Bind missing namespaces to host

We now bind all namespaces, independently if unshared or not. If a namespace is not being unshared, then we fallback to the host. Signed-off-by: Sascha Grunert <[email protected]>
containers · Jan 31, 2023 · 511228e · 511228e
1 parent ad9b838
commit 511228e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 19 deletions.
diff --git a/conmon-rs/server/src/pause.rs b/conmon-rs/server/src/pause.rs
@@ -19,7 +19,7 @@ use std::{
     path::{Path, PathBuf},
     process::{exit, Command},
 };
-use strum::{AsRefStr, Display, EnumIter, EnumString, IntoStaticStr};
+use strum::{AsRefStr, Display, EnumIter, EnumString, IntoEnumIterator, IntoStaticStr};
 use tracing::{debug, error, info};
 use uuid::Uuid;
 
@@ -165,7 +165,7 @@ impl Pause {
 
         Ok(Self {
             path,
-            namespaces,
+            namespaces: Namespace::iter().collect(),
             pid: Pid::from_raw(pid as pid_t),
         })
     }
@@ -182,30 +182,24 @@ impl Pause {
         uid_mappings: &[String],
         gid_mappings: &[String],
     ) -> Result<()> {
-        let mut namespaces = vec![];
         let mut flags = CloneFlags::empty();
         if ipc {
             flags.insert(CloneFlags::CLONE_NEWIPC);
-            namespaces.push(Namespace::Ipc);
         }
         if pid {
             flags.insert(CloneFlags::CLONE_NEWPID);
-            namespaces.push(Namespace::Pid);
         }
         if net {
             flags.insert(CloneFlags::CLONE_NEWNET);
-            namespaces.push(Namespace::Net);
         }
         if user {
             // CLONE_NEWNS is intentional here, because we need a new mount namespace for user
             // namespace handling as well. The CLONE_NEWUSER will be done before calling unshare
             // with the rest of the flags.
             flags.insert(CloneFlags::CLONE_NEWNS);
-            namespaces.push(Namespace::User);
         }
         if uts {
             flags.insert(CloneFlags::CLONE_NEWUTS);
-            namespaces.push(Namespace::Uts);
         }
 
         if !user {
@@ -262,7 +256,8 @@ impl Pause {
             _ => (),
         }
 
-        for namespace in namespaces {
+        // We bind all namespaces, if not unshared then we use the host namespace.
+        for namespace in Namespace::iter() {
             namespace.bind(path.as_ref()).context(format!(
                 "bind namespace to path: {}",
                 namespace.path(path).display(),

diff --git a/pkg/client/client_test.go b/pkg/client/client_test.go
@@ -553,19 +553,19 @@ var _ = Describe("ConmonClient", func() {
 			Expect(err).To(BeNil())
 			Expect(response).NotTo(BeNil())
 
-			Expect(len(response.Namespaces)).To(BeEquivalentTo(4))
+			Expect(len(response.Namespaces)).To(BeEquivalentTo(5))
 			Expect(response.Namespaces[0].Type).To(Equal(client.NamespaceIPC))
-			Expect(response.Namespaces[1].Type).To(Equal(client.NamespaceNet))
-			Expect(response.Namespaces[2].Type).To(Equal(client.NamespacePID))
-			Expect(response.Namespaces[3].Type).To(Equal(client.NamespaceUTS))
+			Expect(response.Namespaces[1].Type).To(Equal(client.NamespacePID))
+			Expect(response.Namespaces[2].Type).To(Equal(client.NamespaceNet))
+			Expect(response.Namespaces[3].Type).To(Equal(client.NamespaceUser))
+			Expect(response.Namespaces[4].Type).To(Equal(client.NamespaceUTS))
 
 			for _, ns := range response.Namespaces {
 				stat, err := os.Lstat(ns.Path)
 				Expect(err).To(BeNil())
 				Expect(stat.IsDir()).To(BeFalse())
 				Expect(stat.Size()).To(BeZero())
 				Expect(stat.Mode()).To(Equal(fs.FileMode(0o444)))
-				Expect(len(stat.Name())).To(BeEquivalentTo(3))
 			}
 		})
 
@@ -594,12 +594,11 @@ var _ = Describe("ConmonClient", func() {
 			Expect(response).NotTo(BeNil())
 
 			Expect(len(response.Namespaces)).To(BeEquivalentTo(5))
-
 			Expect(response.Namespaces[0].Type).To(Equal(client.NamespaceIPC))
-			Expect(response.Namespaces[1].Type).To(Equal(client.NamespaceNet))
-			Expect(response.Namespaces[2].Type).To(Equal(client.NamespacePID))
-			Expect(response.Namespaces[3].Type).To(Equal(client.NamespaceUTS))
-			Expect(response.Namespaces[4].Type).To(Equal(client.NamespaceUser))
+			Expect(response.Namespaces[1].Type).To(Equal(client.NamespacePID))
+			Expect(response.Namespaces[2].Type).To(Equal(client.NamespaceNet))
+			Expect(response.Namespaces[3].Type).To(Equal(client.NamespaceUser))
+			Expect(response.Namespaces[4].Type).To(Equal(client.NamespaceUTS))
 
 			for _, ns := range response.Namespaces {
 				stat, err := os.Lstat(ns.Path)