Merge pull request #21987 from TomSweeneyRedHat/dev/tsweeney/pickDOcker

openshift-merge-bot[bot] · web-flow · commit 9e929db1f61c · 2024-03-08T11:23:34.000Z
Backport two docker CLI compatibility fixes
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
@@ -48,6 +48,7 @@ import (
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/lockfile"
+	"github.com/containers/storage/pkg/unshare"
 	stypes "github.com/containers/storage/types"
 	securejoin "github.com/cyphar/filepath-securejoin"
 	runcuser "github.com/opencontainers/runc/libcontainer/user"
@@ -633,14 +634,15 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 	nofileSet := false
 	nprocSet := false
 	isRootless := rootless.IsRootless()
-	if isRootless {
-		if g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
-			var err error
-			*g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
-			if err != nil {
-				return nil, nil, err
-			}
+	isRunningInUserNs := unshare.IsRootless()
+	if isRunningInUserNs && g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
+		var err error
+		*g.Config.Process.OOMScoreAdj, err = maybeClampOOMScoreAdj(*g.Config.Process.OOMScoreAdj)
+		if err != nil {
+			return nil, nil, err
 		}
+	}
+	if isRootless {
 		for _, rlimit := range c.config.Spec.Process.Rlimits {
 			if rlimit.Type == "RLIMIT_NOFILE" {
 				nofileSet = true
diff --git a/pkg/api/handlers/compat/containers_create.go b/pkg/api/handlers/compat/containers_create.go
@@ -365,7 +365,17 @@ func cliOpts(cc handlers.CreateContainerConfig, rtc *config.Config) (*entities.C
 				}
 			}
 
-			networks[netName] = netOpts
+			// Report configuration error in case bridge mode is not used.
+			if !nsmode.IsBridge() && (len(netOpts.Aliases) > 0 || len(netOpts.StaticIPs) > 0 || len(netOpts.StaticMAC) > 0) {
+				return nil, nil, fmt.Errorf("networks and static ip/mac address can only be used with Bridge mode networking")
+			} else if nsmode.IsBridge() {
+				// Docker CLI now always sends the end point config when using the default (bridge) mode
+				// however podman configuration doesn't expect this to define this at all when not in bridge
+				// mode and the podman server config might override the default network mode to something
+				// else than bridge. So adapt to the podman expectation and define custom end point config
+				// only when really using the bridge mode.
+				networks[netName] = netOpts
+			}
 		}
 
 		netInfo.Networks = networks
diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at
@@ -527,6 +527,29 @@ t GET containers/$cid/json 200 \
 
 t DELETE containers/$cid?v=true 204
 
+# test create container like Docker >= 25 cli: NetworkMode="default" but EndpointsConfig struct is explictly set and netns="host"
+t POST containers/create \
+  Image=$IMAGE \
+  HostConfig='{"NetworkMode":"default"}' \
+  NetworkingConfig='{"EndpointsConfig":{"default":{"IPAMConfig":null,"Links":null,"Aliases":null,"MacAddress":"","NetworkID":"","EndpointID":"","Gateway":"","IPAddress":"","IPPrefixLen":0,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"DriverOpts":null,"DNSNames":null}}}' \
+  201 \
+  .Id~[0-9a-f]\\{64\\}
+cid=$(jq -r '.Id' <<<"$output")
+t GET containers/$cid/json 200 \
+  .HostConfig.NetworkMode="host"
+
+t DELETE containers/$cid?v=true 204
+
+# test creating a container fails with netns="hosts" on podman side but keep using the default network mode
+# on docker CLI side and trying to use --ip 1.2.3.4 which is only valid for the bridge network mode (docker CLI
+# will assume the default is the bridge mode, so it's valid from docker CLI point of view).
+t POST containers/create \
+  Image=$IMAGE \
+  HostConfig='{"NetworkMode":"default"}' \
+  NetworkingConfig='{"EndpointsConfig":{"default":{"IPAMConfig":null,"Links":null,"Aliases":null,"MacAddress":"","NetworkID":"","EndpointID":"","Gateway":"","IPAddress":"1.2.3.4","IPPrefixLen":0,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"DriverOpts":null,"DNSNames":null}}}' \
+  500 \
+    .cause="networks and static ip/mac address can only be used with Bridge mode networking"
+
 # Restart with the default containers.conf for next tests.
 stop_service
 start_service

Original file line number	Diff line number	Diff line change
`@@ -365,7 +365,17 @@ func cliOpts(cc handlers.CreateContainerConfig, rtc config.Config) (entities.C`
`365`	`365`	`}`
`366`	`366`	`}`
`367`	`367`
`368`		`- networks[netName] = netOpts`
	`368`	`+ // Report configuration error in case bridge mode is not used.`
	`369`	`+ if !nsmode.IsBridge() && (len(netOpts.Aliases) > 0 \|\| len(netOpts.StaticIPs) > 0 \|\| len(netOpts.StaticMAC) > 0) {`
	`370`	`+ return nil, nil, fmt.Errorf("networks and static ip/mac address can only be used with Bridge mode networking")`
	`371`	`+ } else if nsmode.IsBridge() {`
	`372`	`+ // Docker CLI now always sends the end point config when using the default (bridge) mode`
	`373`	`+ // however podman configuration doesn't expect this to define this at all when not in bridge`
	`374`	`+ // mode and the podman server config might override the default network mode to something`
	`375`	`+ // else than bridge. So adapt to the podman expectation and define custom end point config`
	`376`	`+ // only when really using the bridge mode.`
	`377`	`+ networks[netName] = netOpts`
	`378`	`+ }`
`369`	`379`	`}`
`370`	`380`
`371`	`381`	`netInfo.Networks = networks`