Allow net and IPC namespaces to be shared when userns=on #21383

Merged
merged 1 commit into from Mar 22, 2016

@estesp
Contributor

estesp commented Mar 22, 2016

Now that the namespace sharing code via runc is vendored with the
containerd changes, we can disable the restrictions on container to
container net and IPC namespace sharing when the daemon has user
namespaces enabled.

Docker-DCO-1.1-Signed-off-by: Phil Estes estesp@linux.vnet.ibm.com (github: estesp)

@estesp estesp added this to the 1.11.0 milestone Mar 22, 2016

s.Linux.UIDMappings = specMapping(uidMap)
s.Linux.GIDMappings = specMapping(gidMap)
}
}
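
Review bot: the ordering dependency behind these UIDMappings/GIDMappings assignments should be recorded in the code itself, not only in the PR discussion. The block was moved from the end of the function to the top and relies on a later setNamespace call replacing the user namespace entry, so a short comment above it saying it must precede the namespace-sharing logic would keep a later refactor from moving it back. A test covering a container that joins another container's net or IPC namespace with userns enabled would also pin that behaviour.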


@estesp

estesp Mar 22, 2016

Contributor

This change is actually more minor than it appears--this is the exact block from the end of the function moved to the top to remove any need for special code at the end to determine if the userns ended up being shared or will be a newly created one during clone(). (because setNamespace does the proper job of replacement if called below)

Allow net and IPC namespaces to be shared when userns=on
Now that the namespace sharing code via runc is vendored with the
containerd changes, we can disable the restrictions on container to
container net and IPC namespace sharing when the daemon has user
namespaces enabled.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)

@tonistiigi

tonistiigi Mar 22, 2016

Member

LGTM

@calavera

calavera Mar 22, 2016

Contributor

LGTM. Windows errors are unrelated; this only changes Linux platform code.

calavera added a commit that referenced this pull request Mar 22, 2016

Merge pull request #21383 from estesp/shared-userns-net-ipc
Allow net and IPC namespaces to be shared when userns=on

@calavera calavera merged commit 62d4556 into moby:master Mar 22, 2016

7 of 8 checks passed

windowsTP4: Jenkins build Docker-PRs-WoW-TP4 3452 has failed
docker/dco-signed: All commits signed
documentation: success
experimental: Jenkins build Docker-PRs-experimental 16743 has succeeded
gccgo: Jenkins build Docker-PRs-gccgo 3600 has succeeded
janky: Jenkins build Docker-PRs 25574 has succeeded
userns: Jenkins build Docker-PRs-userns 7810 has succeeded
win2lin: Jenkins build Docker-PRs-Win2Lin 23808 has succeeded