pkg/container: take container namespace configuration

haircommander · haircommander · commit 1fa69c707688 · 2021-12-14T12:59:24.000-05:00
Signed-off-by: Peter Hunt &lt;pehunt@redhat.com&gt;
diff --git a/pkg/container/container.go b/pkg/container/container.go
@@ -102,6 +102,9 @@ type Container interface {
 	// given the image information and passed-in container config
 	SpecSetProcessArgs(imageOCIConfig *v1.Image) error
 
+	// SpecAddNamespaces sets the container's namespaces.
+	SpecAddNamespaces(sb *sandbox.Sandbox) error
+
 	// WillRunSystemd checks whether the process args
 	// are configured to be run as a systemd instance.
 	WillRunSystemd() bool
@@ -260,20 +263,20 @@ func (c *container) Spec() *generate.Generator {
 }
 
 // SetConfig sets the configuration to the container and validates it
-func (c *container) SetConfig(config *types.ContainerConfig, sboxConfig *types.PodSandboxConfig) error {
+func (c *container) SetConfig(cfg *types.ContainerConfig, sboxConfig *types.PodSandboxConfig) error {
 	if c.config != nil {
 		return errors.New("config already set")
 	}
 
-	if config == nil {
+	if cfg == nil {
 		return errors.New("config is nil")
 	}
 
-	if config.Metadata == nil {
+	if cfg.Metadata == nil {
 		return errors.New("metadata is nil")
 	}
 
-	if config.Metadata.Name == "" {
+	if cfg.Metadata.Name == "" {
 		return errors.New("name is nil")
 	}
 
@@ -285,7 +288,7 @@ func (c *container) SetConfig(config *types.ContainerConfig, sboxConfig *types.P
 		return errors.New("sandbox config is already set")
 	}
 
