Merge pull request #8960 from giuseppe/bridge-no-post-config

network: disallow CNI networks with user namespaces
containers · Jan 13, 2021 · bbff9c8 · bbff9c8
2 parents b2b1423 + ee68466
commit bbff9c8
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
@@ -236,6 +236,9 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 	case specgen.Private:
 		fallthrough
 	case specgen.Bridge:
+		if postConfigureNetNS && rootless.IsRootless() {
+			return nil, errors.New("CNI networks not supported with user namespaces")
+		}
 		portMappings, err := createPortMappings(ctx, s, img)
 		if err != nil {
 			return nil, err

diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go
@@ -622,7 +622,7 @@ var _ = Describe("Podman run networking", func() {
 
 	It("podman run in custom CNI network with --static-ip", func() {
 		SkipIfRootless("Rootless mode does not support --ip")
-		netName := "podmantestnetwork"
+		netName := stringid.GenerateNonCryptoID()
 		ipAddr := "10.25.30.128"
 		create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.30.0/24", netName})
 		create.WaitWithDefaultTimeout()
@@ -639,9 +639,27 @@ var _ = Describe("Podman run networking", func() {
 		Expect(create.ExitCode()).To(BeZero())
 	})
 
+	It("podman rootless fails custom CNI network with --uidmap", func() {
+		SkipIfNotRootless("The configuration works with rootless")
+
+		netName := stringid.GenerateNonCryptoID()
+		create := podmanTest.Podman([]string{"network", "create", netName})
+		create.WaitWithDefaultTimeout()
+		Expect(create.ExitCode()).To(BeZero())
+		defer podmanTest.removeCNINetwork(netName)
+
+		run := podmanTest.Podman([]string{"run", "--rm", "--net", netName, "--uidmap", "0:1:4096", ALPINE, "true"})
+		run.WaitWithDefaultTimeout()
+		Expect(run.ExitCode()).To(Equal(125))
+
+		remove := podmanTest.Podman([]string{"network", "rm", netName})
+		remove.WaitWithDefaultTimeout()
+		Expect(remove.ExitCode()).To(BeZero())
+	})
+
 	It("podman run with new:pod and static-ip", func() {
 		SkipIfRootless("Rootless does not support --ip")
-		netName := "podmantestnetwork2"
+		netName := stringid.GenerateNonCryptoID()
 		ipAddr := "10.25.40.128"
 		podname := "testpod"
 		create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.40.0/24", netName})