From da82be8cbbddb4e1d2e4733e99d5d9fbfb8fed49 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Wed, 14 Apr 2021 10:34:50 -0400
Subject: [PATCH 1/2] nsmgr: fix some leaks with GetNamespace

If we fail to initially attach the namespaces, we need to cleanup the ones we've already created

Also, we are currently unconditionally recreating the namespaces when restoring. I believe that's from a rebase issue

Signed-off-by: Peter Hunt
---
 internal/config/nsmgr/nsmgr.go | 5 +++
 internal/lib/container_server.go | 66 +++++++++++---------------------
 2 files changed, 27 insertions(+), 44 deletions(-)

diff --git a/internal/config/nsmgr/nsmgr.go b/internal/config/nsmgr/nsmgr.go
index 31b87e91cd3..c3155bf4059 100644
--- a/internal/config/nsmgr/nsmgr.go
+++ b/internal/config/nsmgr/nsmgr.go
@@ -136,6 +136,11 @@ func (mgr *NamespaceManager) NewPodNamespaces(cfg *PodNamespacesConfig) ([]Names
 for _, ns := range cfg.Namespaces {
 ns, err := GetNamespace(ns.Path, ns.Type)
 if err != nil {
+ for _, nsToClose := range returnedNamespaces {
+ if err2 := nsToClose.Remove(); err2 != nil {
+ logrus.Errorf("failed to remove namespace after failed to create: %v", err2)
+ }
+ }
 return nil, err
 }
diff --git a/internal/lib/container_server.go b/internal/lib/container_server.go
index 399ce89e6dd..5f0e9cc7cce 100644
--- a/internal/lib/container_server.go
+++ b/internal/lib/container_server.go
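Review bot: The log line in the new cleanup loop reads awkwardly and drops the error that triggered the cleanup, which makes the two failures hard to correlate when reading logs: `logrus.Errorf("failed to remove namespace after failed to create: %v", err2)`. Since `err` from the GetNamespace call is still in scope at that point, something like `logrus.Errorf("removing already-created namespace after GetNamespace failed (%v): %v", err, err2)` keeps both causes in one record. Only the namespaces already appended to returnedNamespaces are removed, which is the right set; NewPodNamespaces begins and ends outside the hunk.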
@@ -199,30 +199,30 @@ func (c *ContainerServer) LoadSandbox(ctx context.Context, id string) (retErr er
 sb.SetSeccompProfilePath(spp)
 sb.SetNamespaceOptions(&nsOpts)
+ defer func() {
+ if retErr != nil {
+ if err := sb.RemoveManagedNamespaces(); err != nil {
+ log.Warnf(ctx, "failed to remove namespaces: %v", err)
+ }
+ }
+ }()
 // We add an NS only if we can load a permanent one.
 // Otherwise, the sandbox will live in the host namespace.
- netNsPath, err := configNsPath(&m, rspec.NetworkNamespace)
- if err == nil {
- if nsErr := sb.NetNsJoin(netNsPath); nsErr != nil {
- return nsErr
- }
- }
- ipcNsPath, err := configNsPath(&m, rspec.IPCNamespace)
- if err == nil {
- if nsErr := sb.IpcNsJoin(ipcNsPath); nsErr != nil {
- return nsErr
- }
- }
- utsNsPath, err := configNsPath(&m, rspec.UTSNamespace)
- if err == nil {
- if nsErr := sb.UtsNsJoin(utsNsPath); nsErr != nil {
- return nsErr
- }
- }
- userNsPath, err := configNsPath(&m, rspec.UserNamespace)
- if err == nil {
- if nsErr := sb.UserNsJoin(userNsPath); nsErr != nil {
- return nsErr
+ namespacesToJoin := []struct {
+ rspecNS rspec.LinuxNamespaceType
+ joinFunc func(string) error
+ }{
+ {rspecNS: rspec.NetworkNamespace, joinFunc: sb.NetNsJoin},
+ {rspecNS: rspec.IPCNamespace, joinFunc: sb.IpcNsJoin},
+ {rspecNS: rspec.UTSNamespace, joinFunc: sb.UtsNsJoin},
+ {rspecNS: rspec.UserNamespace, joinFunc: sb.UserNsJoin},
+ }
+ for _, namespaceToJoin := range namespacesToJoin {
+ path, err := configNsPath(&m, namespaceToJoin.rspecNS)
+ if err == nil {
+ if nsErr := namespaceToJoin.joinFunc(path); err != nil {
+ return nsErr
+ }
 }
 }
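Review bot: The join result is discarded in the new loop: `if nsErr := namespaceToJoin.joinFunc(path); err != nil {` tests `err`, which is known to be nil inside the enclosing `err == nil` branch, so `nsErr` is never examined and a failed NetNs/IPC/UTS/User join is silently ignored, leaving the restored sandbox without a namespace its config says it should have. The condition should read `if nsErr := namespaceToJoin.joinFunc(path); nsErr != nil {`; the removed per-namespace code it replaces did check `nsErr`, and the same `err != nil` slip appears in the block the next hunk deletes, so this looks carried over from there. With the check as written, the new deferred RemoveManagedNamespaces cleanup also never fires for the partial-join case, because retErr is never set. LoadSandbox begins and ends outside the hunk.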
@@ -304,28 +304,6 @@ func (c *ContainerServer) LoadSandbox(ctx context.Context, id string) (retErr er
 return err
 }
- // We add an NS only if we can load a permanent one.
- // Otherwise, the sandbox will live in the host namespace.
- if wasSpoofed {
- namespacesToJoin := []struct {
- rspecNS rspec.LinuxNamespaceType
- joinFunc func(string) error
- }{
- {rspecNS: rspec.NetworkNamespace, joinFunc: sb.NetNsJoin},
- {rspecNS: rspec.IPCNamespace, joinFunc: sb.IpcNsJoin},
- {rspecNS: rspec.UTSNamespace, joinFunc: sb.UtsNsJoin},
- {rspecNS: rspec.UserNamespace, joinFunc: sb.UserNsJoin},
- }
- for _, namespaceToJoin := range namespacesToJoin {
- path, err := configNsPath(&m, namespaceToJoin.rspecNS)
- if err == nil {
- if nsErr := namespaceToJoin.joinFunc(path); err != nil {
- return nsErr
- }
- }
- }
- }
 sb.SetCreated()
 if err := label.ReserveLabel(processLabel); err != nil {
 return err

From 180b9fb9db1b308e893d058712a7752e51af7130 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Wed, 14 Apr 2021 11:20:16 -0400
Subject: [PATCH 2/2] nsmgr: remove duplicate IsNSOrErr call

Signed-off-by: Peter Hunt
---
 internal/config/nsmgr/types.go | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/internal/config/nsmgr/types.go b/internal/config/nsmgr/types.go
index e84c6353712..c7c7aaa08bd 100644
--- a/internal/config/nsmgr/types.go
+++ b/internal/config/nsmgr/types.go
@@ -116,10 +116,6 @@ func (n *namespace) Remove() error {
 // GetNamespace takes a path and type, checks if it is a namespace, and if so
 // returns an instance of the Namespace interface.
 func GetNamespace(nsPath string, nsType NSType) (Namespace, error) {
- if err := nspkg.IsNSorErr(nsPath); err != nil {
- return nil, err
- }
-
 ns, err := nspkg.GetNS(nsPath)
 if err != nil {
 return nil, err