-	c.config = config
+	c.config = cfg
 	c.sboxConfig = sboxConfig
 	return nil
 }
diff --git a/pkg/container/namespaces.go b/pkg/container/namespaces.go
@@ -0,0 +1,72 @@
+package container
+
+import (
+	"github.com/cri-o/cri-o/internal/config/nsmgr"
+	"github.com/cri-o/cri-o/internal/lib/sandbox"
+	rspec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/runtime-tools/generate"
+	"github.com/pkg/errors"
+	types "k8s.io/cri-api/pkg/apis/runtime/v1"
+)
+
+func (c *container) SpecAddNamespaces(sb *sandbox.Sandbox) error {
+	// Join the namespace paths for the pod sandbox container.
+	if err := ConfigureGeneratorGivenNamespacePaths(sb.NamespacePaths(), &c.spec); err != nil {
+		return errors.Wrap(err, "failed to configure namespaces in container create")
+	}
+
+	sc := c.config.Linux.SecurityContext
+
+	if sc.NamespaceOptions.Network == types.NamespaceMode_NODE {
+		if err := c.spec.RemoveLinuxNamespace(string(rspec.NetworkNamespace)); err != nil {
+			return err
+		}
+	}
+
+	switch sc.NamespaceOptions.Pid {
+	case types.NamespaceMode_NODE:
+		// kubernetes PodSpec specify to use Host PID namespace
+		if err := c.spec.RemoveLinuxNamespace(string(rspec.PIDNamespace)); err != nil {
+			return err
+		}
+	case types.NamespaceMode_POD:
+		pidNsPath := sb.PidNsPath()
+		if pidNsPath == "" {
+			if sb.NamespaceOptions().Pid != types.NamespaceMode_POD {
+				return errors.New("Pod level PID namespace requested for the container, but pod sandbox was not similarly configured, and does not have an infra container")
+			}
+			return errors.New("PID namespace requested, but sandbox infra container unexpectedly invalid")
+		}
+
+		if err := c.spec.AddOrReplaceLinuxNamespace(string(rspec.PIDNamespace), pidNsPath); err != nil {
+			return errors.Wrapf(err, "updating container PID namespace to pod")
+		}
+	}
+	return nil
+}
+
+// ConfigureGeneratorGivenNamespacePaths takes a map of nsType -> nsPath. It configures the generator
+// to add or replace the defaults to these paths
+func ConfigureGeneratorGivenNamespacePaths(managedNamespaces []*sandbox.ManagedNamespace, g *generate.Generator) error {
+	typeToSpec := map[nsmgr.NSType]rspec.LinuxNamespaceType{
+		nsmgr.IPCNS:  rspec.IPCNamespace,
+		nsmgr.NETNS:  rspec.NetworkNamespace,
+		nsmgr.UTSNS:  rspec.UTSNamespace,
+		nsmgr.USERNS: rspec.UserNamespace,
+	}
+
+	for _, ns := range managedNamespaces {
+		// allow for empty paths, as this namespace just shouldn't be configured
+		if ns.Path() == "" {
+			continue
+		}
+		nsForSpec := typeToSpec[ns.Type()]
+		if nsForSpec == "" {
+			return errors.Errorf("Invalid namespace type %s", ns.Type())
+		}
+		if err := g.AddOrReplaceLinuxNamespace(string(nsForSpec), ns.Path()); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/pkg/container/namespaces_test.go b/pkg/container/namespaces_test.go
@@ -0,0 +1,197 @@
+package container_test
+
+import (
+	"os"
+
+	"github.com/cri-o/cri-o/internal/config/nsmgr"
+	nsmgrtest "github.com/cri-o/cri-o/internal/config/nsmgr/test"
+	"github.com/cri-o/cri-o/internal/lib/sandbox"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	rspec "github.com/opencontainers/runtime-spec/specs-go"
+	types "k8s.io/cri-api/pkg/apis/runtime/v1"
+)
+
+var _ = t.Describe("Container:SpecAddNamespaces", func() {
+	It("should inherit pod namespaces", func() {
+		// Given
+		config := &types.ContainerConfig{
+			Metadata: &types.ContainerMetadata{Name: "name"},
+			Linux: &types.LinuxContainerConfig{
+				SecurityContext: &types.LinuxContainerSecurityContext{
+					NamespaceOptions: &types.NamespaceOption{
+						Network: types.NamespaceMode_POD,
+						Ipc:     types.NamespaceMode_POD,
+						Pid:     types.NamespaceMode_CONTAINER,
+					},
+				},
+			},
+		}
+
+		sboxConfig := &types.PodSandboxConfig{}
+		sb := &sandbox.Sandbox{}
+		sb.AddManagedNamespaces(nsmgrtest.AllSpoofedNamespaces)
+		sut.Spec().ClearLinuxNamespaces()
+
+		// When
+		Expect(sut.SetConfig(config, sboxConfig)).To(BeNil())
+		Expect(sut.SpecAddNamespaces(sb)).To(BeNil())
+
+		// Then
+		spec := sut.Spec()
+		Expect(len(spec.Config.Linux.Namespaces)).To(Equal(len(nsmgrtest.AllSpoofedNamespaces)))
+		for _, ns := range nsmgrtest.AllSpoofedNamespaces {
+			found := false
+			for _, specNs := range spec.Config.Linux.Namespaces {
+				if specNs.Path == ns.Path() {
+					found = true
+				}
+			}
+			Expect(found).To(Equal(true))
+		}
+	})
+	It("should drop network if hostNet", func() {
+		// Given
+		config := &types.ContainerConfig{
