Merge pull request #8685 from mheon/ignore_containersconf_sysctls_shared_net

openshift-merge-robot · web-flow · commit ffe2b1e95a86 · 2021-01-05T17:08:31.000-05:00
Ignore containers.conf sysctls when sharing namespaces
diff --git a/libpod/runtime_pod_infra_linux.go b/libpod/runtime_pod_infra_linux.go
@@ -159,6 +159,34 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, rawIm
 		g.AddMount(devPts)
 	}
 
+	// Add default sysctls from containers.conf
+	defaultSysctls, err := util.ValidateSysctls(r.config.Sysctls())
+	if err != nil {
+		return nil, err
+	}
+	for sysctlKey, sysctlVal := range defaultSysctls {
+		// Ignore mqueue sysctls if not sharing IPC
+		if !p.config.UsePodIPC && strings.HasPrefix(sysctlKey, "fs.mqueue.") {
+			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since IPC Namespace for pod is unused", sysctlKey, sysctlVal)
+
+			continue
+		}
+
+		// Ignore net sysctls if host network or not sharing network
+		if (p.config.InfraContainer.HostNetwork || !p.config.UsePodNet) && strings.HasPrefix(sysctlKey, "net.") {
+			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since Network Namespace for pod is unused", sysctlKey, sysctlVal)
+			continue
+		}
+
+		// Ignore uts sysctls if not sharing UTS
+		if !p.config.UsePodUTS && (strings.HasPrefix(sysctlKey, "kernel.domainname") || strings.HasPrefix(sysctlKey, "kernel.hostname")) {
+			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since UTS Namespace for pod is unused", sysctlKey, sysctlVal)
+			continue
+		}
+
+		g.AddLinuxSysctl(sysctlKey, sysctlVal)
+	}
+
 	containerName := p.ID()[:IDTruncLength] + "-infra"
 	options = append(options, r.WithPod(p))
 	options = append(options, WithRootFSFromImage(imgID, imgName, rawImageName))
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
@@ -178,6 +178,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 
 	g.SetRootReadonly(s.ReadOnlyFilesystem)
 
+	noUseIPC := s.IpcNS.NSMode == specgen.FromContainer || s.IpcNS.NSMode == specgen.FromPod || s.IpcNS.NSMode == specgen.Host
+	noUseNet := s.NetNS.NSMode == specgen.FromContainer || s.NetNS.NSMode == specgen.FromPod || s.NetNS.NSMode == specgen.Host
+	noUseUTS := s.UtsNS.NSMode == specgen.FromContainer || s.UtsNS.NSMode == specgen.FromPod || s.UtsNS.NSMode == specgen.Host
+
 	// Add default sysctls
 	defaultSysctls, err := util.ValidateSysctls(rtc.Sysctls())
 	if err != nil {
@@ -186,20 +190,20 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	for sysctlKey, sysctlVal := range defaultSysctls {
 
 		// Ignore mqueue sysctls if --ipc=host
-		if s.IpcNS.IsHost() && strings.HasPrefix(sysctlKey, "fs.mqueue.") {
+		if noUseIPC && strings.HasPrefix(sysctlKey, "fs.mqueue.") {
 			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since IPC Namespace set to host", sysctlKey, sysctlVal)
 
 			continue
 		}
 
 		// Ignore net sysctls if --net=host
-		if s.NetNS.IsHost() && strings.HasPrefix(sysctlKey, "net.") {
+		if noUseNet && strings.HasPrefix(sysctlKey, "net.") {
 			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since Network Namespace set to host", sysctlKey, sysctlVal)
 			continue
 		}
 
 		// Ignore uts sysctls if --uts=host
-		if s.UtsNS.IsHost() && (strings.HasPrefix(sysctlKey, "kernel.domainname") || strings.HasPrefix(sysctlKey, "kernel.hostname")) {
+		if noUseUTS && (strings.HasPrefix(sysctlKey, "kernel.domainname") || strings.HasPrefix(sysctlKey, "kernel.hostname")) {
 			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since UTS Namespace set to host", sysctlKey, sysctlVal)
 			continue
 		}
