"podman play kube" pod shared namespace

[ADIX7]

/kind feature

Add option to yaml used by podman play kube to set shared linux namespaces for pod like --share in podman create pod --share ...

[phlogistonjohn]

As a coincidence I was researching some similar stuff and according to what I read the net & ipc namespace should already be shared in a kubernetes style pod. podman generate kube generates shareProcessNamespace: true for me and the application I am working with doesn't start up correctly when the daemons are in different pid namespaces so it appears to be working for me. :-)

[mheon]

Concur, I think this is implemented already. We support shareProcessNamespace, both generating and playing. Did you want something more?

[phlogistonjohn]

Actually, I may have spoken too soon as my test is now failing in the way it was when I lacked shared net namespace. So I can say with more confidence that shareProcessNamespace works, but am unsure that net/ipc are shared by default when running "play kube" (as I assume they should be)

[ADIX7]

Oh, I haven't found any blog post nor any test in podman github repo about shareProcessNamespace :\ It does indeed work.

On the other hand, as @phlogistonjohn pointed out if you specify shareProcessNamespace the other namespaces won't be shared. I did a little test.

I created a pod and a container. (Note that --share cgroup,ipc,net,uts is the default so I effectively added pid beside the defaults)

podman pod create -n testpod1 --share cgroup,ipc,net,uts,pid
podman create --pod testpod1 --name nginx nginx

Inspecting it (podman pod inspect testpod1) I got:

{                                                                      
     "Id": "7662c8c39af269ff71f0a79216bf4e9884cd3e924e9734721df1f1cc962bcc71",
     "Name": "testpod1",                                               
     "Created": "2021-01-28T08:19:19.227768003+01:00",                 
     "CreateCommand": [                                                
          "podman",                                                    
          "pod",                                                       
          "create",                                                    
          "-n",                                                        
          "testpod1",                                                  
          "--share",                                                                                                                          
          "cgroup,ipc,net,uts,pid"                                     
     ],                                                                
     "State": "Created",                                               
     "Hostname": "testpod1",                                           
     "CreateCgroup": true,                                             
     "CgroupParent": "/libpod_parent",                                 
     "CgroupPath": "/libpod_parent/7662c8c39af269ff71f0a79216bf4e9884cd3e924e9734721df1f1cc962bcc71",
     "CreateInfra": true,                                              
     "InfraContainerID": "9d5035e7ec98fb4bb82bfb263d836e42f8f559529cf96c06ad1d66c7cadf3d12",
     "InfraConfig": {                                                  
          "PortBindings": {                                            
                                                                       
          },                                                           
          "HostNetwork": false,                                        
          "StaticIP": "",                                              
          "StaticMAC": "",                                             
          "NoManageResolvConf": false,
          "DNSServer": null,                                           
          "DNSSearch": null,                                           
          "DNSOption": null,                                           
          "NoManageHosts": false,                                      
          "HostAdd": null,                                             
          "Networks": null,                                            
          "NetworkOptions": null                                       
     },                                                                
     "SharedNamespaces": [                                             
          "pid",                                                       
          "ipc",                                                       
          "net",                                                       
          "uts"                                                        
     ],                                                                
     "NumContainers": 2,                                               
     "Containers": [                                                   
          {                                                            
               "Id": "25b10ad719511828c6918406959f3abb411ced9947dedcc8a2ed2c6e33145f86",
               "Name": "nginx",                                        
               "State": "configured"
          },                                                           
          {                                                            
               "Id": "9d5035e7ec98fb4bb82bfb263d836e42f8f559529cf96c06ad1d66c7cadf3d12",
               "Name": "7662c8c39af2-infra",
               "State": "configured"
          }                                                            
     ]                                                                 
}

After this I generated a yaml file (podman generate kube testpod1 > pod_playkube.yaml) deleted the pod and replayed the yaml (podman play kube pod_playkube.yaml). Inspecting it again:

{
     "Id": "c151c88a890b0012489c448c25dec81ec9dd23aced2a3a792b83aaeeac769bdf",
     "Name": "testpod1",
     "Created": "2021-01-28T08:32:51.318015594+01:00",
     "State": "Running",
     "Hostname": "testpod1",
     "Labels": {
          "app": "testpod1"
     },
     "CreateCgroup": true,
     "CgroupParent": "/libpod_parent",
     "CgroupPath": "/libpod_parent/c151c88a890b0012489c448c25dec81ec9dd23aced2a3a792b83aaeeac769bdf",
     "CreateInfra": true,
     "InfraContainerID": "f94d2b5ad847db64986ef290d315efcef9307b2c16a46c24cae6731ca3a8340f",
     "InfraConfig": {
          "PortBindings": {
               
          },
          "HostNetwork": false,
          "StaticIP": "",
          "StaticMAC": "",
          "NoManageResolvConf": false,
          "DNSServer": null,
          "DNSSearch": null,
          "DNSOption": null,
          "NoManageHosts": false,
          "HostAdd": null,
          "Networks": null,
          "NetworkOptions": null
     },
     "SharedNamespaces": [
          "pid"
     ],
     "NumContainers": 2,
     "Containers": [
          {
               "Id": "883a1be3c1a36b8f7878e9869c606ace4eaf5bb8f1da99c093ce718464ce33f8",
               "Name": "testpod1-nginx",
               "State": "running"
          },
          {
               "Id": "f94d2b5ad847db64986ef290d315efcef9307b2c16a46c24cae6731ca3a8340f",
               "Name": "c151c88a890b-infra",
               "State": "running"
          }
     ]
}

As you can see after the replay only the pid namespace is shared, the default ipc, net and uts are not.

[mheon]

OK, that's a pretty serious bug.

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[phlogistonjohn]

The stale bot above got me to peek at this again and I noticed that it's tagged as a feature but sounds more like a bug, as @mheon notes above. Perhaps this should be retagged?

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[flouthoc]

@mheon @rhatdan Following issue persists in latest build as well. I believe this should fix stuff #10268

[flouthoc]

@rhatdan @mheon Could we close this please this has been fixed in lastest build via #10268

[bogdando]

Is there an option to use pre-created (unshared) cgroup,ipc,net,uts,pid etc namespaces to call an equivalent of podman pod create -n testpod1 --share cgroup,ipc,net,uts,pid but via podman-py?

[rhatdan]

Better off asking that question at podman-py, I don't know.