IPCMode default mode should be sharable not private

Docker defined --ipc=private to mean that the container's IPC Namespace can NOT be shared with another container. While --ipc=shareable can, which is our current default. Docker also defines "none" which means the container runs in a IPC namespace but does NOT mount a /dev/shm. "Host" means the container runs in the host namespace, and container:UUID means run new container in other containers namespace. ns:PATH means run in the namepsace designated in PATH.2 This Patch, fixes containers/common to reflect the correct default. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-03-21 14:48:22 -04:00 · 2022-03-21 14:48:22 -04:00 · 54be5eba7e
parent ef489d60fa
commit 54be5eba7e
4 changed files with 12 additions and 7 deletions
--- a/common/docs/containers.conf.5.md
+++ b/common/docs/containers.conf.5.md
@ -162,12 +162,14 @@ Path to the container-init binary, which forwards signals and reaps processes
 within containers. Note that the container-init binary will only be used when
 the `--init` for podman-create and podman-run is set.

-**ipcns**="private"
+**ipcns**="shareable"

 Default way to to create a IPC namespace for the container.
 Options are:
-  `private` Create private IPC Namespace for the container.
-  `host`    Share host IPC Namespace with the container.
+  `host`     Share host IPC Namespace with the container.
+  `none`     Create shareable IPC Namespace for the container without a private /dev/shm.
+  `private`  Create private IPC Namespace for the container, other containers are not allowed to share it.
+  `shareable` Create shareable IPC Namespace for the container.

 **keyring**=true

--- a/common/pkg/config/config_test.go
+++ b/common/pkg/config/config_test.go
@ -30,6 +30,7 @@ var _ = Describe("Config", func() {
 			gomega.Expect(defaultConfig.Containers.PidsLimit).To(gomega.BeEquivalentTo(2048))
 			gomega.Expect(defaultConfig.Engine.ServiceTimeout).To(gomega.BeEquivalentTo(5))
 			gomega.Expect(defaultConfig.NetNS()).To(gomega.BeEquivalentTo("private"))
+			gomega.Expect(defaultConfig.IPCNS()).To(gomega.BeEquivalentTo("shareable"))
 			gomega.Expect(defaultConfig.Engine.InfraImage).To(gomega.BeEquivalentTo(""))
 			path, err := defaultConfig.ImageCopyTmpDir()
 			gomega.Expect(err).To(gomega.BeNil())
--- a/common/pkg/config/containers.conf
+++ b/common/pkg/config/containers.conf
@ -133,10 +133,12 @@ default_sysctls = [

 # Default way to to create an IPC namespace (POSIX SysV IPC) for the container
 # Options are:
-# `private` Create private IPC Namespace for the container.
-# `host`    Share host IPC Namespace with the container.
+#  "host"     Share host IPC Namespace with the container.
+#  "none"     Create shareable IPC Namespace for the container without a private /dev/shm.
+#  "private"  Create private IPC Namespace for the container, other containers are not allowed to share it.
+#  "shareable" Create shareable IPC Namespace for the container.
 #
-#ipcns = "private"
+#ipcns = "shareable"

 # keyring tells the container engine whether to create
 # a kernel keyring for use within the container.
--- a/common/pkg/config/default.go
+++ b/common/pkg/config/default.go
@ -205,7 +205,7 @@ func DefaultConfig() (*Config, error) {
 			HTTPProxy:  true,
 			Init:       false,
 			InitPath:   "",
-			IPCNS:      "private",
+			IPCNS:      "shareable",
 			LogDriver:  defaultLogDriver(),
 			LogSizeMax: DefaultLogSizeMax,
 			NetNS:      "private",