Merge pull request #24039 from Luap99/v5.2-rhel
[v5.2-rhel] Fix netns mounting with userns
openshift-merge-bot[bot] authored Sep 23, 2024
2 parents c10f007 + 74ef32a commit 5f2c188
Showing 7 changed files with 142 additions and 70 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -13,7 +13,7 @@ require (
github.com/checkpoint-restore/go-criu/v7 v7.1.0
github.com/containernetworking/plugins v1.5.1
github.com/containers/buildah v1.37.2
github.com/containers/common v0.60.2
github.com/containers/common v0.60.3
github.com/containers/conmon v2.0.20+incompatible
github.com/containers/gvisor-tap-vsock v0.7.4
github.com/containers/image/v5 v5.32.2
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -79,8 +79,8 @@ github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+
github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
github.com/containers/buildah v1.37.2 h1:KiJ3jVNUvdtGORxDz8fjjLkR81ZHQZIfnGWJWavks40=
github.com/containers/buildah v1.37.2/go.mod h1:alFCM3X0xfhE6ZjsFQkUlOMyKzOnbv9FL9fe1Ho48PA=
github.com/containers/common v0.60.2 h1:utcwp2YkO8c0mNlwRxsxfOiqfj157FRrBjxgjR6f+7o=
github.com/containers/common v0.60.2/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
github.com/containers/common v0.60.3 h1:pToT7gtFx/KWyMtWw98g4pIbW54i9KfGH2QrdN2s1io=
github.com/containers/common v0.60.3/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/gvisor-tap-vsock v0.7.4 h1:iOtr/KEi+r599OOx1+9Qbss91jD5yxh1HO35MKTdths=
29 changes: 1 addition & 28 deletions libpod/networking_linux.go
Expand Up @@ -3,11 +3,8 @@
package libpod

import (
"crypto/rand"
"fmt"
"net"
"os"
"path/filepath"

"github.com/containernetworking/plugins/pkg/ns"
"github.com/containers/common/libnetwork/types"
Expand All @@ -17,7 +14,6 @@ import (
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
"github.com/vishvananda/netlink"
"golang.org/x/sys/unix"
)

// Create and configure a new network namespace for a container
Expand Down Expand Up @@ -104,33 +100,10 @@ func (r *Runtime) createNetNS(ctr *Container) (n string, q map[string]types.Stat
// Configure the network namespace using the container process
func (r *Runtime) setupNetNS(ctr *Container) error {
nsProcess := fmt.Sprintf("/proc/%d/ns/net", ctr.state.PID)

b := make([]byte, 16)

if _, err := rand.Reader.Read(b); err != nil {
return fmt.Errorf("failed to generate random netns name: %w", err)
}
nsPath, err := netns.GetNSRunDir()
if err != nil {
return err
}
nsPath = filepath.Join(nsPath, fmt.Sprintf("netns-%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]))

if err := os.MkdirAll(filepath.Dir(nsPath), 0711); err != nil {
return err
}

mountPointFd, err := os.Create(nsPath)
nsPath, err := netns.NewNSFrom(nsProcess)
if err != nil {
return err
}
if err := mountPointFd.Close(); err != nil {
return err
}

if err := unix.Mount(nsProcess, nsPath, "none", unix.MS_BIND, ""); err != nil {
return fmt.Errorf("cannot mount %s: %w", nsPath, err)
}

networkStatus, err := r.configureNetNS(ctr, nsPath)

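Review bot: The error from `netns.NewNSFrom(nsProcess)` on the new line is returned bare by the unchanged `if err != nil { return err }` below it, so a failure no longer says which process namespace path was involved, whereas the removed mount branch wrapped its error with the path. `fmt` is still imported, so `return fmt.Errorf("creating netns for %s: %w", nsProcess, err)` would keep that context. The directory creation with mode `0711` and the bind mount are now delegated to the vendored netns package, whose netns_linux.go hunk is not rendered on this page, so whether the new helper preserves those semantics cannot be checked here; a one-line comment such as `// NewNSFrom is expected to bind-mount the container's /proc/PID/ns/net under the netns run dir so it outlives the process` would record that assumption for the next reader. setupNetNS continues past the end of this hunk.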
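--- a/test/system/550-pause-process.bats
+++ b/test/system/550-pause-process.bats
@@ -149,3 +149,22 @@ function _check_pause_process()
 
 run_podman rm -f -t0 $cname1
 }
+
+# regression test for https://issues.redhat.com/browse/RHEL-59620
+@test "rootless userns can unmount netns properly" {
+skip_if_not_rootless "pause process is only used as rootless"
+skip_if_remote "system migrate not supported via remote"
+
+# Use podman system migrate to stop the currently running pause process
+run_podman system migrate
+
+# First run a container with a custom userns as this uses different netns setup logic.
+local cname=c-$(safename)
+run_podman run --userns keep-id --name $cname -d $IMAGE sleep 100
+
+# Now run a "normal" container without userns
+run_podman run --rm $IMAGE true
+
+# This used to hang trying to unmount the netns.
+run_podman rm -f -t0 $cname
+}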
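Review bot: The new test checks only that `run_podman rm -f -t0 $cname` returns; it does not confirm that the netns mount was actually removed, so a regression that leaves a stale bind mount without hanging would still pass. Since the failure mode is a hang, a regression would stall the suite rather than fail it unless the run_podman helper already enforces a timeout, which is not visible on this page. Adding a check after the `rm` that the netns run directory holds no entry left over from the removed container would pin the behavior the commit message describes.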
154 changes: 117 additions & 37 deletions vendor/github.com/containers/common/pkg/netns/netns_linux.go


2 changes: 1 addition & 1 deletion vendor/github.com/containers/common/version/version.go


2 changes: 1 addition & 1 deletion vendor/modules.txt
Expand Up @@ -170,7 +170,7 @@ github.com/containers/buildah/pkg/sshagent
github.com/containers/buildah/pkg/util
github.com/containers/buildah/pkg/volumes
github.com/containers/buildah/util
# github.com/containers/common v0.60.2
# github.com/containers/common v0.60.3
## explicit; go 1.21.0
github.com/containers/common/internal
github.com/containers/common/internal/attributedstring
