Allow containers to use both host network and user namespace

[HirazawaUi]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This is the implementation of KEP-5607 in cri-o.

In KEP-5607, we allow containers to use both user namespace and host network simultaneously. This requires us to change the sys mount to a bind mount when the user employs both user namespace and host network, because mounting sys in the standard way is a privileged operation, which would prevent the container from using the standard /sys mount.

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Allow containers to use both host network and user namespace.

Summary by CodeRabbit

• Bug Fixes & Improvements
  • System filesystem mounts inside containers now respect user-namespace settings, improving isolation and compatibility when host networking is used.
  • Sandbox ID mappings are consulted during container filesystem setup to ensure consistent ownership and access behavior across environments.
  • Container startup now fails early on mapping retrieval errors, adding clearer error handling for more reliable cross-platform initialization.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[openshift-ci]

Hi @HirazawaUi. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Walkthrough

Fetches sandbox ID mappings before preparing sysfs mounts and passes both the sandbox and mappings into addSysfsMounts; addSysfsMounts signature updated across platforms and Linux sysfs mounting now branches based on presence of user namespace mappings.

Changes

Cohort / File(s)	Summary
Container creation flow server/container_create.go	Retrieve sandbox ID mappings via s.getSandboxIDMappings(ctx, sb) with error handling, then call addSysfsMounts(ctr, containerConfig, hostNet, sb, containerMappings) instead of the previous call.
Function signature updates server/container_create_freebsd.go, server/container_create_linux.go	Change addSysfsMounts signature to add parameters sb *sandbox.Sandbox and containerIDMappings *idtools.IDMappings; reorder imports in FreeBSD file and add the extra parameters to callers.
User namespace-aware sysfs mounting (Linux) server/container_create_linux.go	Introduce usernsEnabled := containerIDMappings != nil and branch host-network /sys mounting: when userns enabled, use a read-only bind mount from /sys (ro,rbind); otherwise mount /sys as sysfs and add cgroup /sys mount as before.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Verify all callers of addSysfsMounts updated to the new signature.
• Inspect s.getSandboxIDMappings error handling and propagation.
• Review Linux mount branching for correctness (bind vs sysfs) and mount options.
• Confirm FreeBSD stub/signature change is consistent and builds cleanly.

Poem

🐇 I hopped through mounts at break of day,
I fetched the mappings, then found my way,
If userns sleeps, sysfs sings free,
If userspace wakes, I bind gently—whee!
New paths, light paws, a small hooray.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main objective of the PR: enabling containers to use both host network and user namespace simultaneously, which is the core feature implemented across the changed files.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[saschagrunert]

Thank youf for the PR @HirazawaUi, please sign-off your commit.

/ok-to-test

[giuseppe]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, HirazawaUi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [giuseppe]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[saschagrunert]

/lgtm cancel

Please fix the linter: https://github.com/cri-o/cri-o/actions/runs/19898717159/job/57037105155?pr=9634

[codecov]

Codecov Report

❌ Patch coverage is 64.51613% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.90%. Comparing base (78732e4) to head (6bb8a38).
⚠️ Report is 34 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #9634      +/-   ##
==========================================
- Coverage   66.97%   66.90%   -0.07%     
==========================================
  Files         205      205              
  Lines       28826    28842      +16     
==========================================
- Hits        19306    19298       -8     
- Misses       7867     7890      +23     
- Partials     1653     1654       +1     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

server/container_create_linux.go (1)

870-871: Tidy up addSysfsMounts parameters and userns detection (optional)

Two minor cleanups you might consider:

1. sb *sandbox.Sandbox is currently unused in this helper; if you don’t plan to use it soon, you could drop it to keep the function signature minimal and avoid potential linter complaints about unused parameters.
2. If there’s any chance of passing an “empty” but non‑nil IDMappings, usernsEnabled could track that more explicitly:

-func addSysfsMounts(ctr ctrfactory.Container, containerConfig *types.ContainerConfig, hostNet bool, sb *sandbox.Sandbox, containerIDMappings *idtools.IDMappings) {
-    usernsEnabled := containerIDMappings != nil
+func addSysfsMounts(ctr ctrfactory.Container, containerConfig *types.ContainerConfig, hostNet bool, sb *sandbox.Sandbox, containerIDMappings *idtools.IDMappings) {
+    usernsEnabled := containerIDMappings != nil && !containerIDMappings.Empty()

Not mandatory, but would make the intent around “userns actually in use” a bit clearer.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dfe7542 and 6bb8a38.

