Skip to content

Validate userns container config is consistent with sandbox userns config #7882

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
samuelkarp merged 3 commits into from
Dec 31, 2022
Merged

Validate userns container config is consistent with sandbox userns config #7882

samuelkarp merged 3 commits into from
Dec 31, 2022

Conversation

@rata
Copy link
Contributor

@rata rata commented Dec 30, 2022
edited
Loading

This is a follow-up to address one item of this comment by @fuweid: #7679 (review)

The first commit fixes an issue running the tests (assert vs require, so the function result can be nil by mistake instead of failing early).

The second commit is the follow-up itself. I didn't use reflect, as it might be too slow to use on the container creation path. But this means we need to update sameUsernsConfig() if the runtime.UserNamespace type changes. Let me know if you prefer to use reflect here.

The third commit just removes a variable that is not really helpful. It is a cosmetic change, no functional change.

@rata
cri: Fix assert vs require in tests
a44b356 
Currently we require that c.containerSpec() does not return an error
if test.err is not set.

However, if the require fails (i.e. it indeed returned an error) the
rest of the code is executed anyways. The rest of the code assumes it
did not return an error (so code assumes spec is not nil). This fails
miserably if it indeed returned an error, as spec is nil and go crashes
while running the unit tests.

Let's require it is not an error, so code does not continue to execute
if that fails and go doesn't crash.

In the test.err case is not harmful the bug of using assert, but let's
switch it to require too as that is what we really want.

Signed-off-by: Rodrigo Campos <[email protected]>
@k8s-ci-robot
Copy link

k8s-ci-robot commented Dec 30, 2022

Hi @rata. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rata
cri: Verify userns container config is consisten with sandbox
4eed20f 
The sandbox and container both have the userns config. Lets make sure
they are the same, therefore consistent.

Signed-off-by: Rodrigo Campos <[email protected]>
@rata rata force-pushed the rata/userns-stateless-pods branch from 56b5946 to 2752da6 Compare December 30, 2022 18:08
@rata
cri: Simplify parseUsernsIDs()
72ef986 
Signed-off-by: Rodrigo Campos <[email protected]>
@rata rata force-pushed the rata/userns-stateless-pods branch from 2752da6 to 72ef986 Compare December 30, 2022 19:50
@rata
Copy link
Contributor Author

rata commented Dec 30, 2022

CI failures are unrelated, but pushing again to trigger a retest

@samuelkarp
Copy link
Member

samuelkarp commented Dec 31, 2022

/ok-to-test

@samuelkarp samuelkarp added area/cri Container Runtime Interface (CRI) cherry-pick/sbserver labels Dec 31, 2022
@samuelkarp samuelkarp merged commit d769f03 into containerd:main Dec 31, 2022
@rata rata deleted the rata/userns-stateless-pods branch December 31, 2022 17:59
mxpv added a commit to mxpv/containerd that referenced this pull request Jan 17, 2023
@mxpv
Backport unit test from containerd#7882 to sbserver
666eb14 
Signed-off-by: Maksym Pavlenko <[email protected]>
@mxpv mxpv mentioned this pull request Jan 17, 2023
Merged
mxpv added a commit to mxpv/containerd that referenced this pull request Jan 17, 2023
@mxpv
Backport unit test from containerd#7882 to sbserver
b0d7a96 
Signed-off-by: Maksym Pavlenko <[email protected]>
@mxpv mxpv added cherry-picked/sbserver Changes are backported to sbserver and removed cherry-pick/sbserver labels Jan 19, 2023
jsturtevant pushed a commit to jsturtevant/containerd that referenced this pull request Sep 21, 2023
@mxpv @jsturtevant
Backport unit test from containerd#7882 to sbserver
7a4dc73 
Signed-off-by: Maksym Pavlenko <[email protected]>
kiashok pushed a commit to kiashok/containerd that referenced this pull request Oct 23, 2024
@mxpv
Backport unit test from containerd#7882 to sbserver
649dc88 
Signed-off-by: Maksym Pavlenko <[email protected]>
kiashok added a commit to kiashok/containerd that referenced this pull request Oct 23, 2024
@kiashok
Merged PR 7482211: Update containerd fork-external/main with upstream…
d66a29a 
… main

Updates ADO containerd fork-external/main with upstream containerd main @commit hash: f9f8455
containerd@f9f8455

Additional changes in the PR:
- update linux container image version
- remove copying LICENSE file in shared-build-stages.yml
- additions to .gdnsuppress

Related work items: containerd#5674, containerd#7393, containerd#7661, containerd#7685, containerd#7810, containerd#7850, containerd#7861, containerd#7879, containerd#7880, containerd#7881, containerd#7882, containerd#7883, containerd#7886, containerd#7887, containerd#7888, containerd#7891, containerd#7892, containerd#7893, containerd#7894, containerd#7903, containerd#7904, containerd#7905, containerd#7906, containerd#7907, containerd#7908, containerd#7911, containerd#7913, containerd#7914, containerd#7917, containerd#7925, containerd#7927, containerd#7928, containerd#7929, containerd#7932, containerd#7935, containerd#7943, containerd#7946, containerd#7948, containerd#7957, containerd#7958, containerd#7960, containerd#7963, containerd#7969, containerd#7970, containerd#7973
kiashok added a commit to kiashok/containerd that referenced this pull request Oct 23, 2024
@kiashok
Merged PR 7534707: Update fork-external/main with upstream containerd…
f02f374 
…/main

Update fork-external/main with upstream containerd/containerd/main at commit hash 3d32da8

Related work items: containerd#5674, containerd#7129, containerd#7393, containerd#7661, containerd#7685, containerd#7810, containerd#7850, containerd#7861, containerd#7882, containerd#7883, containerd#7886, containerd#7891, containerd#7892, containerd#7893, containerd#7903, containerd#7904, containerd#7905, containerd#7906, containerd#7907, containerd#7908, containerd#7911, containerd#7913, containerd#7914, containerd#7917, containerd#7925, containerd#7927, containerd#7928, containerd#7929, containerd#7932, containerd#7935, containerd#7943, containerd#7946, containerd#7948, containerd#7957, containerd#7958, containerd#7959, containerd#7960, containerd#7963, containerd#7968, containerd#7969, containerd#7970, containerd#7973, containerd#7985, containerd#7987, containerd#7994, containerd#8005
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dmcgowan dmcgowan dmcgowan approved these changes

@samuelkarp samuelkarp samuelkarp approved these changes

Assignees

No one assigned

Labels

area/cri Container Runtime Interface (CRI) cherry-picked/sbserver Changes are backported to sbserver ok-to-test

Projects

Pull Request Review
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@rata @k8s-ci-robot @samuelkarp @dmcgowan @mxpv