Allow chained network namespace containers

The code currently assumes that the container we delegate network namespace to will never further delegate to another container, so when looking up things like /etc/hosts and /etc/resolv.conf we won't pull the correct files from the chained dependency. The changes to resolve this are relatively simple - just need to keep looking until we find a container without NetNsCtr set. Fixes containers#4626 Signed-off-by: Matthew Heon <[email protected]>
giuseppe · Dec 3, 2019 · b0b9103 · b0b9103
1 parent c9696c4
commit b0b9103
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/libpod/container.go b/libpod/container.go
@@ -1146,7 +1146,7 @@ func (c *Container) NetworkDisabled() (bool, error) {
 		if err != nil {
 			return false, err
 		}
-		return networkDisabled(container)
+		return container.NetworkDisabled()
 	}
 	return networkDisabled(c)
 

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
@@ -1016,9 +1016,24 @@ func (c *Container) makeBindMounts() error {
 			// We want /etc/resolv.conf and /etc/hosts from the
 			// other container. Unless we're not creating both of
 			// them.
-			depCtr, err := c.runtime.state.Container(c.config.NetNsCtr)
-			if err != nil {
-				return errors.Wrapf(err, "error fetching dependency %s of container %s", c.config.NetNsCtr, c.ID())
+			var (
+				depCtr  *Container
+				nextCtr string
+			)
+
+			// I don't like infinite loops, but I don't think there's
+			// a serious risk of looping dependencies - too many
+			// protections against that elsewhere.
+			nextCtr = c.config.NetNsCtr
+			for {
+				depCtr, err = c.runtime.state.Container(nextCtr)
+				if err != nil {
+					return errors.Wrapf(err, "error fetching dependency %s of container %s", c.config.NetNsCtr, c.ID())
+				}
+				nextCtr = depCtr.config.NetNsCtr
+				if nextCtr == "" {
+					break
+				}
 			}
 
 			// We need that container's bind mounts