IPCMode default mode should be sharable not private

Docker defined --ipc=private to mean that the container's IPC Namespace can NOT be shared with another container. While --ipc=shareable can, which is our current default. Docker also defines "none" which means the container runs in a IPC namespace but does NOT mount a /dev/shm. "Host" means the container runs in the host namespace, and container:UUID means run new container in other containers namespace. ns:PATH means run in the namepsace designated in PATH.2 This Patch, fixes containers/common to reflect the correct default. Signed-off-by: Daniel J Walsh <[email protected]>
containers · Mar 22, 2022 · 0ccf732 · 0ccf732
1 parent c058991
commit 0ccf732
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 7 deletions.
diff --git a/docs/containers.conf.5.md b/docs/containers.conf.5.md
@@ -162,12 +162,14 @@ Path to the container-init binary, which forwards signals and reaps processes
 within containers. Note that the container-init binary will only be used when
 the `--init` for podman-create and podman-run is set.
 
-**ipcns**="private"
+**ipcns**="shareable"
 
 Default way to to create a IPC namespace for the container.
 Options are:
-  `private` Create private IPC Namespace for the container.
-  `host`    Share host IPC Namespace with the container.
+  `host`     Share host IPC Namespace with the container.
+  `none`     Create shareable IPC Namespace for the container without a private /dev/shm.
+  `private`  Create private IPC Namespace for the container, other containers are not allowed to share it.
+  `shareable` Create shareable IPC Namespace for the container.
 
 **keyring**=true
 

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -30,6 +30,7 @@ var _ = Describe("Config", func() {
 			gomega.Expect(defaultConfig.Containers.PidsLimit).To(gomega.BeEquivalentTo(2048))
 			gomega.Expect(defaultConfig.Engine.ServiceTimeout).To(gomega.BeEquivalentTo(5))
 			gomega.Expect(defaultConfig.NetNS()).To(gomega.BeEquivalentTo("private"))
+			gomega.Expect(defaultConfig.IPCNS()).To(gomega.BeEquivalentTo("shareable"))
 			gomega.Expect(defaultConfig.Engine.InfraImage).To(gomega.BeEquivalentTo(""))
 			path, err := defaultConfig.ImageCopyTmpDir()
 			gomega.Expect(err).To(gomega.BeNil())

diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf
@@ -133,10 +133,12 @@ default_sysctls = [
 
 # Default way to to create an IPC namespace (POSIX SysV IPC) for the container
 # Options are:
-# `private` Create private IPC Namespace for the container.
-# `host`    Share host IPC Namespace with the container.
+#  "host"     Share host IPC Namespace with the container.
+#  "none"     Create shareable IPC Namespace for the container without a private /dev/shm.
+#  "private"  Create private IPC Namespace for the container, other containers are not allowed to share it.
+#  "shareable" Create shareable IPC Namespace for the container.
 #
-#ipcns = "private"
+#ipcns = "shareable"
 
 # keyring tells the container engine whether to create
 # a kernel keyring for use within the container.

diff --git a/pkg/config/default.go b/pkg/config/default.go
@@ -205,7 +205,7 @@ func DefaultConfig() (*Config, error) {
 			HTTPProxy:  true,
 			Init:       false,
 			InitPath:   "",
-			IPCNS:      "private",
+			IPCNS:      "shareable",
 			LogDriver:  defaultLogDriver(),
 			LogSizeMax: DefaultLogSizeMax,
 			NetNS:      "private",