+			Metadata: &types.ContainerMetadata{Name: "name"},
+			Linux: &types.LinuxContainerConfig{
+				SecurityContext: &types.LinuxContainerSecurityContext{
+					NamespaceOptions: &types.NamespaceOption{
+						Network: types.NamespaceMode_NODE,
+						Ipc:     types.NamespaceMode_POD,
+						Pid:     types.NamespaceMode_CONTAINER,
+					},
+				},
+			},
+		}
+
+		sboxConfig := &types.PodSandboxConfig{}
+		sb := &sandbox.Sandbox{}
+		sb.AddManagedNamespaces(nsmgrtest.AllSpoofedNamespaces)
+
+		// When
+		Expect(sut.SetConfig(config, sboxConfig)).To(BeNil())
+		sut.Spec().ClearLinuxNamespaces()
+		Expect(sut.SpecAddNamespaces(sb)).To(BeNil())
+
+		// Then
+		spec := sut.Spec()
+		Expect(len(spec.Config.Linux.Namespaces)).To(Equal(len(nsmgrtest.AllSpoofedNamespaces) - 1))
+
+		for _, specNs := range spec.Config.Linux.Namespaces {
+			Expect(specNs.Type).NotTo(Equal(rspec.NetworkNamespace))
+		}
+	})
+	It("should drop PID if hostPID", func() {
+		// Given
+		config := &types.ContainerConfig{
+			Metadata: &types.ContainerMetadata{Name: "name"},
+			Linux: &types.LinuxContainerConfig{
+				SecurityContext: &types.LinuxContainerSecurityContext{
+					NamespaceOptions: &types.NamespaceOption{
+						Network: types.NamespaceMode_POD,
+						Ipc:     types.NamespaceMode_POD,
+						Pid:     types.NamespaceMode_NODE,
+					},
+				},
+			},
+		}
+
+		sboxConfig := &types.PodSandboxConfig{}
+		sb := &sandbox.Sandbox{}
+		sb.AddManagedNamespaces(nsmgrtest.AllSpoofedNamespaces)
+
+		// When
+		Expect(sut.SetConfig(config, sboxConfig)).To(BeNil())
+		sut.Spec().ClearLinuxNamespaces()
+		Expect(sut.SpecAddNamespaces(sb)).To(BeNil())
+
+		// Then
+		spec := sut.Spec()
+		Expect(len(spec.Config.Linux.Namespaces)).To(Equal(len(nsmgrtest.AllSpoofedNamespaces)))
+
+		for _, specNs := range spec.Config.Linux.Namespaces {
+			Expect(specNs.Type).NotTo(Equal(rspec.PIDNamespace))
+		}
+	})
+	It("should use pod PID", func() {
+		// Given
+		config := &types.ContainerConfig{
+			Metadata: &types.ContainerMetadata{Name: "name"},
+			Linux: &types.LinuxContainerConfig{
+				SecurityContext: &types.LinuxContainerSecurityContext{
+					NamespaceOptions: &types.NamespaceOption{
+						Network: types.NamespaceMode_POD,
+						Ipc:     types.NamespaceMode_POD,
+						Pid:     types.NamespaceMode_POD,
+					},
+				},
+			},
+		}
+
+		sboxConfig := &types.PodSandboxConfig{
+			Linux: &types.LinuxPodSandboxConfig{
+				SecurityContext: &types.LinuxSandboxSecurityContext{
+					NamespaceOptions: &types.NamespaceOption{
+						Network: types.NamespaceMode_POD,
+						Ipc:     types.NamespaceMode_POD,
+						Pid:     types.NamespaceMode_POD,
+					},
+				},
+			},
+		}
+		sb := &sandbox.Sandbox{}
+		infra, err := nsmgrtest.ContainerWithPid(os.Getpid())
+		Expect(err).To(BeNil())
+		Expect(sb.SetInfraContainer(infra)).To(BeNil())
+		sb.AddManagedNamespaces(nsmgrtest.AllSpoofedNamespaces)
+
+		// When
+		Expect(sut.SetConfig(config, sboxConfig)).To(BeNil())
+		sut.Spec().ClearLinuxNamespaces()
+		Expect(sut.SpecAddNamespaces(sb)).To(BeNil())
+
+		// Then
+		spec := sut.Spec()
+		Expect(len(spec.Config.Linux.Namespaces)).To(Equal(len(nsmgrtest.AllSpoofedNamespaces) + 1))
+
+		found := false
+		for _, specNs := range spec.Config.Linux.Namespaces {
+			if specNs.Type == rspec.PIDNamespace {
+				found = true
+			}
+		}
+		Expect(found).To(Equal(true))
+	})
+	It("should ignore if empty", func() {
+		// Given
+		config := &types.ContainerConfig{
+			Metadata: &types.ContainerMetadata{Name: "name"},
+			Linux: &types.LinuxContainerConfig{
+				SecurityContext: &types.LinuxContainerSecurityContext{
+					NamespaceOptions: &types.NamespaceOption{
+						Network: types.NamespaceMode_POD,
+						Ipc:     types.NamespaceMode_POD,
+						Pid:     types.NamespaceMode_CONTAINER,
+					},
+				},
+			},
+		}
+
+		sboxConfig := &types.PodSandboxConfig{}
+		sb := &sandbox.Sandbox{}
+		sb.AddManagedNamespaces([]nsmgr.Namespace{&nsmgrtest.SpoofedNamespace{
+			NsType:    nsmgr.IPCNS,
+			EmptyPath: true,
+		}})
+
+		// When
+		Expect(sut.SetConfig(config, sboxConfig)).To(BeNil())
+		sut.Spec().ClearLinuxNamespaces()
+		Expect(sut.SpecAddNamespaces(sb)).To(BeNil())
+
+		// Then
+		spec := sut.Spec()
+		Expect(len(spec.Config.Linux.Namespaces)).To(Equal(0))
+	})
+})
diff --git a/server/container_create_linux.go b/server/container_create_linux.go
@@ -482,36 +482,12 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 		return nil, err
 	}
 
