Add support for ipc namespace modes "none, private, sharable" #13583
Conversation
openshift-ci
bot
added
the
approved
|
@mheon Currently we don't record the IPCMode of a container, but in order to get --ipcmod=private to work properly, we need to check if the container we are trying to share IPCMode with is marked as private, and then reject the connection. How would you like me to record this information? Should we just add it to the config? |
rhatdan
changed the title
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Requires: containers/common#972 |
|
Why do we need to record it? For other namespaces we just reverse-engineer it from the OCI spec |
|
I don't think they can regenerate it from the spec. "private" means that the container can not be shared with another container. There is nothing in the spec to indicate this as different then "sharable". |
pkg/specgen/generate/namespaces.go
Outdated
| @@ -134,9 +135,13 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod. | |||
| if err != nil { | |||
| return nil, errors.Wrapf(err, "error looking up container to share ipc namespace with") | |||
| } | |||
| if ipcCtr.Config().IPCMode.IsPrivate() { | |||
There was a problem hiding this comment.
Should use .ConfigNoCopy() or however this function was called.
|
@rhatdan If the only thing we're worried about is shareable IPC, I think a |
|
Actually, I wonder if we even need the 3 states. Just a bool is probably file - |
rhatdan
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
@mheon We care about whether the IPC Mode was none as well. Sharable, Private, None. I think we end up being Mode, so I am not sure why we don't just record it. |
|
None is easy, just check that the bool is false (not creating shareable IPC) and the IPC namespace is missing from the OCI spec |
docs/source/markdown/podman-run.1.md
Outdated
| - **ns:**_path_: path to an IPC namespace to join. | ||
| - **private**: private IPC namespace. | ||
| = **shareable**: private IPC with a possibility to share it with other containers. |
rhatdan
force-pushed
the
ipc
branch
2 times, most recently
from
1e12746 to
f3c7883
Compare
|
@mheon None does not mean don't create the IPC namespace, it means create the ipc namespace but don't mount tmpfs on /dev/shm. --ipc=host means don't create the ipc namespace. Thus we have to save the mode. |
|
Then we probably want a separate "NoCreateSHM" bool. I really do not want to store the literal mode in the DB, we did that with network and it has not worked out well for us - string-comparing against a user-provided string in the DB to determine what mode we are in is complicated. |
|
Do you want noshareshm, which would indicate what we are doing. We still could not tell the difference in the podman contanier inspect though. Or do you want two booleans. |
|
@rhatdan Two bools, one for "do not create any SHM", one for "create a shareable SHM" |
openshift-ci
bot
added
the
needs-rebase
openshift-ci
bot
removed
the
needs-rebase
rhatdan
force-pushed
the
ipc
branch
3 times, most recently
from
85bf788 to
3478fe3
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
| a private IPC namespace. | ||
|
|
||
| - "": Use Podman's default, defined in containers.conf. | ||
| - **container:**_id_: reuses another container's shared memory, semaphores, and message queues |
There was a problem hiding this comment.
nit
| - **container:**_id_: reuses another container's shared memory, semaphores, and message queues | |
| - **container:**_id_: reuses another container's shared memory, semaphores, and message queues. |
| @@ -528,9 +528,13 @@ To specify multiple static IPv6 addresses per container, set multiple networks u | |||
| Set the IPC namespace mode for a container. The default is to create | |||
| a private IPC namespace. | |||
|
|
|||
| - "": Use Podman's default, defined in containers.conf. | |||
| - **container:**_id_: reuses another container shared memory, semaphores and message queues | |||
|
A couple of missing periods that can be addressed later. LGTM, but I would like a head nod from @mheon as he had a couple of comments in previous passes. |
|
Will review after lunch |
libpod/container_inspect.go
Outdated
| } else if ctrSpec.Linux != nil { | ||
| switch { | ||
| case !c.config.ShmShare: | ||
| hostConfig.IpcMode = "private" |
There was a problem hiding this comment.
Won't this be true for ipc=container: as well?
There was a problem hiding this comment.
ShmShare would be set for them.
libpod/container_config.go
Outdated
| // ShmShare indicates whether /dev/shm can be shared with other containers | ||
| ShmShare bool `json:"ShmShare,omitempty"` | ||
| // ShmMount indicates whether a tmpfs should be created and mounted on /dev/shm | ||
| ShmMount bool `json:"ShmMount,omitempty"` |
There was a problem hiding this comment.
This could break old containers, which won't have this set to true - maybe NoShmMount instead?
Fixes: containers#13265 Signed-off-by: Daniel J Walsh <[email protected]>
|
/lgtm |
openshift-ci
bot
removed
the
do-not-merge/hold
github-actions
bot
added
the
locked - please file new issue/PR
Fixes: #13265
Signed-off-by: Daniel J Walsh [email protected]