Merge pull request #30 from ccojocar/optional-host-pid

Add an option to skip the check that a container runs into the host PID namespace

pkg/apparmor/apparmor_linux.go

@@ -128,7 +128,7 @@ func (a *AppArmor) LoadPolicy(fileName string) error {
 
 	err = cmd.Run()
 	if err != nil {
-		return err
+		return fmt.Errorf("parsing profile: %w", err)
 	}
 
 	runtime.LockOSThread()

pkg/hostop/mount_linux.go

@@ -32,6 +32,7 @@ func NewMountHostOp(opts ...HostOpOption) HostOp {
 	o := hostOpOpts{
 		logger:          logr.Discard(),
 		insideContainer: InsideContainer,
+		hostPidCheck:    func() bool { return true },
 	}
 
 	o.applyOpts(opts...)
@@ -50,16 +51,16 @@ func NewMountHostOp(opts ...HostOpOption) HostOp {
 func (m *mountHostOp) Do(action func() error) error {
 	if m.opts.insideContainer() {
 		m.opts.logger.V(2).Info("running inside container")
+		if m.opts.hostPidCheck() {
+			hostPidNs, err := HostPidNamespace()
+			if err != nil {
+				return fmt.Errorf("identifying pid namespace: %w", err)
+			}
 
-		hostPidNs, err := HostPidNamespace()
-		if err != nil {
-			return fmt.Errorf("identifying pid namespace: %w", err)
-		}
-
-		if !hostPidNs {
-			return fmt.Errorf("must run within host PID namespace: %w", err)
+			if !hostPidNs {
+				return fmt.Errorf("must run within host PID namespace: %w", err)
+			}
 		}
-
 		return m.containerDo(action)
 	}
 

pkg/hostop/options.go

@@ -7,6 +7,7 @@ import (
 type hostOpOpts struct {
 	logger          logr.Logger
 	insideContainer func() bool
+	hostPidCheck    func() bool
 }
 
 type HostOpOption func(*hostOpOpts)
@@ -40,3 +41,11 @@ func WithAssumeHost() HostOpOption {
 		o.insideContainer = func() bool { return false }
 	}
 }
+
+// WithAssumeHostPidNamespace ensures that HostOp always assume that the container
+// runs into the host PID namespace.
+func WithAssumeHostPidNamespace() HostOpOption {
+	return func(o *hostOpOpts) {
+		o.hostPidCheck = func() bool { return false }
+	}
+}