
podman: rootless net dependency fails to mount SHM #2556

Closed
haircommander opened this issue Mar 6, 2019 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. rootless

Comments

@haircommander
Collaborator

haircommander commented Mar 6, 2019

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

When running in rootless, adding a net dependency somehow messes with the ipc namespace. Somehow, a container fails to mount SHM.

Steps to reproduce the issue:

1. podman run -d --add-host redis:127.0.0.1 --name c1 busybox httpd -f -p 80
2. podman run --net container:c1 busybox ping -c 5 redis

Describe the results you received:
Error: failed to mount shm tmpfs "/home/demo/.local/share/containers/storage/vfs-containers/34bed25987df37b0f50cc7576899c68ead675b4c45e19695825d2b7f20dab856/userdata/shm": operation not permitted

Describe the results you expected:
A successful ping to the redis host, with no failure to mount tmpfs.
Specifically, I expected it to work the same as it does in root, or as this does in rootless:
podman run -d --add-host redis:127.0.0.1 --name c1 busybox httpd -f -p 80
podman run --net container:c1 --ipc host busybox ping -c 5 redis

I also expect it to work similarly to this, but without failing the redis ping:
podman run -d --add-host redis:127.0.0.1 --name c1 busybox httpd -f -p 80
podman run busybox ping -c 5 redis

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:            1.2.0-dev
RemoteAPI Version:  1
Go Version:         go1.11.5
Git Commit:         189b63a3b2e17f27c14cc9dcb6626e68f36a026e-dirty
Built:              Tue Mar  5 16:11:17 2019
OS/Arch:            linux/amd64

Output of podman info --debug:

 $ podman info --debug
debug:
  compiler: gc
  git commit: 189b63a3b2e17f27c14cc9dcb6626e68f36a026e-dirty
  go version: go1.11.5
  podman version: 1.2.0-dev
host:
  BuildahVersion: 1.7.1
  Conmon:
    package: Unknown
    path: /usr/libexec/crio/conmon
    version: 'conmon version 1.14.0-dev, commit: 0144cc61fdce653563be8f14926594dbaf840d18'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 27468763136
  MemTotal: 33072807936
  OCIRuntime:
    package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
      spec: 1.0.1-dev
  SwapFree: 16605245440
  SwapTotal: 16605245440
  arch: amd64
  cpus: 8
  hostname: localhost.localdomain
  kernel: 4.20.13-200.fc29.x86_64
  os: linux
  rootless: true
  uptime: 33m 46.91s
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/pehunt/.config/containers/storage.conf
  ContainerStore:
    number: 4
  GraphDriverName: vfs
  GraphOptions: null
  GraphRoot: /home/pehunt/.local/share/containers/storage
  GraphStatus: {}
  ImageStore:
    number: 4
  RunRoot: /run/user/1000
  VolumePath: /home/pehunt/.local/share/containers/storage/volumes

Additional environment details (AWS, VirtualBox, physical, etc.):
fedora 29 desktop

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Mar 6, 2019
@haircommander
Collaborator Author

Thanks to @muayyad-alsadi for pointing out this issue in #2504.

@haircommander
Collaborator Author

@giuseppe @mheon PTAL. I tried finding it but I couldn't get anywhere; I can't find any namespace interaction that indicates this should happen.

@mheon mheon added the rootless label Mar 6, 2019
@giuseppe
Member

giuseppe commented Mar 7, 2019

It is very similar to another issue that was reported today and that I had already opened a PR for.

I've added another patch to address this case as well: #2569

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023