| 226 | |
| 227 | // WithNamespaces sets the container's namespaces |
| 228 | func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts { |
| 229 | return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error { |
| 230 | userNS := false |
| 231 | // user |
| 232 | if c.HostConfig.UsernsMode.IsPrivate() { |
| 233 | if uidMap := daemon.idMapping.UIDMaps; uidMap != nil { |
| 234 | userNS = true |
| 235 | setNamespace(s, specs.LinuxNamespace{ |
| 236 | Type: specs.UserNamespace, |
| 237 | }) |
| 238 | s.Linux.UIDMappings = specMapping(uidMap) |
| 239 | s.Linux.GIDMappings = specMapping(daemon.idMapping.GIDMaps) |
| 240 | } |
| 241 | } |
| 242 | // network |
| 243 | if !c.Config.NetworkDisabled { |
| 244 | networkMode := c.HostConfig.NetworkMode |
| 245 | switch { |
| 246 | case networkMode.IsContainer(): |
| 247 | nc, err := daemon.getNetworkedContainer(c.ID, networkMode.ConnectedContainer()) |
| 248 | if err != nil { |
| 249 | return err |
| 250 | } |
| 251 | setNamespace(s, specs.LinuxNamespace{ |
| 252 | Type: specs.NetworkNamespace, |
| 253 | Path: fmt.Sprintf("/proc/%d/ns/net", nc.State.GetPID()), |
| 254 | }) |
| 255 | if userNS { |
| 256 | // to share a net namespace, the containers must also share a user namespace. |
| 257 | // |
| 258 | // FIXME(thaJeztah): this will silently overwrite an earlier user namespace when joining multiple containers: https://github.com/moby/moby/issues/46210 |
| 259 | setNamespace(s, specs.LinuxNamespace{ |
| 260 | Type: specs.UserNamespace, |
| 261 | Path: fmt.Sprintf("/proc/%d/ns/user", nc.State.GetPID()), |
| 262 | }) |
| 263 | } |
| 264 | case networkMode.IsHost(): |
| 265 | oci.RemoveNamespace(s, specs.NetworkNamespace) |
| 266 | default: |
| 267 | setNamespace(s, specs.LinuxNamespace{ |
| 268 | Type: specs.NetworkNamespace, |
| 269 | }) |
| 270 | } |
| 271 | } |
| 272 | |
| 273 | // Remove time-namespace if not supported. We can remove this once we |
| 274 | // drop support for kernel < 5.6. |
| 275 | sysInfo, err := daemon.RawSysInfo() |
| 276 | if err != nil { |
| 277 | return errdefs.System(err) |
| 278 | } |
| 279 | if !sysInfo.TimeNamespaces { |
| 280 | oci.RemoveNamespace(s, specs.TimeNamespace) |
| 281 | } |
| 282 | |
| 283 | // ipc |
| 284 | ipcMode := c.HostConfig.IpcMode |
| 285 | if !ipcMode.Valid() { |