNS == "new" {
 			netNS = ""
 		}
 		namespaces = append(namespaces, specs.LinuxNamespace{Type: specs.NetworkNamespace, Path: netNS})
 	}
 	ipcNS := assignStringEmpty3("root", label.Ipc, yaml.Ipc)
 	if ipcNS != "host" && ipcNS != "root" {
 		if ipcNS == "new" {
 			ipcNS = ""
 		}
 		namespaces = append(namespaces, specs.LinuxNamespace{Type: specs.IPCNamespace, Path: ipcNS})
 	}
 	utsNS := assignStringEmpty3("root", label.Uts, yaml.Uts)
 	if utsNS != "host" && utsNS != "root" {
 		if utsNS == "new" {
 			utsNS = ""
 		}
 		namespaces = append(namespaces, specs.LinuxNamespace{Type: specs.UTSNamespace, Path: utsNS})
 	}
 	// default to creating a new pid namespace
 	pidNS := assignStringEmpty(label.Pid, yaml.Pid)
-	if pidNS != "host" {
+	if pidNS != "host" && pidNS != "root" {
-		namespaces = append(namespaces, specs.LinuxNamespace{Type: specs.PIDNamespace, Path: emptyNone(pidNS)})
+		if pidNS == "new" {
 			pidNS = ""
 		}
-	ipcNS := assignStringEmpty(label.Ipc, yaml.Ipc)
+		namespaces = append(namespaces, specs.LinuxNamespace{Type: specs.PIDNamespace, Path: pidNS})
 	if ipcNS != "host" {
 		namespaces = append(namespaces, specs.LinuxNamespace{Type: specs.IPCNamespace, Path: emptyNone(ipcNS)})
 	}
-	utsNS := assignStringEmpty(label.Uts, yaml.Uts)
+
-	if utsNS != "host" {
+	// Always create a new mount namespace
 		namespaces = append(namespaces, specs.LinuxNamespace{Type: specs.UTSNamespace, Path: emptyNone(utsNS)})
 	}
 	// TODO user, cgroup namespaces, maybe mount=host if useful
 	namespaces = append(namespaces, specs.LinuxNamespace{Type: specs.MountNamespace})
 	// TODO user, cgroup namespaces
 	caps := assignStrings(label.Capabilities, yaml.Capabilities)
 	if len(caps) == 1 {
 		switch cap := strings.ToLower(caps[0]); cap {