Merge pull request #1057 from 89luca89/feature/ipc_flag

create/run: add ipc flag to create and run commands

Author: AkihiroSuda

README.md

@@ -480,6 +480,7 @@ Logging flags:
           - :whale: `--log-opt=max-file=<MAX-FILE>`: The maximum number of log files that can be present. If rolling the logs creates excess files, the oldest file is removed. Only effective when `max-size` is also set. A positive integer. Defaults to 1.
 
 Shared memory flags:
+- :whale: `--ipc`: IPC namespace to use
 - :whale: `--shm-size`: Size of `/dev/shm`
 
 GPU flags:

cmd/nerdctl/run.go

@@ -138,6 +138,10 @@ func setCreateFlags(cmd *cobra.Command) {
 	cmd.Flags().StringP("hostname", "h", "", "Container host name")
 	// #endregion
 
+	cmd.Flags().String("ipc", "", `IPC namespace to use ("host"|"private")`)
+	cmd.RegisterFlagCompletionFunc("ipc", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		return []string{"host", "private"}, cobra.ShellCompDirectiveNoFileComp
+	})
 	// #region cgroups, namespaces, and ulimits flags
 	cmd.Flags().Float64("cpus", 0.0, "Number of CPUs")
 	cmd.Flags().StringP("memory", "m", "", "Memory limit")
@@ -744,6 +748,33 @@ func generateRootfsOpts(ctx context.Context, client *containerd.Client, platform
 	return opts, cOpts, ensured, nil
 }
 
+// withBindMountHostIPC replaces /dev/shm and /dev/mqueue  mount with rbind.
+// Required for --ipc=host on rootless.
+//
+func withBindMountHostIPC(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+	for i, m := range s.Mounts {
+		if path.Clean(m.Destination) == "/dev/shm" {
+			newM := specs.Mount{
+				Destination: "/dev/shm",
+				Type:        "bind",
+				Source:      "/dev/shm",
+				Options:     []string{"rbind", "nosuid", "noexec", "nodev"},
+			}
+			s.Mounts[i] = newM
+		}
+		if path.Clean(m.Destination) == "/dev/mqueue" {
+			newM := specs.Mount{
+				Destination: "/dev/mqueue",
+				Type:        "bind",
+				Source:      "/dev/mqueue",
+				Options:     []string{"rbind", "nosuid", "noexec", "nodev"},
+			}
+			s.Mounts[i] = newM
+		}
+	}
+	return nil
+}
+
 // withBindMountHostProcfs replaces procfs mount with rbind.
 // Required for --pid=host on rootless.
 //

cmd/nerdctl/run_linux.go

@@ -175,5 +175,17 @@ func setPlatformOptions(opts []oci.SpecOpts, cmd *cobra.Command, id string) ([]o
 		opts = append(opts, oci.WithRdt(rdtClass, "", ""))
 	}
 
+	ipc, err := cmd.Flags().GetString("ipc")
+	if err != nil {
+		return nil, err
+	}
+	// if nothing is specified, or if private, default to normal behavior
+	if ipc == "host" {
+		opts = append(opts, oci.WithHostNamespace(specs.IPCNamespace))
+		opts = append(opts, withBindMountHostIPC)
+	} else if ipc != "" && ipc != "private" {
+		return nil, fmt.Errorf("error: %v", "invalid ipc value, supported values are 'private' or 'host'")
+	}
+
 	return opts, nil
 }

cmd/nerdctl/run_linux_test.go

@@ -71,6 +71,18 @@ func TestRunPidHost(t *testing.T) {
 	base.Cmd("run", "--rm", "--pid=host", testutil.AlpineImage, "ps", "auxw").AssertOutContains(strconv.Itoa(pid))
 }
 
+func TestRunIpcHost(t *testing.T) {
+	t.Parallel()
+	base := testutil.NewBase(t)
+	testFilePath := filepath.Join("/dev/shm",
+		fmt.Sprintf("%s-%d-%s", testutil.Identifier(t), os.Geteuid(), base.Target))
+	err := os.WriteFile(testFilePath, []byte(""), 0644)
+	assert.NilError(base.T, err)
+	defer os.Remove(testFilePath)
+
+	base.Cmd("run", "--rm", "--ipc=host", testutil.AlpineImage, "ls", testFilePath).AssertOK()
+}
+
 func TestRunAddHost(t *testing.T) {
 	t.Parallel()
 	base := testutil.NewBase(t)