containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8960 from giuseppe/bridge-no-post-config 

network: disallow CNI networks with user namespaces
This commit is contained in:
OpenShift Merge Robot 2021-01-13 14:28:20 -05:00 committed by GitHub
parent b2b14235aa ee684667a6
commit bbff9c8710
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/specgen/generate/namespaces.go
View File

@ -236,6 +236,9 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
case specgen.Private: case specgen.Private:
fallthrough fallthrough
case specgen.Bridge: case specgen.Bridge:
if postConfigureNetNS && rootless.IsRootless() {
return nil, errors.New("CNI networks not supported with user namespaces")
}
portMappings, err := createPortMappings(ctx, s, img) portMappings, err := createPortMappings(ctx, s, img)
if err != nil { if err != nil {
return nil, err return nil, err

22
test/e2e/run_networking_test.go
View File

@ -622,7 +622,7 @@ var _ = Describe("Podman run networking", func() {
It("podman run in custom CNI network with --static-ip", func() { It("podman run in custom CNI network with --static-ip", func() {
SkipIfRootless("Rootless mode does not support --ip") SkipIfRootless("Rootless mode does not support --ip")
netName := "podmantestnetwork" netName := stringid.GenerateNonCryptoID()
ipAddr := "10.25.30.128" ipAddr := "10.25.30.128"
create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.30.0/24", netName}) create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.30.0/24", netName})
create.WaitWithDefaultTimeout() create.WaitWithDefaultTimeout()
@ -639,9 +639,27 @@ var _ = Describe("Podman run networking", func() {
Expect(create.ExitCode()).To(BeZero()) Expect(create.ExitCode()).To(BeZero())
}) })
It("podman rootless fails custom CNI network with --uidmap", func() {
SkipIfNotRootless("The configuration works with rootless")
netName := stringid.GenerateNonCryptoID()
create := podmanTest.Podman([]string{"network", "create", netName})
create.WaitWithDefaultTimeout()
Expect(create.ExitCode()).To(BeZero())
defer podmanTest.removeCNINetwork(netName)
run := podmanTest.Podman([]string{"run", "--rm", "--net", netName, "--uidmap", "0:1:4096", ALPINE, "true"})
run.WaitWithDefaultTimeout()
Expect(run.ExitCode()).To(Equal(125))
remove := podmanTest.Podman([]string{"network", "rm", netName})
remove.WaitWithDefaultTimeout()
Expect(remove.ExitCode()).To(BeZero())
})
It("podman run with new:pod and static-ip", func() { It("podman run with new:pod and static-ip", func() {
SkipIfRootless("Rootless does not support --ip") SkipIfRootless("Rootless does not support --ip")
netName := "podmantestnetwork2" netName := stringid.GenerateNonCryptoID()
ipAddr := "10.25.40.128" ipAddr := "10.25.40.128"
podname := "testpod" podname := "testpod"
create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.40.0/24", netName}) create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.40.0/24", netName})