defer creation of sysctl until after all namespaces have been created

there is a bug in rootless podman that does not allow users to set kernel.domainname because the uts namespace is not set up before the sysctl's are added. I moved the libcrun_set_sysctl down to a point where i think all of the namespaces have been created Signed-off-by: Charlie Doern <[email protected]>
containers · Aug 5, 2022 · b4a6eb7 · b4a6eb7
1 parent b66340c
commit b4a6eb7
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 25 deletions.
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
@@ -1058,10 +1058,6 @@ container_init_setup (void *args, pid_t own_pid, char *notify_socket,
   if (has_terminal && entrypoint_args->context->console_socket)
     console_socket = entrypoint_args->console_socket_fd;
 
-  ret = libcrun_set_sysctl (container, err);
-  if (UNLIKELY (ret < 0))
-    return ret;
-
   ret = libcrun_container_notify_handler (entrypoint_args, HANDLER_CONFIGURE_BEFORE_MOUNTS, container, rootfs, err);
   if (UNLIKELY (ret < 0))
     return ret;
@@ -1240,6 +1236,11 @@ container_init_setup (void *args, pid_t own_pid, char *notify_socket,
         return ret;
     }
 
+  // set sysctl after namespaces are created
+  ret = libcrun_set_sysctl (container, err);
+  if (UNLIKELY (ret < 0))
+    return ret;
+
   capabilities = def->process ? def->process->capabilities : NULL;
   no_new_privs = def->process ? def->process->no_new_privileges : 1;
   ret = libcrun_set_caps (capabilities, container->container_uid, container->container_gid, no_new_privs, err);

diff --git a/tests/test_start.py b/tests/test_start.py
@@ -200,34 +200,19 @@ def test_uts_sysctl():
                 run_crun_command(["delete", "-f", cid])
 
     conf = base_config()
-    conf['process']['args'] = ['/init', 'true']
-    add_all_namespaces(conf, utsns=False)
-    conf['linux']['sysctl'] = {'kernel.domainname' : 'foo'}
-    cid = None
-    try:
-        _, cid = run_and_get_output(conf)
-        sys.stderr.write("unexpected success\n")
-        return -1
-    except:
-        return 0
-    finally:
-        if cid is not None:
-            run_crun_command(["delete", "-f", cid])
-
-    conf = base_config()
-    conf['process']['args'] = ['/init', 'true']
-    add_all_namespaces(conf)
-    conf['linux']['sysctl'] = {'kernel.domainname' : 'foo'}
+    conf['process']['args'] = ['./init', 'cat', '/etc/hosts']
+    add_all_namespaces(conf, utsns=True)
+    conf['linux']['sysctl'] = {'kernel.domainname' : 'baz.foo'}
     cid = None
     try:
-        _, cid = run_and_get_output(conf)
-        return 0
+        out, _ = run_and_get_output(conf)
+        if "baz.foo" not in str(out):
+            return -1
     except:
         return -1
     finally:
         if cid is not None:
             run_crun_command(["delete", "-f", cid])
-    return 0
 
 def test_start():
     conf = base_config()