From 16fc9fc52b52c21103a8d0f1d1de3a1a5ccc44b4 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Mon, 23 Aug 2021 10:58:24 -0400
Subject: [PATCH 1/3] server: don't recalculate hostnet

Signed-off-by: Peter Hunt
---
 server/container_create.go       | 9 ---------
 server/container_create_linux.go | 2 +-
 2 files changed, 1 insertion(+), 10 deletions(-)

diff --git a/server/container_create.go b/server/container_create.go
index 9d00b974206..c3c951e6cb0 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -399,15 +399,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 	return nil
 }
 
-func hostNetwork(containerConfig *types.ContainerConfig) bool {
-	securityContext := containerConfig.Linux.SecurityContext
-	if securityContext == nil || securityContext.NamespaceOptions == nil {
-		return false
-	}
-
-	return securityContext.NamespaceOptions.Network == types.NamespaceModeNODE
-}
-
 // CreateContainer creates a new container in specified PodSandbox
 func (s *Server) CreateContainer(ctx context.Context, req *types.CreateContainerRequest) (res *types.CreateContainerResponse, retErr error) {
 	log.Infof(ctx, "Creating container: %s", translateLabelsToDescription(req.Config.Labels))
diff --git a/server/container_create_linux.go b/server/container_create_linux.go
index ec2679f2f13..f5d822f472d 100644
--- a/server/container_create_linux.go
+++ b/server/container_create_linux.go
@@ -525,7 +525,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 		})
 	}
 
-	if !isInCRIMounts("/etc/hosts", containerConfig.Mounts) && hostNetwork(containerConfig) {
+	if !isInCRIMounts("/etc/hosts", containerConfig.Mounts) && hostNet {
 		// Only bind mount for host netns and when CRI does not give us any hosts file
 		ctr.SpecAddMount(rspec.Mount{
 			Destination: "/etc/hosts",
From ada07934878cd65bd9742274698260e20822eea3 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Mon, 23 Aug 2021 11:31:53 -0400
Subject: [PATCH 2/3] server: use container level host network setting to remain consistent with other times it's specified

Signed-off-by: Peter Hunt
---
 server/container_create_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/container_create_linux.go b/server/container_create_linux.go
index f5d822f472d..992e4cc4dab 100644
--- a/server/container_create_linux.go
+++ b/server/container_create_linux.go
@@ -434,7 +434,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 	}
 
 	// If the sandbox is configured to run in the host network, do not create a new network namespace
-	if sb.HostNetwork() {
+	if hostNet {
 		if err := specgen.RemoveLinuxNamespace(string(rspec.NetworkNamespace)); err != nil {
 			return nil, err
 		}
From 97e20e7ec3599cc1ccece801429520ef6924ca7d Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Mon, 23 Aug 2021 11:31:09 -0400
Subject: [PATCH 3/3] server: mount cgroup if hostNetwork

Signed-off-by: Peter Hunt
---
 server/container_create_linux.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/server/container_create_linux.go b/server/container_create_linux.go
index 992e4cc4dab..ce83efeba8d 100644
--- a/server/container_create_linux.go
+++ b/server/container_create_linux.go
@@ -440,13 +440,18 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 		}
 
 		if !isInCRIMounts("/sys", containerConfig.Mounts) {
-			specgen.RemoveMount("/sys")
 			ctr.SpecAddMount(rspec.Mount{
 				Destination: "/sys",
 				Type:        "sysfs",
 				Source:      "sysfs",
 				Options:     []string{"nosuid", "noexec", "nodev", "ro"},
 			})
+			ctr.SpecAddMount(rspec.Mount{
+				Destination: "/sys/fs/cgroup",
+				Type:        "cgroup",
+				Source:      "cgroup",
+				Options:     []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
+			})
 		}
 	}
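Review bot: On the changed line of the container_create_linux.go hunk, `hostNet` replaces the deleted helper that read `containerConfig.Linux.SecurityContext.NamespaceOptions.Network` behind two nil checks, but `hostNet` is assigned outside this hunk, so nothing here shows that it carries the same nil-guarded, container-level value the commit title implies. If it is instead derived from the sandbox, this line quietly changes which object decides whether the host's `/etc/hosts` is bind-mounted into the container. A short comment at the assignment site, or on this line, naming where `hostNet` comes from would make the intended no-op refactor checkable by the next reader. createSandboxContainer starts and ends outside the hunk.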
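Review bot: On the changed line the decision to remove the network namespace now follows the container-level `hostNet` instead of `sb.HostNetwork()`, yet the comment directly above still says the sandbox's configuration is what is consulted, so comment and condition no longer agree; the comment should read `// If the container is configured to run in the host network, do not create a new network namespace`. More importantly, nothing in the hunk shows the two values being reconciled: a container config asking for host networking inside a sandbox that was not created with host networking would now run in the host's network namespace, a boundary the sandbox-level check previously enforced. Unless that consistency is guaranteed upstream (not visible here), it is safer to reject a mismatch before touching namespaces, e.g. `if hostNet != sb.HostNetwork() { return nil, fmt.Errorf("container host network %t does not match sandbox %t", hostNet, sb.HostNetwork()) }` (assuming fmt is in scope). createSandboxContainer starts and ends outside the hunk.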
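Review bot: The added `/sys/fs/cgroup` mount sits under the guard `!isInCRIMounts("/sys", containerConfig.Mounts)`, which only asks whether the CRI supplied a `/sys` mount, so a CRI-supplied `/sys/fs/cgroup` mount would now get a second entry for the same destination with the winner decided by mount order. Giving the new block its own guard keeps the policy the sysfs mount already follows: wrap the added `ctr.SpecAddMount` in `if !isInCRIMounts("/sys/fs/cgroup", containerConfig.Mounts) {`. Dropping `specgen.RemoveMount("/sys")` on the removed line has a similar flavour: if the generator's spec still carries a default `/sys` entry (not visible here), the container ends up with two `/sys` mounts rather than a replaced one, and a one-line comment stating why the removal is no longer needed would help. The `nosuid`, `noexec`, `nodev`, `ro` options on the new mount match the sysfs mount above, which is the appropriate posture for a container sharing the host's network namespace. The enclosing block (per the previous patch's context, `if hostNet {`) and createSandboxContainer both start outside the hunk.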