Merge pull request #24024 from Luap99/netns-dir

libpod: setupNetNS() correctly mount netns
containers · Sep 20, 2024 · 2f44b16 · 2f44b16 · packit-as-a-service · Sep 20, 2024
2 parents f7be7a3 + 7927961
commit 2f44b16
Show file tree

Hide file tree

Showing 13 changed files with 358 additions and 106 deletions.
diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0
 	github.com/containernetworking/plugins v1.5.1
 	github.com/containers/buildah v1.37.0
-	github.com/containers/common v0.60.1-0.20240918122915-db8145750e1d
+	github.com/containers/common v0.60.1-0.20240920125326-ff6611ae40ad
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.7.5
 	github.com/containers/image/v5 v5.32.1-0.20240806084436-e3e9287ca8e6

diff --git a/go.sum b/go.sum
@@ -81,8 +81,8 @@ github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+
 github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
 github.com/containers/buildah v1.37.0 h1:jvHwu1vIwIqnHyOSg9eef9Apdpry+5oWLrm43gdf8Rk=
 github.com/containers/buildah v1.37.0/go.mod h1:MKd79tkluMf6vtH06SedhBQK5OB7E0pFVIuiTTw3dJk=
-github.com/containers/common v0.60.1-0.20240918122915-db8145750e1d h1:AAEZbfeh92xKohiQoEk6sx+e/8OLIXzIElJ7H69cxVg=
-github.com/containers/common v0.60.1-0.20240918122915-db8145750e1d/go.mod h1:CPKbz94MP7eKS5LdkBZbcDbQgAHncjogq/hYY9r4Spw=
+github.com/containers/common v0.60.1-0.20240920125326-ff6611ae40ad h1:Ida4yFcnk+xGPynWR267zGGUddWTfpAVMSzo6PhjPFQ=
+github.com/containers/common v0.60.1-0.20240920125326-ff6611ae40ad/go.mod h1:UjxkwBehRqlASg/duCPlXbsc2hu5y+iYwUt+8/N4w+8=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.7.5 h1:bTy4u3DOmmUPwurL6me2rsgfypAFDhyeJleUcQmBR/E=

diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
@@ -3,11 +3,8 @@
 package libpod
 
 import (
-	"crypto/rand"
 	"fmt"
 	"net"
-	"os"
-	"path/filepath"
 
 	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/containers/common/libnetwork/types"
@@ -17,7 +14,6 @@ import (
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
-	"golang.org/x/sys/unix"
 )
 
 // Create and configure a new network namespace for a container
@@ -104,33 +100,10 @@ func (r *Runtime) createNetNS(ctr *Container) (n string, q map[string]types.Stat
 // Configure the network namespace using the container process
 func (r *Runtime) setupNetNS(ctr *Container) error {
 	nsProcess := fmt.Sprintf("/proc/%d/ns/net", ctr.state.PID)
-
-	b := make([]byte, 16)
-
-	if _, err := rand.Reader.Read(b); err != nil {
-		return fmt.Errorf("failed to generate random netns name: %w", err)
-	}
-	nsPath, err := netns.GetNSRunDir()
-	if err != nil {
-		return err
-	}
-	nsPath = filepath.Join(nsPath, fmt.Sprintf("netns-%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]))
-
-	if err := os.MkdirAll(filepath.Dir(nsPath), 0711); err != nil {
-		return err
-	}
-
-	mountPointFd, err := os.Create(nsPath)
+	nsPath, err := netns.NewNSFrom(nsProcess)
 	if err != nil {
 		return err
 	}
-	if err := mountPointFd.Close(); err != nil {
-		return err
-	}
-
-	if err := unix.Mount(nsProcess, nsPath, "none", unix.MS_BIND, ""); err != nil {
-		return fmt.Errorf("cannot mount %s: %w", nsPath, err)
-	}
 
 	networkStatus, err := r.configureNetNS(ctr, nsPath)
 

diff --git a/test/system/550-pause-process.bats b/test/system/550-pause-process.bats
@@ -149,3 +149,22 @@ function _check_pause_process() {
 
     run_podman rm -f -t0 $cname1
 }
+
+# regression test for https://issues.redhat.com/browse/RHEL-59620
+@test "rootless userns can unmount netns properly" {
+    skip_if_not_rootless "pause process is only used as rootless"
+    skip_if_remote "system migrate not supported via remote"
+
+    # Use podman system migrate to stop the currently running pause process
+    run_podman system migrate
+
+    # First run a container with a custom userns as this uses different netns setup logic.
+    local cname=c-$(safename)
+    run_podman run --userns keep-id --name $cname -d $IMAGE sleep 100
+
+    # Now run a "normal" container without userns
+    run_podman run --rm $IMAGE true
+
+    # This used to hang trying to unmount the netns.
+    run_podman rm -f -t0 $cname
+}
diff --git a/vendor/github.com/containers/common/libimage/copier.go b/vendor/github.com/containers/common/libimage/copier.go
diff --git a/vendor/github.com/containers/common/libimage/import.go b/vendor/github.com/containers/common/libimage/import.go
diff --git a/vendor/github.com/containers/common/libimage/manifest_list.go b/vendor/github.com/containers/common/libimage/manifest_list.go