Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Podman container image contains too many host namespaces #13714

Closed
Luap99 opened this issue Mar 30, 2022 · 9 comments · Fixed by #14501
Closed

Podman container image contains too many host namespaces #13714

Luap99 opened this issue Mar 30, 2022 · 9 comments · Fixed by #14501
Assignees
@cdoern
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@Luap99
Copy link
Member

Luap99 commented Mar 30, 2022

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

IMO the podman container image should behave as much as possible like a normal podman on the actual host.
Currently most namespaces are set to host via container.conf in the image:

podman/contrib/podmanimage/stable/containers.conf

Lines 2 to 6 in ff8834f

netns="host"
userns="host"
ipcns="host"
utsns="host"
cgroupns="host"

I understand that some namespaces do not work as well when they are nested, for example the network namespace.

However I do not see reason why uts or ipc is set to host. The list does not specify pid namespace so this is already private.

The discussion come up when testing new images in the upgrade test: #13697

Steps ns to reproduce the issue:

$ sudo bin/podman run --rm --privileged --net=host quay.io/podman/stable:v3.4.0 podman pod create --name foo
Error: invalid config provided: cannot set hostname when running in the host UTS namespace: invalid configuration

Describe the results you received:
Podman pod create does not work out of the box. User have to change containers.conf manually since there is not --uts option for podman pod create.

Describe the results you expected:
It should work.

Additional information you deem important (e.g. issue happens only occasionally):

#11969
@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Mar 30, 2022
@Luap99 Luap99 mentioned this issue Mar 30, 2022
Merged
@edsantiago edsantiago changed the title Podman container image contains to many host namespaces Podman container image contains too many host namespaces Mar 30, 2022
@rhatdan
Copy link
Member

rhatdan commented Mar 30, 2022

The basic idea of podman and buildah inside of a container, is you already have separate namespaces from the parent container, so use them. Rather then add the complexity of multiple different namespaces.

@rhatdan
Copy link
Member

rhatdan commented Mar 30, 2022

Uts should match up with what we decide for network though.

@Luap99
Copy link
Member Author

Luap99 commented Mar 30, 2022

Sure but then podman should be working with a host uts namespace.

Also buildah ignores most containers.conf settings, see containers/buildah#3836

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Copy link
Member

rhatdan commented May 2, 2022

@Luap99 any movement on this?

@Luap99
Copy link
Member Author

Luap99 commented May 5, 2022

No I think it is not a good idea to have many host namespaces in the container. This will result in vastly different behaviour between podman in a container and on the host.

Anyway the current state is that podman pod create is broken when you have uts set to host (not relevant if container or not) so we should fix this.

@Luap99 Luap99 mentioned this issue May 5, 2022
Closed
Luap99 added a commit to Luap99/libpod that referenced this issue May 6, 2022
@Luap99
pod create: work with uts host namespace
1594544 
When you have utsns="host" set in containers.conf the podman pod create
command currently fails because it always sets a hostname for the pod.
This is wrong, we only want a hostname with a private uts namespace.
Otherwise we should ignore it.

The test currently cannot work rootless because containers#13763.

Ref containers#13714

Signed-off-by: Paul Holzinger <[email protected]>
@github-actions
Copy link

github-actions bot commented Jun 5, 2022

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Copy link
Member

rhatdan commented Jun 6, 2022

@cdoern PTAL

@cdoern cdoern self-assigned this Jun 6, 2022
@cdoern
Copy link
Contributor

cdoern commented Jun 6, 2022

@Luap99 would this be satisfied by adding the --uts flag to pod create? I can wire that up today

@cdoern cdoern mentioned this issue Jun 6, 2022
Merged
cdoern added a commit to cdoern/podman that referenced this issue Jul 5, 2022
@cdoern
podman pod create --uts support
8f2d9e7 
add support for the --uts flag in pod create, allowing users to avoid
issues with default values in containers.conf.

uts follows the same format as other namespace flags:
--uts=private (default), --uts=host, --uts=ns:PATH

resolves containers#13714

Signed-off-by: Charlie Doern <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 20, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 20, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@cdoern cdoern

Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

podman pod create --uts support cdoern/podman
3 participants
@rhatdan @cdoern @Luap99