Merge pull request #14 from mikemccracken/2019-05-01/handle-namespaces

hallyn · web-flow · commit 05a9543d2cba · 2019-05-03T16:17:44.000-07:00
handle namespaces
diff --git a/cmd/create.go b/cmd/create.go
@@ -9,6 +9,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"time"
 
@@ -42,6 +43,17 @@ var createCmd = cli.Command{
 	},
 }
 
+// maps from CRIO namespace names to LXC names
+var NamespaceMap = map[string]string{
+	"cgroup":  "cgroup",
+	"ipc":     "ipc",
+	"mount":   "mnt",
+	"network": "net",
+	"pid":     "pid",
+	"user":    "user",
+	"uts":     "uts",
+}
+
 func ensureShell(rootfs string) {
 	shPath := filepath.Join(rootfs, "bin/sh")
 	if exists, _ := pathExists(shPath); exists {
@@ -80,6 +92,49 @@ exec $@
 	return ioutil.WriteFile(file, []byte(fifoWaiter), 0755)
 }
 
+func configureNamespaces(c *lxc.Container, spec *specs.Spec) error {
+	procPidPathRE := regexp.MustCompile(`/proc/(\d+)/ns`)
+
+	var nsToClone []string
+	var configVal string
+	seenNamespaceTypes := map[specs.LinuxNamespaceType]bool{}
+	for _, ns := range spec.Linux.Namespaces {
+		if _, ok := seenNamespaceTypes[ns.Type]; ok == true {
+			return fmt.Errorf("duplicate namespace type %s", ns.Type)
+		}
+		seenNamespaceTypes[ns.Type] = true
+		if ns.Path == "" {
+			nsToClone = append(nsToClone, NamespaceMap[string(ns.Type)])
+		} else {
+			configKey := fmt.Sprintf("lxc.namespace.share.%s", NamespaceMap[string(ns.Type)])
+
+			matches := procPidPathRE.FindStringSubmatch(ns.Path)
+			switch len(matches) {
+			case 0:
+				configVal = ns.Path
+			case 1:
+				return fmt.Errorf("error parsing namespace path. expected /proc/(\\d+)/ns/*, got '%s'", ns.Path)
+			case 2:
+				configVal = matches[1]
+			default:
+				return fmt.Errorf("error parsing namespace path. expected /proc/(\\d+)/ns/*, got '%s'", ns.Path)
+			}
+
+			if err := c.SetConfigItem(configKey, configVal); err != nil {
+				return errors.Wrapf(err, "failed to set namespace config: '%s'='%s'", configKey, configVal)
+			}
+		}
+	}
+
+	if len(nsToClone) > 0 {
+		configVal = strings.Join(nsToClone, " ")
+		if err := c.SetConfigItem("lxc.namespace.clone", configVal); err != nil {
+			return errors.Wrapf(err, "failed to set lxc.namespace.clone=%s", configVal)
+		}
+	}
+	return nil
+}
+
 func doCreate(ctx *cli.Context) error {
 	pidfile := ctx.String("pid-file")
 	containerID := ctx.Args().Get(0)
@@ -202,6 +257,10 @@ func configureContainer(ctx *cli.Context, c *lxc.Container, spec *specs.Spec) er
 		return errors.Wrap(err, "failed to set hook version")
 	}
 
+	if err := configureNamespaces(c, spec); err != nil {
+		return errors.Wrap(err, "failed to configure namespaces")
+	}
+
 	// capabilities?
 
 	// if !spec.Process.Terminal {
diff --git a/test/basic.bats b/test/basic.bats
@@ -15,4 +15,6 @@ function teardown() {
     podid=$(crictl pods | grep nginx-sandbox | awk '{ print $1 }')
     crictl create $podid test/basic-container-config.json test/basic-pod-config.json
     crictl ps -a | grep busybox
+    crictl stopp $podid
+    crictl rmp $podid
 }
diff --git a/test/helpers.bash b/test/helpers.bash
@@ -54,7 +54,7 @@ function crictl {
     # watch out for: https://github.com/kubernetes-sigs/cri-tools/issues/460
     # If you need more debug output, set CRICTLDEBUG to -D
     CRICTLDEBUG=""
-    $(which crictl) $(CRICTLDEBUG) --runtime-endpoint "$TEMP_DIR/crio.sock" $@
+    $(which crictl) ${CRICTLDEBUG} --runtime-endpoint "$TEMP_DIR/crio.sock" $@
     echo "$output"
 }
 
diff --git a/test/manual.bats b/test/manual.bats
@@ -5,13 +5,22 @@ function setup() {
     skopeo --insecure-policy copy docker://alpine:latest oci:$ROOT_DIR/test/oci-cache:alpine
     umoci unpack --image "$ROOT_DIR/test/oci-cache:alpine" "$TEMP_DIR/dest"
     sed -i -e "s?rootfs?$TEMP_DIR/dest/rootfs?" "$TEMP_DIR/dest/config.json"
+    sed -i -e "s?\"/bin/sh\"?\"/bin/sleep\",\n\"10\"?" "$TEMP_DIR/dest/config.json"
+    sed -i -e "s?\"type\": \"ipc\"?\"type\": \"ipc\",\n\"path\": \"/proc/1/ns/ipc\"?" "$TEMP_DIR/dest/config.json"
+
 }
 
 function teardown() {
     cleanup_tempdir
 }
 
 @test "manual invocation" {
-    crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" create --bundle "$TEMP_DIR/dest" alpine
+    crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" create --bundle "$TEMP_DIR/dest" --pid-file "$TEMP_DIR/pid" alpine
     crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" start alpine
+    pid1ipcnsinode=$(stat -L -c%i /proc/1/ns/ipc)
+    mypid=$(<"$TEMP_DIR/pid")
+    mypidipcnsinode=$(stat -L -c%i "/proc/$mypid/ns/ipc")
+    [ $pid1ipcnsinode = $mypidipcnsinode ]
+    crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" kill alpine
+    crio-lxc --debug --log-level trace --log-file "$TEMP_DIR/log" delete alpine
 }

Original file line number	Diff line number	Diff line change
`@@ -15,4 +15,6 @@ function teardown() {`
`15`	`15`	`podid=$(crictl pods \| grep nginx-sandbox \| awk '{ print $1 }')`
`16`	`16`	`crictl create $podid test/basic-container-config.json test/basic-pod-config.json`
`17`	`17`	`crictl ps -a \| grep busybox`
	`18`	`+ crictl stopp $podid`
	`19`	`+ crictl rmp $podid`
`18`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ function crictl {`
`54`	`54`	`# watch out for: https://github.com/kubernetes-sigs/cri-tools/issues/460`
`55`	`55`	`# If you need more debug output, set CRICTLDEBUG to -D`
`56`	`56`	`CRICTLDEBUG=""`
`57`		`- $(which crictl) $(CRICTLDEBUG) --runtime-endpoint "$TEMP_DIR/crio.sock" $@`
	`57`	`+ $(which crictl) ${CRICTLDEBUG} --runtime-endpoint "$TEMP_DIR/crio.sock" $@`
`58`	`58`	`echo "$output"`
`59`	`59`	`}`
`60`	`60`