-	// Join the namespace paths for the pod sandbox container.
-	if err := configureGeneratorGivenNamespacePaths(sb.NamespacePaths(), specgen); err != nil {
-		return nil, errors.Wrap(err, "failed to configure namespaces in container create")
-	}
-
-	if securityContext.NamespaceOptions.Pid == types.NamespaceMode_NODE {
-		// kubernetes PodSpec specify to use Host PID namespace
-		if err := specgen.RemoveLinuxNamespace(string(rspec.PIDNamespace)); err != nil {
-			return nil, err
-		}
-	} else if securityContext.NamespaceOptions.Pid == types.NamespaceMode_POD {
-		pidNsPath := sb.PidNsPath()
-		if pidNsPath == "" {
-			if sb.NamespaceOptions().Pid != types.NamespaceMode_POD {
-				return nil, errors.New("Pod level PID namespace requested for the container, but pod sandbox was not similarly configured, and does not have an infra container")
-			}
-			return nil, errors.New("PID namespace requested, but sandbox infra container unexpectedly invalid")
-		}
-
-		if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.PIDNamespace), pidNsPath); err != nil {
-			return nil, err
-		}
+	if err := ctr.SpecAddNamespaces(sb); err != nil {
+		return nil, err
 	}
 
 	// If the sandbox is configured to run in the host network, do not create a new network namespace
 	if hostNet {
-		if err := specgen.RemoveLinuxNamespace(string(rspec.NetworkNamespace)); err != nil {
-			return nil, err
-		}
-
 		if !isInCRIMounts("/sys", containerConfig.Mounts) {
 			ctr.SpecAddMount(rspec.Mount{
 				Destination: "/sys",
diff --git a/server/sandbox_run_linux.go b/server/sandbox_run_linux.go
@@ -25,6 +25,7 @@ import (
 	"github.com/cri-o/cri-o/internal/resourcestore"
 	ann "github.com/cri-o/cri-o/pkg/annotations"
 	libconfig "github.com/cri-o/cri-o/pkg/config"
+	ctrIface "github.com/cri-o/cri-o/pkg/container"
 	"github.com/cri-o/cri-o/pkg/sandbox"
 	"github.com/cri-o/cri-o/utils"
 	json "github.com/json-iterator/go"
@@ -1073,36 +1074,9 @@ func (s *Server) configureGeneratorForSandboxNamespaces(hostNetwork, hostIPC, ho
 
 	cleanupFuncs = append(cleanupFuncs, sb.RemoveManagedNamespaces)
 
