New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
rootless: support --pid=host #41893
rootless: support --pid=host #41893
Conversation
rootless/specconv/specconv_linux.go
Outdated
// Replace procfs mount with rbind | ||
// https://github.com/containers/podman/blob/v3.0.0-rc1/pkg/specgen/generate/oci.go#L248-L257 | ||
for i, m := range spec.Mounts { | ||
if filepath.Clean(m.Destination) == "/proc" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can use path.Clean
as well (instead of filepath
. Do we want a fast-path here in case no cleaning is needed?
if filepath.Clean(m.Destination) == "/proc" { | |
if m.Destination == "/proc" || path.Clean(m.Destination) == "/proc" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That makes the code longer and I feel less readable, but just my feeling
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Too bad we don't have a spec requirement that the paths should be absolute and cleaned.
Hmm, a somewhat similar code in buildkit do not have path.Clean()
:
https://github.com/moby/buildkit/blob/master/util/rootless/specconv/specconv_linux.go#L28-L29
So I'm not sure whether it is needed here.
2ce0056
to
7b15fc8
Compare
7b15fc8
to
a48f086
Compare
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Fix moby#41457 related: https://github.com/containers/podman/blob/v3.0.0-rc1/pkg/specgen/generate/oci.go#L248-L257 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
a48f086
to
227687f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SGTM
@cpuguy83 ptal |
@@ -38,7 +27,7 @@ func testRunWithCgroupNs(t *testing.T, daemonNsMode string, containerOpts ...fun | |||
poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond)) | |||
|
|||
daemonCgroup := d.CgroupNamespace(t) | |||
containerCgroup := containerCgroupNamespace(ctx, t, client, cID) | |||
containerCgroup := container.GetContainerNS(ctx, t, client, cID, "cgroup") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This changes the code from reading /proc/1/ns/cgroup
to /proc/self/ns/cgroup
but the end result should be the same, so no issue here (just noticing).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I know.
if err != nil { | ||
return false, err | ||
} | ||
return pidNS == selfPidNS, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A little bit faster way would be to run stat on both paths and return (st1.Dev == st2.Dev) && (st1.Ino == st2.Ino), nil
. Comparing symlinks is OK, too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Mergeable? @kolyshkin @thaJeztah |
I see two LGTMs, so merging |
The `docker/bash.sh` script should omit the `--pid=host` argument and `docker/with_the_same_user` arguments when the host's docker daemon is running in [rootless mode](https://docs.docker.com/engine/security/rootless/). The `with_the_same_user` script is unnecessary in this mode, as rootless docker daemons already use the privileges of the user. The `--pid=host` flag is required when running in CI, and while it may be useful when running tests locally, it is only supported for rootless docker in versions docker versions 22.06 or greater ([requires this commit](moby/moby#41893)).
The `docker/bash.sh` script should omit the `--pid=host` argument and `docker/with_the_same_user` arguments when the host's docker daemon is running in [rootless mode](https://docs.docker.com/engine/security/rootless/). The `with_the_same_user` script is unnecessary in this mode, as rootless docker daemons already use the privileges of the user. The `--pid=host` flag is required when running in CI, and while it may be useful when running tests locally, it is only supported for rootless docker in versions docker versions 22.06 or greater ([requires this commit](moby/moby#41893)).
- What I did
rootless: support --pid=host
Fix #41457
Also port
TestRunModePIDHost
from CLI test to API test- How I did it
By substituting procfs mount with rbind (https://github.com/containers/podman/blob/v3.0.0-rc1/pkg/specgen/generate/oci.go#L248-L257)
- How to verify it
DOCKER_ROOTLESS=1 TEST_SKIP_INTEGRATION_CLI=1 TESTFLAGS='-test.run TestPidHost' make test-integration
- Description for the changelog
rootless: support --pid=host
- A picture of a cute animal (not mandatory but encouraged)
馃惂