c8d: Use a specific containerd namespace when userns are remapped

We need to isolate the images that we are remapping to a userns, we can't mix them with "normal" images. In the graph driver case this means we create a new root directory where we store the images and everything else, in the containerd case we can use a new namespace. Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
moby · Jan 24, 2024 · 35dbc02 · 35dbc02
1 parent 5a3a101
commit 35dbc02
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/cmd/dockerd/daemon.go b/cmd/dockerd/daemon.go
@@ -616,6 +616,15 @@ func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {
 		conf.CDISpecDirs = nil
 	}
 
+	if conf.RemappedRoot != "" {
+		containerdNamespace, containerdPluginNamespace, err := daemon.RemapContainerdNamespaces(conf)
+		if err != nil {
+			return nil, err
+		}
+		conf.ContainerdNamespace = containerdNamespace
+		conf.ContainerdPluginNamespace = containerdPluginNamespace
+	}
+
 	return conf, nil
 }
 

diff --git a/daemon/daemon.go b/daemon/daemon.go
@@ -1515,6 +1515,34 @@ func CreateDaemonRoot(config *config.Config) error {
 	return setupDaemonRoot(config, realRoot, idMapping.RootPair())
 }
 
+// RemapContainerdNamespaces returns the right containerd namespaces to use:
+// - if they are not already set in the config file
+// -  and the daemon is running with user namespace remapping enabled
+// Then it will return new namespace names, otherwise it will return the existing
+// namespaces
+func RemapContainerdNamespaces(config *config.Config) (ns string, pluginNs string, err error) {
+	idMapping, err := setupRemappedRoot(config)
+	if err != nil {
+		return "", "", err
+	}
+	if idMapping.Empty() {
+		return config.ContainerdNamespace, config.ContainerdPluginNamespace, nil
+	}
+	root := idMapping.RootPair()
+
+	ns = config.ContainerdNamespace
+	if _, ok := config.ValuesSet["containerd-namespace"]; !ok {
+		ns = fmt.Sprintf("%s-%d.%d", config.ContainerdNamespace, root.UID, root.GID)
+	}
+
+	pluginNs = config.ContainerdPluginNamespace
+	if _, ok := config.ValuesSet["containerd-plugin-namespace"]; !ok {
+		pluginNs = fmt.Sprintf("%s-%d.%d", config.ContainerdPluginNamespace, root.UID, root.GID)
+	}
+
+	return
+}
+
 // checkpointAndSave grabs a container lock to safely call container.CheckpointTo
 func (daemon *Daemon) checkpointAndSave(container *container.Container) error {
 	container.Lock()