-	if err := configureGeneratorGivenNamespacePaths(sb.NamespacePaths(), g); err != nil {
+	if err := ctrIface.ConfigureGeneratorGivenNamespacePaths(sb.NamespacePaths(), g); err != nil {
 		return cleanupFuncs, err
 	}
 
 	return cleanupFuncs, nil
 }
-
-// configureGeneratorGivenNamespacePaths takes a map of nsType -> nsPath. It configures the generator
-// to add or replace the defaults to these paths
-func configureGeneratorGivenNamespacePaths(managedNamespaces []*libsandbox.ManagedNamespace, g *generate.Generator) error {
-	typeToSpec := map[nsmgr.NSType]spec.LinuxNamespaceType{
-		nsmgr.IPCNS:  spec.IPCNamespace,
-		nsmgr.NETNS:  spec.NetworkNamespace,
-		nsmgr.UTSNS:  spec.UTSNamespace,
-		nsmgr.USERNS: spec.UserNamespace,
-	}
-
-	for _, ns := range managedNamespaces {
-		// allow for empty paths, as this namespace just shouldn't be configured
-		if ns.Path() == "" {
-			continue
-		}
-		nsForSpec := typeToSpec[ns.Type()]
-		if nsForSpec == "" {
-			return errors.Errorf("Invalid namespace type %s", nsForSpec)
-		}
-		err := g.AddOrReplaceLinuxNamespace(string(nsForSpec), ns.Path())
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}

Original file line number	Diff line number	Diff line change
`@@ -102,6 +102,9 @@ type Container interface {`
`102`	`102`	`// given the image information and passed-in container config`
`103`	`103`	`SpecSetProcessArgs(imageOCIConfig *v1.Image) error`
`104`	`104`
	`105`	`+ // SpecAddNamespaces sets the container's namespaces.`
	`106`	`+ SpecAddNamespaces(sb *sandbox.Sandbox) error`
	`107`	`+`
`105`	`108`	`// WillRunSystemd checks whether the process args`
`106`	`109`	`// are configured to be run as a systemd instance.`
`107`	`110`	`WillRunSystemd() bool`
`@@ -260,20 +263,20 @@ func (c container) Spec() generate.Generator {`
`260`	`263`	`}`
`261`	`264`
`262`	`265`	`// SetConfig sets the configuration to the container and validates it`
`263`		`-func (c container) SetConfig(config types.ContainerConfig, sboxConfig *types.PodSandboxConfig) error {`
	`266`	`+func (c container) SetConfig(cfg types.ContainerConfig, sboxConfig *types.PodSandboxConfig) error {`
`264`	`267`	`if c.config != nil {`
`265`	`268`	`return errors.New("config already set")`
`266`	`269`	`}`
`267`	`270`
`268`		`- if config == nil {`
	`271`	`+ if cfg == nil {`
`269`	`272`	`return errors.New("config is nil")`
`270`	`273`	`}`
`271`	`274`
`272`		`- if config.Metadata == nil {`
	`275`	`+ if cfg.Metadata == nil {`
`273`	`276`	`return errors.New("metadata is nil")`
`274`	`277`	`}`
`275`	`278`
`276`		`- if config.Metadata.Name == "" {`
	`279`	`+ if cfg.Metadata.Name == "" {`
`277`	`280`	`return errors.New("name is nil")`
`278`	`281`	`}`
`279`	`282`
`@@ -285,7 +288,7 @@ func (c container) SetConfig(config types.ContainerConfig, sboxConfig *types.P`
`285`	`288`	`return errors.New("sandbox config is already set")`
`286`	`289`	`}`
`287`	`290`
`288`		`- c.config = config`
	`291`	`+ c.config = cfg`
`289`	`292`	`c.sboxConfig = sboxConfig`
`290`	`293`	`return nil`
`291`	`294`	`}`