docker/docker#27484-check if sysctls are used in host network mode. #1138
Conversation
PTAL @crosbymichael
Branch force-pushed from 7a30894 to 2a823be
Sorry about it, I have added it.
Branch force-pushed from 2a823be to 1144d8a
if err != nil { | ||
return fmt.Errorf("read soft link %q error", path) | ||
} | ||
if destOfContainer == destOfCurrentProcess { |
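Review bot: the error returned at `return fmt.Errorf("read soft link %q error", path)` discards the underlying readlink error, so a caller cannot tell a missing namespace path from a permission problem; wrap it, e.g. `fmt.Errorf("read soft link %q error: %v", path, err)`. The comparison `destOfContainer == destOfCurrentProcess` also only detects the host namespace when the validating process itself runs in the host's network namespace, which is worth stating in a comment next to it.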
Can we add a helper method to compare namespace links?
OK, the logic is a little complex.
Branch force-pushed from c307ab2 to 3ce3ea5
PTAL
return fmt.Errorf("sysctl %q is not allowed in the hosts network namespace", s) | ||
} | ||
if config.Namespaces.PathOf(configs.NEWNET) != "" { |
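Review bot: the `PathOf(configs.NEWNET) != ""` branch at this line only covers a container that joins an existing namespace by path; a NEWNET entry without a path creates a fresh namespace and is safe, but a config with no NEWNET entry at all shares the host namespace and must still hit the `sysctl %q is not allowed in the hosts network namespace` error above, so please make sure that case is rejected before this branch rather than falling through as allowed.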
You can do this:
if path := config.Namespaces.PathOf(configs.NEWNET); path != "" {
if err := checkHostNs(s, path); err != nil {
return err
}
}
got it.
Signed-off-by: Ce Gao <ce.gao@outlook.com>
Branch force-pushed from 3ce3ea5 to bc84f83
Signed-off-by: Ce Gao <ce.gao@outlook.com>
PTAL
@gaocegege I was testing an update to
@@ -125,14 +125,36 @@ func (v *ConfigValidator) sysctl(config *configs.Config) error { | |||
} | |||
} | |||
if strings.HasPrefix(s, "net.") { | |||
if config.Namespaces.Contains(configs.NEWNET) { | |||
continue |
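Review bot: `config.Namespaces.Contains(configs.NEWNET)` at this line is true whenever a network namespace entry is present, including one whose path points at the host's own namespace, so the `continue` skips the check in exactly the case this PR is meant to catch; the path comparison (`PathOf(configs.NEWNET)` followed by the readlink check against the current process's namespace) has to run before this `continue`, and only an entry with an empty path should be allowed through unconditionally.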
Ah yeah, this is a bug. I'll make a PR to fix it.
ref moby/moby#27484
Signed-off-by: Ce Gao <ce.gao@outlook.com>