runtime-rs: fix is_pid_namespace_enabled check

We should test is_pid_namespace_enabled before amending the container spec, where the pid namespace path is cleared and resulting sandbox_pidns to always being false. Fixes: #5881 Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2025-12-18 06:44:23 +01:00 · 2022-12-12 09:52:27 +00:00
parent 67e82804c5
commit e9e82ce28b
1 changed files with 1 additions and 1 deletions
--- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
@@ -81,8 +81,8 @@ impl Container {
        let mut inner = self.inner.write().await;
        let toml_config = self.resource_manager.config().await;
        let config = &self.config;
-        amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp).context("amend spec")?;
        let sandbox_pidns = is_pid_namespace_enabled(&spec);
+        amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp).context("amend spec")?;

        // handler rootfs
        let rootfs = self