开启用户名空间映射（userns-remap）的情况下，创建新容器时指定--net为已有容器，容器创建失败

【标题描述】开启用户名空间映射（userns-remap）的情况下，创建新容器时指定--net为已有容器，容器创建失败
【环境信息】
硬件信息：与硬件无关
软件信息：
1）与具体发型版无关
2） linux5.10
3）发现问题的组件版本信息
XXX ~ # isula version
Client:
Version: 2.0.11
Git commit: 6a7f6dd0dbc5f1a988286b0694ee219118df2102
Built: 2022-09-26T13:01:12.964905896+08:00

Server:
Version: 2.0.11
Git commit: 6a7f6dd0dbc5f1a988286b0694ee219118df2102
Built: 2022-09-26T13:01:12.964905896+08:00

OCI config:
Version: 1.0.1
Default file: /xxx/xxx/xxx/config.json
【问题复现步骤】
1）引擎开启用户名空间映射
2）创建第一个容器app1
3）创建第二个容器，指定--net container:app1
问题必现
【预期结果】
第二个容器创建成功
【实际结果】
第二个容器创建失败
【附件信息】
XXX ~ # isula create --net container:app1 oas_test
Error response from daemon: Failed to chown network file '/hostname' to XXXXX:XXXXX: No such file or directory
【初步定位信息】
当指定参数 --net container:app1 ，创建容器流程的 init_container_network_confs_container 函数在初始化容器网络配置文件 "hostname/hosts/resolv.conf" 的路径时，直接复制app1的路径。
与正常流程不一样，未在新容器的rootpath目录下创建这些配置文件。

↓ init_container_network_confs_container
 ↓ init_container_network_confs
  ↓ container_create_cb

static int init_container_network_confs_container(const char *id, const host_config *hc,
                                                  container_config_v2_common_config *v2_spec)
{
    int ret = 0;
    size_t len = strlen(SHARE_NAMESPACE_PREFIX);
    container_t *nc = NULL;

    nc = get_networked_container(id, hc->network_mode + len, false);
    if (nc == NULL) {
        ERROR("Error to get networked container");
        return -1;
    }

    if (nc->common_config->hostname_path != NULL) {
        free(v2_spec->hostname_path);
        v2_spec->hostname_path = util_strdup_s(nc->common_config->hostname_path);
    }
    if (nc->common_config->hosts_path != NULL) {
        free(v2_spec->hosts_path);
        v2_spec->hosts_path = util_strdup_s(nc->common_config->hosts_path);
    }
    if (nc->common_config->resolv_conf_path != NULL) {
        free(v2_spec->resolv_conf_path);
        v2_spec->resolv_conf_path = util_strdup_s(nc->common_config->resolv_conf_path);
    }

    if (nc->common_config->config != NULL && nc->common_config->config->hostname != NULL) {
        free(v2_spec->config->hostname);
        v2_spec->config->hostname = util_strdup_s(nc->common_config->config->hostname);
    }

但是，在后续流程的 merge_network_for_universal_container 函数中，修改网络配置文件属主时，未考虑 --net container:app1 的场景，直接修改新容器rootpath目录下的hostname文件。

↓ merge_network_for_universal_container
 ↓ merge_network
  ↓ container_create_cb

static int merge_network_for_universal_container(const host_config *host_spec, const char *runtime_root, const char *id)
{
    int ret = 0;
    int nret = 0;
    char root_path[PATH_MAX] = { 0x00 };
#ifdef ENABLE_USERNS_REMAP
    char *userns_remap = conf_get_isulad_userns_remap();
#endif

    if (runtime_root == NULL || id == NULL) {
        ERROR("empty runtime root or id");
        ret = -1;
        goto out;
    }

    nret = snprintf(root_path, PATH_MAX, "%s/%s", runtime_root, id);
    if (nret < 0 || nret >= PATH_MAX) {
        ERROR("Failed to print string");
        ret = -1;
        goto out;
    }

#ifdef ENABLE_USERNS_REMAP
    ret = chown_network(userns_remap, root_path, "/hostname");
    if (ret) {
        ret = -1;
        goto out;
    }

显然此时rootpath目录不会有这些网络配置文件，因此报错 No such file。

Hi hwzjyggsddu, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: iSulad, and any of the maintainers: @haomintsai , @lifeng_isula , @haozi007 , @jingxiaolu , @JingWoo

container_create_cb

    // 新增判断，如果是共享net的不需要调用该函数
    if (merge_network(host_spec, request->rootfs, runtime_root, id, container_spec->hostname) != 0) {
        ERROR("Failed to merge network config");
        cc = ISULAD_ERR_EXEC;
        goto umount_shm;
    }

/close

@zhangxiaoyu you can't close an issue unless you are the author of it or a collaborator.

/close

GVP openEuler / iSulad

内容风险标识

评论 (5)

GVPopenEuler / iSulad

内容风险标识