InTheForest/moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2026-01-11 18:51:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

daemon: WithNamespaces(): add notes about user-namespaces

Browse Source 
While working on this code, I noticed that there's currently an issue
with userns enabled. When userns is enabled, joining another container's
namespace must also join its user-namespace.

However, a container can only be in a single user namespace, so if a
container joins namespaces from multiple containers, latter user-namespaces
overwrite former ones.

We must add validation for this, but in the meantime, add notes / todo's.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
2023-08-12 21:37:41 +02:00
parent dd26e6b15e
commit 04422f5ec1
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
daemon/oci_linux.go
View File

@@ -268,6 +268,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
})
if userNS {
// to share a net namespace, the containers must also share a user namespace.
//
// FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
setNamespace(s, specs.LinuxNamespace{
Type: specs.UserNamespace,
Path: fmt.Sprintf("/proc/%d/ns/user", nc.State.GetPID()),
@@ -302,6 +304,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
})
if userNS {
// to share a IPC namespace, the containers must also share a user namespace.
//
// FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
setNamespace(s, specs.LinuxNamespace{
Type: specs.UserNamespace,
Path: fmt.Sprintf("/proc/%d/ns/user", ic.State.GetPID()),
@@ -336,6 +340,8 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
})
if userNS {
// to share a PID namespace, the containers must also share a user namespace.
//
// FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210
setNamespace(s, specs.LinuxNamespace{
Type: specs.UserNamespace,
Path: fmt.Sprintf("/proc/%d/ns/user", pc.State.GetPID()),