Fix problem copying files when container is in host pid namespace #10327
I guess we join the pidns to not break /proc?
LGTM
[APPROVALNOTIFIER] This PR is APPROVED.
This pull-request has been approved by: giuseppe, rhatdan.
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
||
func (c *Container) hostPidNS() (bool, error) { | ||
if c.config.PIDNsCtr != "" { | ||
return false, nil |
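Review bot: the early `return false, nil` for `c.config.PIDNsCtr != ""` assumes that a container sharing another container's PID namespace is never in the host PID namespace. If the referenced container was itself started with --pid=host, the caller would still attempt the join that the PR description says fails. Consider resolving the PIDNsCtr container and returning the result of its own hostPidNS() instead, or document why that case is deliberately left out.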
Technically, we could go further here, and call hostPidNS() on that container - it could potentially be a pid=host container that we joined the namespace of?
I don't know if this is particularly valuable though.
@rhatdan changes LGTM, but it appears you've a gofmt error somewhere.
9100e57 to e41a359
libpod/container_inspect.go
Outdated
@@ -890,3 +890,25 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named | |||
|
|||
return hostConfig, nil | |||
} | |||
|
|||
func (c *Container) hostPidNS() (bool, error) { |
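Review bot: hostPidNS() sits oddly in libpod/container_inspect.go directly after generateInspectContainerHostConfig(), since the PR description says the check exists for the copy path rather than for inspect. Consider placing it next to its caller, and give it a doc comment that states what a true result means and when the error is non-nil, so the (bool, error) contract is clear at the call site.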
I read hostPidNS() like it's returning the host's PID NS.
func (c *Container) hostPidNS() (bool, error) { | |
// Return true if the container is running in the host's PID NS. | |
func (c *Container) inHostPidNS() (bool, error) { |
LGTM
Still fighting with the test system on this one @rhatdan
@@ -91,6 +91,49 @@ var _ = Describe("Podman cp", func() { | |||
Expect(roundtripContent).To(Equal(originalContent)) | |||
}) | |||
|
|||
// Copy a file to the container, then back to the host in --pid=host | |||
It("podman cp --pid=host file", func() { |
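Review bot: the new `It("podman cp --pid=host file"` case names only the direct --pid=host path, while hostPidNS() also has a branch for containers that join another container's PID namespace (`c.config.PIDNsCtr != ""`). If the rest of this hunk does not already do so, add a podman cp round trip against such a container so that both outcomes of the check are exercised.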
To make ubuntu happy.
It("podman cp --pid=host file", func() { | |
It("podman cp --pid=host file", func() { | |
SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") |
When attempting to copy files into and out of running containers
within the host pid namespace, the code was attempting to join the
host pidns again, and getting an error. This was causing the podman
cp command to fail. Since we are already in the host pid namespace,
we should not be attempting to join. This PR adds a check to see if
the container is NOT in the host pid namespace, and only then attempts to
join.
Fixes: #9985
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
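
The rule in the description above (join the PID namespace only when the target is not already in the caller's one), as an added example that is not Podman's code. The PR's hostPidNS() inspects the container configuration (`c.config.PIDNsCtr` is visible in the diff); this example uses a different technique, comparing the `/proc/<pid>/ns/pid` link targets of the two processes. The names `nsID` and `needsPidNSJoin` and the `procRoot` parameter are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// nsID returns the namespace identity string (for example "pid:[4026531836]")
// that the kernel exposes as the target of <procRoot>/<pid>/ns/<kind>.
// procRoot is a parameter (assumption of this example) so tests can point it
// at a constructed directory instead of /proc.
func nsID(procRoot, pid, kind string) (string, error) {
	return os.Readlink(filepath.Join(procRoot, pid, "ns", kind))
}

// needsPidNSJoin reports whether a helper running as selfPid has to join the
// PID namespace of targetPid. Equal link targets mean both processes are
// already in the same namespace, so the join is skipped. Any read error is
// returned to the caller rather than being treated as "same namespace".
func needsPidNSJoin(procRoot, selfPid, targetPid string) (bool, error) {
	self, err := nsID(procRoot, selfPid, "pid")
	if err != nil {
		return false, fmt.Errorf("reading own pid namespace: %w", err)
	}
	target, err := nsID(procRoot, targetPid, "pid")
	if err != nil {
		return false, fmt.Errorf("reading target pid namespace: %w", err)
	}
	return self != target, nil
}

func main() {
	// Hypothetical usage on a Linux host: compare this process with PID 1.
	// Reading another process's ns links needs sufficient privileges.
	join, err := needsPidNSJoin("/proc", "self", "1")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot decide:", err)
		os.Exit(1)
	}
	fmt.Println("join target pid namespace:", join)
}
```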