RFC: namespaces: Allow container with agent PID namespace

This change adds a new field "agentPidns" to the CreateContainer
request. When this is set to true, the container instead of
creating and joining a new PID namespace will skip creating a PID
namespace and be in the same PID namespace as the agent/init process.

I am adding this functionality to support certain sidecar containers
such as debug/audit containers to be able to gather audit data/kernel
debug info.

Fixes #787

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>

agent.go

@@ -111,6 +111,7 @@ type container struct {
 	processes       map[string]*process
 	mounts          []string
 	useSandboxPidNs bool
+	agentPidNs      bool
 	ctx             context.Context
 }
 

config.go

@@ -162,7 +162,6 @@ func parseCmdlineOption(option string) error {
 	}
 
 	return nil
-
 }
 
 func enableTracing(traceMode, traceType string) {

grpc.go

@@ -520,6 +520,13 @@ func (a *agentGRPC) updateContainerConfigNamespaces(config *configs.Config, ctr
 		config.Namespaces = append(config.Namespaces, newUTSNs)
 	}
 
+	// If container needs to be in the agent PID namespace, do not create a new
+	// PID namespace.
+	if ctr.agentPidNs {
+		agentLog.Warnf("Container shares Pid namespace with the agent, allowing container access to the agent process")
+		return
+	}
+
 	// Update PID namespace.
 	var pidNsPath string
 
@@ -643,6 +650,7 @@ func (a *agentGRPC) CreateContainer(ctx context.Context, req *pb.CreateContainer
 		processes:       make(map[string]*process),
 		mounts:          mountList,
 		useSandboxPidNs: req.SandboxPidns,
+		agentPidNs:      req.AgentPidns,
 		ctx:             ctx,
 	}
 

grpc_test.go

@@ -39,14 +39,18 @@ var testSharedUTSNs = "testSharedUTSNs"
 var testSharedIPCNs = "testSharedIPCNs"
 
 func testUpdateContainerConfigNamespacesSharedPid(t *testing.T, sharedPidNs, sharedUTSNs, sharedIPCNs string, config, expected configs.Config) {
-	testUpdateContainerConfigNamespaces(t, sharedPidNs, sharedUTSNs, sharedIPCNs, config, expected, true)
+	testUpdateContainerConfigNamespaces(t, sharedPidNs, sharedUTSNs, sharedIPCNs, config, expected, true, false)
 }
 
 func testUpdateContainerConfigNamespacesNonSharedPid(t *testing.T, sharedPidNs, sharedUTSNs, sharedIPCNs string, config, expected configs.Config) {
-	testUpdateContainerConfigNamespaces(t, sharedPidNs, sharedUTSNs, sharedIPCNs, config, expected, false)
+	testUpdateContainerConfigNamespaces(t, sharedPidNs, sharedUTSNs, sharedIPCNs, config, expected, false, false)
 }
 
-func testUpdateContainerConfigNamespaces(t *testing.T, sharedPidNs, sharedUTSNs, sharedIPCNs string, config, expected configs.Config, sharedPid bool) {
+func testUpdateContainerConfigNamespacesAgentPid(t *testing.T, sharedPidNs, sharedUTSNs, sharedIPCNs string, config, expected configs.Config) {
+	testUpdateContainerConfigNamespaces(t, sharedPidNs, sharedUTSNs, sharedIPCNs, config, expected, false, true)
+}
+
+func testUpdateContainerConfigNamespaces(t *testing.T, sharedPidNs, sharedUTSNs, sharedIPCNs string, config, expected configs.Config, sharedPid, agentPid bool) {
 	s := &sandbox{
 		sharedPidNs: namespace{
 			path: sharedPidNs,
@@ -64,6 +68,7 @@ func testUpdateContainerConfigNamespaces(t *testing.T, sharedPidNs, sharedUTSNs,
 	ctr := &container{
 		id:              contID,
 		useSandboxPidNs: sharedPid,
+		agentPidNs:      agentPid,
 	}
 
 	s.containers[contID] = ctr
@@ -171,6 +176,35 @@ func TestUpdateContainerConfigNamespacesEmptyConfig(t *testing.T) {
 	testUpdateContainerConfigNamespacesNonSharedPid(t, testSharedPidNs, testSharedUTSNs, testSharedIPCNs, configs.Config{}, expectedConfig)
 }
 
+func TestUpdateContainerConfigNamespacesAgentPidConfig(t *testing.T) {
+	config := configs.Config{
+		Namespaces: []configs.Namespace{
+			{
+				Type: configs.NEWIPC,
+			},
+			{
+				Type: configs.NEWUTS,
+			},
+		},
+	}
+
+	expectedConfig := configs.Config{
+		Namespaces: []configs.Namespace{
+			{
+				Type: configs.NEWIPC,
+				Path: testSharedIPCNs,
+			},
+			{
+				Type: configs.NEWUTS,
+				Path: testSharedUTSNs,
+			},
+		},
+	}
+
+	testUpdateContainerConfigNamespacesAgentPid(t, testSharedPidNs, testSharedUTSNs, testSharedIPCNs, config, expectedConfig)
+
+}
+
 func testUpdateContainerConfigPrivileges(t *testing.T, spec *specs.Spec, config, expected configs.Config) {
 	a := &agentGRPC{}