From 0ccf73213dafcacf69619af66fc03ecd13e5af33 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 21 Mar 2022 14:48:22 -0400
Subject: [PATCH] IPCMode default mode should be sharable not private

Docker defined --ipc=private to mean that the container's IPC Namespace can NOT be shared with another container. While --ipc=shareable can, which is our current default. Docker also defines "none" which means the container runs in a IPC namespace but does NOT mount a /dev/shm. "Host" means the container runs in the host namespace, and container:UUID means run new container in other containers namespace. ns:PATH means run in the namepsace designated in PATH.2 This Patch, fixes containers/common to reflect the correct default.

Signed-off-by: Daniel J Walsh
---
 docs/containers.conf.5.md | 8 +++++---
 pkg/config/config_test.go | 1 +
 pkg/config/containers.conf | 8 +++++---
 pkg/config/default.go | 2 +-
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/docs/containers.conf.5.md b/docs/containers.conf.5.md
index f5203912b..3ef98dfad 100644
--- a/docs/containers.conf.5.md
+++ b/docs/containers.conf.5.md
@@ -162,12 +162,14 @@
 Path to the container-init binary, which forwards signals and reaps processes within containers. Note that the container-init binary will only be used when the `--init` for podman-create and podman-run is set.
-**ipcns**="private"
+**ipcns**="shareable"
 Default way to to create a IPC namespace for the container.
 Options are:
- `private` Create private IPC Namespace for the container.
- `host` Share host IPC Namespace with the container.
+ `host` Share host IPC Namespace with the container.
+ `none` Create shareable IPC Namespace for the container without a private /dev/shm.
+ `private` Create private IPC Namespace for the container, other containers are not allowed to share it.
+ `shareable` Create shareable IPC Namespace for the container.
 **keyring**=true 
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index f1f9b1f43..9d3dbe6fb 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -30,6 +30,7 @@ var _ = Describe("Config", func() {
 gomega.Expect(defaultConfig.Containers.PidsLimit).To(gomega.BeEquivalentTo(2048))
 gomega.Expect(defaultConfig.Engine.ServiceTimeout).To(gomega.BeEquivalentTo(5))
 gomega.Expect(defaultConfig.NetNS()).To(gomega.BeEquivalentTo("private"))
+ gomega.Expect(defaultConfig.IPCNS()).To(gomega.BeEquivalentTo("shareable"))
 gomega.Expect(defaultConfig.Engine.InfraImage).To(gomega.BeEquivalentTo(""))
 path, err := defaultConfig.ImageCopyTmpDir()
 gomega.Expect(err).To(gomega.BeNil())
diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf
index 1db2d704a..48ea8263b 100644
--- a/pkg/config/containers.conf
+++ b/pkg/config/containers.conf
@@ -133,10 +133,12 @@ default_sysctls = [
 # Default way to to create an IPC namespace (POSIX SysV IPC) for the container
 # Options are:
-# `private` Create private IPC Namespace for the container.
-# `host` Share host IPC Namespace with the container.
+# "host" Share host IPC Namespace with the container.
+# "none" Create shareable IPC Namespace for the container without a private /dev/shm.
+# "private" Create private IPC Namespace for the container, other containers are not allowed to share it.
+# "shareable" Create shareable IPC Namespace for the container.
 #
-#ipcns = "private"
+#ipcns = "shareable"
 # keyring tells the container engine whether to create
 # a kernel keyring for use within the container.
diff --git a/pkg/config/default.go b/pkg/config/default.go
index 3255cff9d..14858e967 100644
--- a/pkg/config/default.go
+++ b/pkg/config/default.go
@@ -205,7 +205,7 @@ func DefaultConfig() (*Config, error) {
 HTTPProxy: true,
 Init: false,
 InitPath: "",
- IPCNS: "private",
+ IPCNS: "shareable",
 LogDriver: defaultLogDriver(),
 LogSizeMax: DefaultLogSizeMax,
 NetNS: "private",
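Review bot: The new assertion on `defaultConfig.IPCNS()` pins only the compiled-in default; nothing in this hunk checks that the other values the commit now documents (`host`, `none`, `private`) are accepted when set through containers.conf, so a typo in one of those strings elsewhere in the package would go unnoticed. If the config package validates `ipcns` (not visible in this diff), a table-driven case per documented value next to this line would close that gap. The enclosing `Describe("Config", ...)` block starts and ends outside the hunk.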
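Review bot: The new option list in the containers.conf comment never says which of the two namespace kinds other containers may join with `--ipc=container:ID`, which is the whole distinction the commit message draws between `private` and `shareable`, so a reader of the conf file cannot tell what changed by moving the default. Suggest extending the last added line to `# "shareable" Create shareable IPC Namespace for the container; other containers may join it.` While this block is being edited, the retained context line above it still reads `to to create`, which is worth a drive-by fix.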
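Review bot: Changing the compiled-in default to `IPCNS: "shareable"` is only safe if every consumer that parses the configured `ipcns` string already accepts `shareable`; the commit message says this is the behaviour already in effect, but nothing in this diff shows the parser, so a consumer that only understands `private` and `host` would now reject or mis-handle the default it receives. Worth confirming against the namespace parser before merge. The doc comment on the `IPCNS` field of the Config struct (outside this hunk) should also list the accepted values `host`, `none`, `private` and `shareable` so the struct and containers.conf stay in step. `DefaultConfig` continues outside the hunk.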