Add rootless support for cni and --uidmap

This is supported with the new rootless cni logic. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
2021-02-18 14:53:53 +01:00 · 2021-02-18 14:53:53 +01:00 · 00b2ec5e6f
parent 54b588c07d
commit 00b2ec5e6f
4 changed files with 18 additions and 16 deletions
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@ -966,9 +966,7 @@ func (c *Container) completeNetworkSetup() error {
 	if err := c.syncContainer(); err != nil {
 		return err
 	}
-	if rootless.IsRootless() {
-		return c.runtime.setupRootlessNetNS(c)
-	} else if c.config.NetMode.IsSlirp4netns() {
+	if c.config.NetMode.IsSlirp4netns() {
 		return c.runtime.setupSlirp4netns(c)
 	}
 	if err := c.runtime.setupNetNS(c); err != nil {
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@ -972,8 +972,11 @@ func (r *Runtime) setupNetNS(ctr *Container) error {
 	if _, err := rand.Reader.Read(b); err != nil {
 		return errors.Wrapf(err, "failed to generate random netns name")
 	}
-
-	nsPath := fmt.Sprintf("/run/netns/cni-%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
+	nsPath, err := netns.GetNSRunDir()
+	if err != nil {
+		return err
+	}
+	nsPath = filepath.Join(nsPath, fmt.Sprintf("cni-%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]))

 	if err := os.MkdirAll(filepath.Dir(nsPath), 0711); err != nil {
 		return err
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@ -236,9 +236,6 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 	case specgen.Private:
 		fallthrough
 	case specgen.Bridge:
-		if postConfigureNetNS && rootless.IsRootless() {
-			return nil, errors.New("CNI networks not supported with user namespaces")
-		}
 		portMappings, err := createPortMappings(ctx, s, img)
 		if err != nil {
 			return nil, err
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
@ -641,22 +641,26 @@ var _ = Describe("Podman run networking", func() {
 		Expect(run.OutputToString()).To(ContainSubstring(ipAddr))
 	})

-	It("podman rootless fails custom CNI network with --uidmap", func() {
-		SkipIfNotRootless("The configuration works with rootless")
-
+	It("podman cni network works across user ns", func() {
 		netName := stringid.GenerateNonCryptoID()
 		create := podmanTest.Podman([]string{"network", "create", netName})
 		create.WaitWithDefaultTimeout()
 		Expect(create.ExitCode()).To(BeZero())
 		defer podmanTest.removeCNINetwork(netName)

-		run := podmanTest.Podman([]string{"run", "--rm", "--net", netName, "--uidmap", "0:1:4096", ALPINE, "true"})
+		name := "nc-server"
+		run := podmanTest.Podman([]string{"run", "-d", "--name", name, "--net", netName, ALPINE, "nc", "-l", "-p", "8080"})
 		run.WaitWithDefaultTimeout()
-		Expect(run.ExitCode()).To(Equal(125))
+		Expect(run.ExitCode()).To(Equal(0))

-		remove := podmanTest.Podman([]string{"network", "rm", netName})
-		remove.WaitWithDefaultTimeout()
-		Expect(remove.ExitCode()).To(BeZero())
+		run = podmanTest.Podman([]string{"run", "--rm", "--net", netName, "--uidmap", "0:1:4096", ALPINE, "sh", "-c", fmt.Sprintf("echo podman | nc -w 1 %s.dns.podman 8080", name)})
+		run.WaitWithDefaultTimeout()
+		Expect(run.ExitCode()).To(Equal(0))
+
+		log := podmanTest.Podman([]string{"logs", name})
+		log.WaitWithDefaultTimeout()
+		Expect(log.ExitCode()).To(Equal(0))
+		Expect(log.OutputToString()).To(Equal("podman"))
 	})

 	It("podman run with new:pod and static-ip", func() {