From 53755727a2b064e7c94672f6457e95d1c237e351 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Mon, 23 Aug 2021 10:58:24 -0400
Subject: [PATCH 1/3] server: don't recalculate hostnet
Signed-off-by: Peter Hunt
---
 server/container_create.go | 9 ---------
 server/container_create_linux.go | 2 +-
 2 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/server/container_create.go b/server/container_create.go
index df08616358a..dd2b6568ef9 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -399,15 +399,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 return nil
 }
 
-func hostNetwork(containerConfig *types.ContainerConfig) bool {
- securityContext := containerConfig.Linux.SecurityContext
- if securityContext == nil || securityContext.NamespaceOptions == nil {
- return false
- }
-
- return securityContext.NamespaceOptions.Network == types.NamespaceModeNODE
- }
-
 // CreateContainer creates a new container in specified PodSandbox
 func (s *Server) CreateContainer(ctx context.Context, req *types.CreateContainerRequest) (res *types.CreateContainerResponse, retErr error) {
 log.Infof(ctx, "Creating container: %s", translateLabelsToDescription(req.Config.Labels))
diff --git a/server/container_create_linux.go b/server/container_create_linux.go
index bbca6fa9a1e..a8ccaae0dcb 100644
--- a/server/container_create_linux.go
+++ b/server/container_create_linux.go
@@ -543,7 +543,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 })
 }
 
- if !isInCRIMounts("/etc/hosts", containerConfig.Mounts) && hostNetwork(containerConfig) {
+ if !isInCRIMounts("/etc/hosts", containerConfig.Mounts) && hostNet {
 // Only bind mount for host netns and when CRI does not give us any hosts file
 ctr.SpecAddMount(rspec.Mount{
 Destination: "/etc/hosts",
From b40d9220b4df6e90bf843a89e5b56e8b0b51d3e9 Mon Sep 17 00:00:00 2001
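Review bot: On the new side of the `/etc/hosts` hunk, `hostNet` becomes the only remaining source of truth for the host-network decision, but it is declared outside the hunk, and the deleted helper's nil-guarded lookup of `containerConfig.Linux.SecurityContext.NamespaceOptions.Network == types.NamespaceModeNODE` is no longer spelled out anywhere visible. If hostNet mirrors that container-level check (which the series subject suggests, but this hunk cannot confirm), a comment at its declaration would let the intent survive the deletion, e.g. `// hostNet: the container's own NamespaceOptions.Network == NODE (nil-safe); it gates the /etc/hosts bind mount below.` createSandboxContainer starts and ends outside this hunk.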
From: Peter Hunt
Date: Mon, 23 Aug 2021 11:31:53 -0400
Subject: [PATCH 2/3] server: use container level host network setting to remain consistent with other times it's specified
Signed-off-by: Peter Hunt
---
 server/container_create_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/container_create_linux.go b/server/container_create_linux.go
index a8ccaae0dcb..dc106b8b5e7 100644
--- a/server/container_create_linux.go
+++ b/server/container_create_linux.go
@@ -452,7 +452,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 }
 
 // If the sandbox is configured to run in the host network, do not create a new network namespace
- if sb.HostNetwork() {
+ if hostNet {
 if err := specgen.RemoveLinuxNamespace(string(rspec.NetworkNamespace)); err != nil {
 return nil, err
 }
From 54f343719f77be29c2ab2c5f4f4768de92ab2203 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Mon, 23 Aug 2021 11:31:09 -0400
Subject: [PATCH 3/3] server: mount cgroup if hostNetwork
Signed-off-by: Peter Hunt
---
 server/container_create_linux.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/server/container_create_linux.go b/server/container_create_linux.go
index dc106b8b5e7..0b59fabeb9f 100644
--- a/server/container_create_linux.go
+++ b/server/container_create_linux.go
@@ -458,13 +458,18 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 }
 
 if !isInCRIMounts("/sys", containerConfig.Mounts) {
- specgen.RemoveMount("/sys")
 ctr.SpecAddMount(rspec.Mount{
 Destination: "/sys",
 Type: "sysfs",
 Source: "sysfs",
 Options: []string{"nosuid", "noexec", "nodev", "ro"},
 })
+ ctr.SpecAddMount(rspec.Mount{
+ Destination: "/sys/fs/cgroup",
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
+ })
 }
 }
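Review bot: The namespace-removal decision now follows the container-level `hostNet` instead of `sb.HostNetwork()`, yet nothing in the hunk checks that the two agree, and the comment immediately above (`// If the sandbox is configured to run in the host network ...`) still describes the old sandbox-level condition. If a container's NamespaceOptions ask for the host network while its sandbox does not, this branch drops the container's network namespace regardless, which is a meaningful privilege change relative to the pod it lives in; assuming hostNet is derived from the container config as the subject says, rejecting the mismatch up front is the safer shape, e.g. `if hostNet != sb.HostNetwork() { return nil, fmt.Errorf("container host network setting (%t) does not match sandbox (%t)", hostNet, sb.HostNetwork()) }`. At minimum the comment should read `// If the container is configured to run in the host network, do not create a new network namespace`. createSandboxContainer starts and ends outside this hunk, and hostNet's definition is not visible here.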