debug commit

Signed-off-by: fahed dorgaa <fahed.dorgaa@gmail.com>
containerd · Oct 23, 2023 · b30f9c9 · b30f9c9
1 parent f8903ed
commit b30f9c9
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 11 deletions.
diff --git a/pkg/cmd/container/create.go b/pkg/cmd/container/create.go
@@ -21,15 +21,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"net/url"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"runtime"
-	"strconv"
-	"strings"
-
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/containers"
@@ -43,17 +34,30 @@ import (
 	"github.com/containerd/nerdctl/pkg/flagutil"
 	"github.com/containerd/nerdctl/pkg/idgen"
 	"github.com/containerd/nerdctl/pkg/imgutil"
+	"github.com/containerd/nerdctl/pkg/infoutil"
 	"github.com/containerd/nerdctl/pkg/inspecttypes/dockercompat"
 	"github.com/containerd/nerdctl/pkg/labels"
 	"github.com/containerd/nerdctl/pkg/logging"
 	"github.com/containerd/nerdctl/pkg/mountutil"
 	"github.com/containerd/nerdctl/pkg/namestore"
 	"github.com/containerd/nerdctl/pkg/platformutil"
 	"github.com/containerd/nerdctl/pkg/referenceutil"
+	"github.com/containerd/nerdctl/pkg/rootlessutil"
 	"github.com/containerd/nerdctl/pkg/strutil"
+	"github.com/containernetworking/plugins/pkg/ns"
 	dockercliopts "github.com/docker/cli/opts"
 	dockeropts "github.com/docker/docker/opts"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/rootless-containers/rootlesskit/v2/pkg/child"
+	"github.com/sirupsen/logrus"
+	"net/url"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
 )
 
 // Create will create a container.
@@ -282,6 +286,32 @@ func Create(ctx context.Context, client *containerd.Client, args []string, netMa
 
 	opts = append(opts, propagateContainerdLabelsToOCIAnnotations())
 
+	detachNetNs, err := infoutil.DetectBinaryFeature("rootlesskit", "--detach-netns")
+	if err != nil {
+		return nil, nil, err
+	}
+	if rootlessutil.IsRootlessChild() && detachNetNs {
+		stateDir, err := rootlessutil.RootlessKitStateDir()
+		if err != nil {
+			return nil, nil, err
+		}
+
+		if err := ns.WithNetNSPath(filepath.Join(stateDir, "netns"), func(_ ns.NetNS) error {
+			// verified that I entered detach ns
+			containerDetachNetNs := filepath.Join(stateDir, fmt.Sprintf("netns-%s", id))
+			if err := child.NewNetNsWithPathWithoutEnter(containerDetachNetNs); err != nil {
+				return err
+			}
+			opts = append(opts, oci.WithLinuxNamespace(specs.LinuxNamespace{
+				Type: specs.NetworkNamespace,
+				Path: containerDetachNetNs,
+			}))
+			return nil
+		}); err != nil {
+			return nil, nil, err
+		}
+	}
+
 	var s specs.Spec
 	spec := containerd.WithSpec(&s, opts...)
 
@@ -418,7 +448,7 @@ func withNerdctlOCIHook(cmd string, args []string) (oci.SpecOpts, error) {
 	args = append([]string{cmd}, append(args, "internal", "oci-hook")...)
 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
 		if s.Hooks == nil {
-			s.Hooks = &specs.Hooks{}
+			s.Hooks = new(specs.Hooks)
 		}
 		crArgs := append(args, "createRuntime")
 		s.Hooks.CreateRuntime = append(s.Hooks.CreateRuntime, specs.Hook{

diff --git a/pkg/ocihook/ocihook.go b/pkg/ocihook/ocihook.go
@@ -43,6 +43,7 @@ import (
 	rlkclient "github.com/rootless-containers/rootlesskit/pkg/api/client"
 	"github.com/sirupsen/logrus"
 	"github.com/vishvananda/netns"
+	"runtime"
 )
 
 const (
@@ -422,10 +423,15 @@ func onCreateRuntime(opts *handlerOpts) error {
 			ExtraHosts: opts.extraHosts,
 			Name:       opts.state.Annotations[labels.Name],
 		}
+		runtime.LockOSThread()
+		// nsents verified here we are in detached netwoprk ns
+		// nsPath verified is pointing to the nested detached ns
+		// user ns is the detch user ns
 		cniRes, err := opts.cni.Setup(ctx, opts.fullID, nsPath, namespaceOpts...)
 		if err != nil {
 			return fmt.Errorf("failed to call cni.Setup: %w", err)
 		}
+		runtime.UnlockOSThread()
 		cniResRaw := cniRes.Raw()
 		for i, cniName := range opts.cniNames {
 			hsMeta.Networks[cniName] = cniResRaw[i]

diff --git a/pkg/rootlessutil/parent_linux.go b/pkg/rootlessutil/parent_linux.go
@@ -93,7 +93,7 @@ func ParentMain(hostGatewayIP string) error {
 		"-r/",     // root dir (busybox nsenter wants this to be explicitly specified),
 		"-w" + wd, // work dir
 		"--preserve-credentials",
-		"-m", "-n", "-U",
+		"-m", "-U",
 		"-t", strconv.Itoa(childPid),
 		"-F", // no fork
 	}