patch for pod host networking & other host namespace handling

this patch included additonal host namespace checks when creating a ctr as well
as fixing of the tests to check /proc/self/ns/net

see #14461

Signed-off-by: cdoern <cdoern@redhat.com>

libpod/pod.go

@@ -178,8 +178,8 @@ func (p *Pod) NetworkMode() string {
 	return infra.NetworkMode()
 }
 
-// PidMode returns the PID mode given by the user ex: pod, private...
-func (p *Pod) PidMode() string {
+// Namespace Mode returns the given NS mode provided by the user ex: host, private...
+func (p *Pod) NamespaceMode(kind specs.LinuxNamespaceType) string {
 	infra, err := p.runtime.GetContainer(p.state.InfraContainerID)
 	if err != nil {
 		return ""
@@ -187,28 +187,7 @@ func (p *Pod) PidMode() string {
 	ctrSpec := infra.config.Spec
 	if ctrSpec != nil && ctrSpec.Linux != nil {
 		for _, ns := range ctrSpec.Linux.Namespaces {
-			if ns.Type == specs.PIDNamespace {
-				if ns.Path != "" {
-					return fmt.Sprintf("ns:%s", ns.Path)
-				}
-				return "private"
-			}
-		}
-		return "host"
-	}
-	return ""
-}
-
-// PidMode returns the PID mode given by the user ex: pod, private...
-func (p *Pod) UserNSMode() string {
-	infra, err := p.infraContainer()
-	if err != nil {
-		return ""
-	}
-	ctrSpec := infra.config.Spec
-	if ctrSpec != nil && ctrSpec.Linux != nil {
-		for _, ns := range ctrSpec.Linux.Namespaces {
-			if ns.Type == specs.UserNamespace {
+			if ns.Type == kind {
 				if ns.Path != "" {
 					return fmt.Sprintf("ns:%s", ns.Path)
 				}

libpod/pod_api.go

@@ -9,6 +9,7 @@ import (
 	"github.com/containers/podman/v4/libpod/events"
 	"github.com/containers/podman/v4/pkg/parallel"
 	"github.com/containers/podman/v4/pkg/rootless"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -673,8 +674,8 @@ func (p *Pod) Inspect() (*define.InspectPodData, error) {
 		infraConfig.CPUPeriod = p.CPUPeriod()
 		infraConfig.CPUQuota = p.CPUQuota()
 		infraConfig.CPUSetCPUs = p.ResourceLim().CPU.Cpus
-		infraConfig.PidNS = p.PidMode()
-		infraConfig.UserNS = p.UserNSMode()
+		infraConfig.PidNS = p.NamespaceMode(specs.PIDNamespace)
+		infraConfig.UserNS = p.NamespaceMode(specs.UserNamespace)
 		namedVolumes, mounts := infra.SortUserVolumes(infra.config.Spec)
 		inspectMounts, err = infra.GetMounts(namedVolumes, infra.config.ImageVolumes, mounts)
 		infraSecurity = infra.GetSecurityOptions()

pkg/specgen/generate/namespaces.go

@@ -19,6 +19,8 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+const host = "host"
+
 // Get the default namespace mode for any given namespace type.
 func GetDefaultNamespaceMode(nsType string, cfg *config.Config, pod *libpod.Pod) (specgen.Namespace, error) {
 	// The default for most is private
@@ -33,19 +35,38 @@ func GetDefaultNamespaceMode(nsType string, cfg *config.Config, pod *libpod.Pod)
 		podMode := false
 		switch {
 		case nsType == "pid" && pod.SharesPID():
+			if pod.NamespaceMode(spec.PIDNamespace) == host {
+				toReturn.NSMode = specgen.Host
+				return toReturn, nil
+			}
 			podMode = true
 		case nsType == "ipc" && pod.SharesIPC():
+			if pod.NamespaceMode(spec.IPCNamespace) == host {
+				toReturn.NSMode = specgen.Host
+				return toReturn, nil
+			}
 			podMode = true
 		case nsType == "uts" && pod.SharesUTS():
+			if pod.NamespaceMode(spec.UTSNamespace) == host {
+				toReturn.NSMode = specgen.Host
+				return toReturn, nil
+			}
 			podMode = true
 		case nsType == "user" && pod.SharesUser():
+			// user does not need a special check for host, this is already validated on pod creation
+			// if --userns=host then pod.SharesUser == false
 			podMode = true
 		case nsType == "net" && pod.SharesNet():
+			if pod.NetworkMode() == host {
+				toReturn.NSMode = specgen.Host
+				return toReturn, nil
+			}
 			podMode = true
-		case nsType == "net" && pod.NetworkMode() == "host":
-			toReturn.NSMode = specgen.Host
-			return toReturn, nil
 		case nsType == "cgroup" && pod.SharesCgroup():
+			if pod.NamespaceMode(spec.CgroupNamespace) == host {
+				toReturn.NSMode = specgen.Host
+				return toReturn, nil
+			}
 			podMode = true
 		}
 		if podMode {
@@ -491,10 +512,7 @@ func GetNamespaceOptions(ns []string, netnsIsHost bool) ([]libpod.PodCreateOptio
 		case "cgroup":
 			options = append(options, libpod.WithPodCgroup())
 		case "net":
-			// share the netns setting with other containers in the pod only when it is not set to host
-			if !netnsIsHost {
-				options = append(options, libpod.WithPodNet())
-			}
+			options = append(options, libpod.WithPodNet())
 		case "mnt":
 			return erroredOptions, errors.Errorf("Mount sharing functionality not supported on pod level")
 		case "pid":

test/e2e/pod_infra_container_test.go

@@ -130,14 +130,24 @@ var _ = Describe("Podman pod create", func() {
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 
-		session = podmanTest.Podman([]string{"run", "-dt", "--pod", session.OutputToString(), ALPINE})
+		session = podmanTest.Podman([]string{"run", "--name", "hostCtr", "--pod", session.OutputToString(), ALPINE, "readlink", "/proc/self/ns/net"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 
-		session = podmanTest.Podman([]string{"inspect", "--format", "'{{.NetworkSettings.SandboxKey}}'", session.OutputToString()})
+		ns := SystemExec("readlink", []string{"/proc/self/ns/net"})
+		ns.WaitWithDefaultTimeout()
+		Expect(ns).Should(Exit(0))
+		netns := ns.OutputToString()
+		Expect(netns).ToNot(BeEmpty())
+
+		Expect(session.OutputToString()).To(Equal(netns))
+
+		// Sanity Check for podman inspect
+		session = podmanTest.Podman([]string{"inspect", "--format", "'{{.NetworkSettings.SandboxKey}}'", "hostCtr"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
-		Expect(session.OutputToString()).Should(ContainSubstring("''")) // no network path... host
+		Expect(session.OutputToString()).Should(Equal("''")) // no network path... host
+
 	})
 
 	It("podman pod correctly sets up IPCNS", func() {