Allow CRI-O to manage IPC and UTS namespaces
This includes:
    rename the option ManageNetworkNSLifecycle to ManageNSLifecycle
    add a new set of files: internal/lib/sandbox/namespaces* that takes care of namespace related functionality
    create a generic NamespaceIface interface for interacting with all three kinds of namespaces
    refactor some of runPodSandbox to reduce cyclomatic complexity
    use pinns for managing

Signed-off-by: Peter Hunt <pehunt@redhat.com>
haircommander committed Dec 17, 2019
1 parent a2ae201 commit 3e3ebaf
Showing 27 changed files with 846 additions and 766 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -314,7 +314,7 @@ mock-sandbox: ${MOCKGEN}
${MOCKGEN_FLAGS} \
-package sandboxmock \
-destination ${MOCK_PATH}/sandbox/sandbox.go \
github.com/cri-o/cri-o/internal/lib/sandbox NetNsIface
github.com/cri-o/cri-o/internal/lib/sandbox NamespaceIface

mock-image-types: ${MOCKGEN}
${BUILD_BIN_PATH}/mockgen \
1 change: 1 addition & 0 deletions completions/bash/crio
Expand Up @@ -50,6 +50,7 @@ h
--log-level
--log-size-max
--manage-network-ns-lifecycle
--manage-ns-lifecycle
--metrics-port
--no-pivot
--pause-command
3 changes: 2 additions & 1 deletion completions/fish/crio.fish
Expand Up @@ -72,7 +72,8 @@ complete -c crio -n '__fish_crio_no_subcommand' -f -l log-format -r -d 'Set the
complete -c crio -n '__fish_crio_no_subcommand' -f -l log-journald -d 'Log to systemd journal (journald) in addition to kubernetes log file (default: false)'
complete -c crio -n '__fish_crio_no_subcommand' -f -l log-level -s l -r -d 'Log messages above specified level: trace, debug, info, warn, error, fatal or panic'
complete -c crio -n '__fish_crio_no_subcommand' -f -l log-size-max -r -d 'Maximum log size in bytes for a container. If it is positive, it must be >= 8192 to match/exceed conmon read buffer'
complete -c crio -n '__fish_crio_no_subcommand' -f -l manage-network-ns-lifecycle -d 'Determines whether we pin and remove network namespace and manage its lifecycle (default: false)'
complete -c crio -n '__fish_crio_no_subcommand' -f -l manage-network-ns-lifecycle -d 'Deprecated: this option is being replaced by `manage_ns_lifecycle`, which is described below'
complete -c crio -n '__fish_crio_no_subcommand' -f -l manage-ns-lifecycle -d 'Determines whether we pin and remove namespaces and manage their lifecycle (default: false)'
complete -c crio -n '__fish_crio_no_subcommand' -f -l metrics-port -r -d 'Port for the metrics endpoint'
complete -c crio -n '__fish_crio_no_subcommand' -f -l no-pivot -d 'If true, the runtime will not use `pivot_root`, but instead use `MS_MOVE` (default: false)'
complete -c crio -n '__fish_crio_no_subcommand' -f -l pause-command -r -d 'Path to the pause executable in the pause image (default: "/pause")'
2 changes: 1 addition & 1 deletion completions/zsh/_crio
Expand Up @@ -7,7 +7,7 @@ it later with **--config**. Global options will modify the output.' 'wipe:wipe C
_describe 'commands' cmds

local -a opts
opts=('--additional-devices' '--apparmor-profile' '--bind-mount-prefix' '--cgroup-manager' '--cni-config-dir' '--cni-plugin-dir' '--config' '--conmon' '--conmon-cgroup' '--conmon-env' '--container-attach-socket-dir' '--container-exits-dir' '--ctr-stop-timeout' '--decryption-keys-path' '--default-capabilities' '--default-mounts' '--default-mounts-file' '--default-runtime' '--default-sysctls' '--default-transport' '--default-ulimits' '--enable-metrics' '--gid-mappings' '--global-auth-file' '--grpc-max-recv-msg-size' '--grpc-max-send-msg-size' '--hooks-dir' '--host-ip' '--image-volumes' '--insecure-registry' '--listen' '--log' '--log-dir' '--log-filter' '--log-format' '--log-journald' '--log-level' '--log-size-max' '--manage-network-ns-lifecycle' '--metrics-port' '--no-pivot' '--pause-command' '--pause-image' '--pause-image-auth-file' '--pids-limit' '--profile' '--profile-port' '--read-only' '--registries-conf' '--registry' '--root' '--runroot' '--runtime' '--runtimes' '--seccomp-profile' '--selinux' '--signature-policy' '--storage-driver' '--storage-opt' '--stream-address' '--stream-enable-tls' '--stream-port' '--stream-tls-ca' '--stream-tls-cert' '--stream-tls-key' '--uid-mappings' '--version-file' '--help' '--version')
opts=('--additional-devices' '--apparmor-profile' '--bind-mount-prefix' '--cgroup-manager' '--cni-config-dir' '--cni-plugin-dir' '--config' '--conmon' '--conmon-cgroup' '--conmon-env' '--container-attach-socket-dir' '--container-exits-dir' '--ctr-stop-timeout' '--decryption-keys-path' '--default-capabilities' '--default-mounts' '--default-mounts-file' '--default-runtime' '--default-sysctls' '--default-transport' '--default-ulimits' '--enable-metrics' '--gid-mappings' '--global-auth-file' '--grpc-max-recv-msg-size' '--grpc-max-send-msg-size' '--hooks-dir' '--host-ip' '--image-volumes' '--insecure-registry' '--listen' '--log' '--log-dir' '--log-filter' '--log-format' '--log-journald' '--log-level' '--log-size-max' '--manage-network-ns-lifecycle' '--manage-ns-lifecycle' '--metrics-port' '--no-pivot' '--pause-command' '--pause-image' '--pause-image-auth-file' '--pids-limit' '--profile' '--profile-port' '--read-only' '--registries-conf' '--registry' '--root' '--runroot' '--runtime' '--runtimes' '--seccomp-profile' '--selinux' '--signature-policy' '--storage-driver' '--storage-opt' '--stream-address' '--stream-enable-tls' '--stream-port' '--stream-tls-ca' '--stream-tls-cert' '--stream-tls-key' '--uid-mappings' '--version-file' '--help' '--version')
_describe 'global options' opts

return
5 changes: 2 additions & 3 deletions contrib/test/integration/build/cri-o.yml
Expand Up @@ -31,11 +31,10 @@

- name: set manage network ns lifecycle
replace:
regexp: 'manage_network_ns_lifecycle.*=.*false'
replace: 'manage_network_ns_lifecycle = true'
regexp: 'manage_ns_lifecycle.*=.*false'
replace: 'manage_ns_lifecycle = true'
name: /etc/crio/crio.conf
backup: yes
when: manage_network_ns_lifecycle

- name: install configs
copy:
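Review bot: The task name on the `- name:` line still reads `set manage network ns lifecycle` although the regexp and replace values now target `manage_ns_lifecycle`; renaming it to `set manage ns lifecycle` keeps the play output consistent with the option it edits. If the `when: manage_network_ns_lifecycle` line is retained rather than being one of this hunk's three deletions (the rendered page does not show which), it references a variable that vars.yml in this same commit renames to `manage_ns_lifecycle`, so the task would fail on an undefined variable unless it is defined elsewhere.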
2 changes: 1 addition & 1 deletion contrib/test/integration/vars.yml
Expand Up @@ -4,7 +4,7 @@
integration_selinux_enabled: True
e2e_selinux_enabled: False
node_e2e_selinux_enabled: False
manage_network_ns_lifecycle: False
manage_ns_lifecycle: True

# For results.yml Paths use rsync 'source' conventions
artifacts: "/tmp/artifacts" # Base-directory for collection
5 changes: 4 additions & 1 deletion docs/crio.8.md
Expand Up @@ -53,6 +53,7 @@ crio
[--log-size-max]=[value]
[--log]=[value]
[--manage-network-ns-lifecycle]
[--manage-ns-lifecycle]
[--metrics-port]=[value]
[--no-pivot]
[--pause-command]=[value]
Expand Down Expand Up @@ -211,7 +212,9 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]

**--log-size-max**="": Maximum log size in bytes for a container. If it is positive, it must be >= 8192 to match/exceed conmon read buffer (default: -1)

**--manage-network-ns-lifecycle**: Determines whether we pin and remove network namespace and manage its lifecycle (default: false)
**--manage-network-ns-lifecycle**: Deprecated: this option is being replaced by `manage_ns_lifecycle`, which is described below

**--manage-ns-lifecycle**: Determines whether we pin and remove namespaces and manage their lifecycle (default: false)

**--metrics-port**="": Port for the metrics endpoint (default: 9090)

5 changes: 4 additions & 1 deletion docs/crio.conf.5.md
Expand Up @@ -198,7 +198,10 @@ The `crio.runtime` table contains settings pertaining to the OCI runtime used an
The minimal amount of time in seconds to wait before issuing a timeout regarding the proper termination of the container.

**manage_network_ns_lifecycle**=false
ManageNetworkNSLifecycle determines whether we pin and remove network namespace and manage its lifecycle.
**DEPRECATED** this option is being replaced by manage_ns_lifecycle, which is described below.

**manage_ns_lifecycle**=false
ManageNSLifecycle determines whether we pin and remove namespaces and manage their lifecycle

### CRIO.RUNTIME.RUNTIMES TABLE
The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes. The runtime to use is picked based on the runtime_handler provided by the CRI. If no runtime_handler is provided, the runtime will be picked based on the level of trust of the workload.
32 changes: 26 additions & 6 deletions internal/lib/container_server.go
Expand Up @@ -333,16 +333,36 @@ func (c *ContainerServer) LoadSandbox(id string) error {
sb.SetSeccompProfilePath(spp)
sb.SetNamespaceOptions(&nsOpts)

// We add a netNS only if we can load a permanent one.
// We add an NS only if we can load a permanent one.
// Otherwise, the sandbox will live in the host namespace.
if c.config.ManageNetworkNSLifecycle {
netNsPath, err := configNetNsPath(&m)
if c.config.ManageNSLifecycle {
netNsPath, err := configNsPath(&m, rspec.NetworkNamespace)
if err == nil {
nsErr := sb.NetNsJoin(netNsPath, sb.Name())
// If we can't load the networking namespace
// because it's closed, we just set the sb netns
// pointer to nil. Otherwise we return an error.
if nsErr != nil && nsErr != sandbox.ErrClosedNetNS {
if nsErr != nil && nsErr != sandbox.ErrClosedNS {
return nsErr
}
}
ipcNsPath, err := configNsPath(&m, rspec.IPCNamespace)
if err == nil {
nsErr := sb.IpcNsJoin(ipcNsPath, sb.Name())
// If we can't load the IPC namespace
// because it's closed, we just set the sb ipcns
// pointer to nil. Otherwise we return an error.
if nsErr != nil && nsErr != sandbox.ErrClosedNS {
return nsErr
}
}
utsNsPath, err := configNsPath(&m, rspec.UTSNamespace)
if err == nil {
nsErr := sb.UtsNsJoin(utsNsPath, sb.Name())
// If we can't load the UTS namespace
// because it's closed, we just set the sb utsns
// pointer to nil. Otherwise we return an error.
if nsErr != nil && nsErr != sandbox.ErrClosedNS {
return nsErr
}
}
Expand Down Expand Up @@ -424,9 +444,9 @@ func (c *ContainerServer) LoadSandbox(id string) error {
return nil
}

func configNetNsPath(spec *rspec.Spec) (string, error) {
func configNsPath(spec *rspec.Spec, nsType rspec.LinuxNamespaceType) (string, error) {
for _, ns := range spec.Linux.Namespaces {
if ns.Type != rspec.NetworkNamespace {
if ns.Type != nsType {
continue
}

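Review bot: The three namespace blocks inside the `if c.config.ManageNSLifecycle {` branch of LoadSandbox are the same eight lines copied for network, IPC and UTS, differing only in the `rspec.*Namespace` constant and the `sb.*NsJoin` method, so a fourth namespace type means a fourth copy and any change to the closed-namespace handling has to be made three times. Each block also discards the error from `configNsPath` without a trace, which means a sandbox restored with `ManageNSLifecycle` enabled can silently end up back in the host IPC or UTS namespace (the comment above the branch says as much); a debug-level log of that error where the path lookup fails would make that fallback observable to an operator. A table-driven loop keeps the behaviour identical while removing the duplication, assuming the three `*NsJoin` methods share the `(string, string) error` signature the calls here imply. LoadSandbox starts before this hunk and continues past it.
```go
	if c.config.ManageNSLifecycle {
		joins := []struct {
			nsType rspec.LinuxNamespaceType
			join   func(string, string) error
		}{
			{rspec.NetworkNamespace, sb.NetNsJoin},
			{rspec.IPCNamespace, sb.IpcNsJoin},
			{rspec.UTSNamespace, sb.UtsNsJoin},
		}
		for _, j := range joins {
			nsPath, err := configNsPath(&m, j.nsType)
			if err != nil {
				// No pinned path for this namespace in the spec: the
				// sandbox stays in the host namespace for it.
				// TODO(review): log err at debug level so the fallback is visible.
				continue
			}
			// A closed namespace leaves the sandbox pointer nil;
			// anything else is a real error.
			if nsErr := j.join(nsPath, sb.Name()); nsErr != nil && nsErr != sandbox.ErrClosedNS {
				return nsErr
			}
		}
	}
	// … unchanged: rest of LoadSandbox …
```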