📒 Files selected for processing (3)

• server/container_create.go (1 hunks)
• server/container_create_freebsd.go (2 hunks)
• server/container_create_linux.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• server/container_create.go
• server/container_create_freebsd.go

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Use interface-based design and dependency injection patterns in Go code
Propagate context.Context through function calls in Go code
Use fmt.Errorf with %w for error wrapping in Go code
Use logrus with structured fields for logging in Go code
Add comments explaining 'why' not 'what' in Go code
Use platform-specific file naming: *_{linux,freebsd}.go for platform-dependent code

Files:

• server/container_create_linux.go

🧬 Code graph analysis (1)

server/container_create_linux.go (2)

internal/oci/container.go (1)

• Container (44-92)

internal/factory/container/container.go (1)

• Container (40-142)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (18)

• GitHub Check: rpm-build:fedora-rawhide-x86_64:fedora-rawhide
• GitHub Check: rpm-build:centos-stream-9-aarch64:fedora-rawhide
• GitHub Check: rpm-build:fedora-rawhide-aarch64:fedora-rawhide
• GitHub Check: rpm-build:fedora-43-aarch64:fedora-rawhide
• GitHub Check: rpm-build:fedora-43-x86_64:fedora-rawhide
• GitHub Check: rpm-build:centos-stream-9-x86_64:fedora-rawhide
• GitHub Check: rpm-build:fedora-43-x86_64:fedora-rawhide
• GitHub Check: rpm-build:fedora-rawhide-x86_64:fedora-rawhide
• GitHub Check: rpm-build:centos-stream-9-aarch64:fedora-rawhide
• GitHub Check: rpm-build:fedora-rawhide-aarch64:fedora-rawhide
• GitHub Check: rpm-build:centos-stream-9-x86_64:fedora-rawhide
• GitHub Check: rpm-build:fedora-43-aarch64:fedora-rawhide
• GitHub Check: rpm-build:centos-stream-9-aarch64:fedora-rawhide
• GitHub Check: rpm-build:centos-stream-9-x86_64:fedora-rawhide
• GitHub Check: rpm-build:fedora-43-x86_64:fedora-rawhide
• GitHub Check: rpm-build:fedora-rawhide-aarch64:fedora-rawhide
• GitHub Check: rpm-build:fedora-rawhide-x86_64:fedora-rawhide
• GitHub Check: rpm-build:fedora-43-aarch64:fedora-rawhide

🔇 Additional comments (1)

server/container_create_linux.go (1)

870-898: HostNetwork + userns handling for /sys and cgroups looks correct

The new usernsEnabled branch that bind‑mounts /sys for hostNetwork pods with user namespaces cleanly avoids re‑mounting sysfs in that configuration, while the non‑userns path still mounts a fresh sysfs plus the cgroup filesystem as before. This keeps existing behavior for non‑userns pods and aligns with the KEP intent for hostNetwork+userns pods, including interaction with hasCgroupMount / setupSystemd.

[HirazawaUi]

Please fix the linter: https://github.com/cri-o/cri-o/actions/runs/19898717159/job/57037105155?pr=9634

Thanks for the heads up. The lint error has been fixed.

[bitoku]

/lgtm

[bitoku]

/retest

[bitoku]

/retest

[haircommander]

I think this would be better as hostUser and do the usernsEnabled check in the caller. WDYT?

[HirazawaUi]

Of course. This code was modified in PR #9660, and some additional cleanup was performed.