[rootless] Support detach netns #2535
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fahedouch
force-pushed
the
support-detach-netns
branch
from
8e7da61 to
14b86b1
Compare
fahedouch
force-pushed
the
support-detach-netns
branch
2 times, most recently
from
57b93c1 to
42adb17
Compare
|
Uncompilable |
Sorry I forgot to push go mod graph updates |
|
CI didn't run, probably due to merge conflict |
fahedouch
force-pushed
the
support-detach-netns
branch
5 times, most recently
from
260bbec to
ece4d66
Compare
Signed-off-by: fahed dorgaa <fahed.dorgaa@gmail.com>
Signed-off-by: fahed dorgaa <fahed.dorgaa@gmail.com>
fahedouch
force-pushed
the
support-detach-netns
branch
2 times, most recently
from
db7a762 to
ffffa76
Compare
https://github.com/containerd/nerdctl/actions/runs/6625309327/job/17996040183?pr=2535 |
AkihiroSuda
reviewed
Oct 26, 2023
|
Still doesn't compile (for |
fahedouch
force-pushed
the
support-detach-netns
branch
from
5724344 to
f1342cd
Compare
Signed-off-by: fahed dorgaa <fahed.dorgaa@gmail.com>
fahedouch
force-pushed
the
support-detach-netns
branch
from
0c8aad1 to
436a18b
Compare
AkihiroSuda
reviewed
Oct 29, 2023
| runtime.LockOSThread() | ||
| // nsents verified here we are in detached netwoprk ns | ||
| // nsPath verified is pointing to the nested detached ns | ||
| // user ns is the detch user ns | ||
| cniRes, err := opts.cni.Setup(ctx, opts.fullID, nsPath, namespaceOpts...) |
There was a problem hiding this comment.
time="2023-10-29T13:30:10Z" level=fatal msg="failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: time=\"2023-10-29T13:30:10Z\" level=fatal msg=\"failed to call cni.Setup: plugin type=\\\"firewall\\\" failed (add): failed to list iptables chains: running [/usr/sbin/iptables -t filter -S --wait]: exit status 3: iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)\\nPerhaps iptables or your kernel needs to be upgraded.\\n\"\nFailed to write to log, write /home/rootless/.local/share/nerdctl/1935db59/containers/nerdctl-test/0bb9ad1b47ae32ef3ffda72250edcf338ccbadf8d9572d9503e67faded379d57/oci-hook.createRuntime.log: file already closed: unknown"
https://github.com/containerd/nerdctl/actions/runs/6683660354/job/18160087021?pr=2535
There was a problem hiding this comment.
Can you dump /proc/self/status right after netns.Set to see if CAP_NET_ADMIN is gained in the namespaces?
There was a problem hiding this comment.
Maybe we need to re-exec the ocihook process to gain the caps
There was a problem hiding this comment.
There was a problem hiding this comment.
Can you dump
/proc/self/statusright afternetns.Setto see ifCAP_NET_ADMINis gained in the namespaces?
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000000
SigCgt: fffffffd7fc1feff
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
capsh --decode=000001ffffffffff
0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
@AkihiroSuda cap_net_admin is already present right after netns.Set
There was a problem hiding this comment.
if rootlessutil.IsRootlessChild() && detachNetNs {
stateDir, err := rootlessutil.RootlessKitStateDir()
if err != nil {
return err
}
ns, err := netns.GetFromPath(filepath.Join(stateDir, "netns"))
if err != nil {
return err
}
if err = netns.Set(ns); err != nil {
return fmt.Errorf("switch to detached netns: %w", err)
}
ok, err := rootlessutil.HasCaps()
if err != nil {
return err
}
fmt.Println(ok)
hasCaps()
the above code is printing true
There was a problem hiding this comment.
Some progress in:
We can just run the hook with nsenter -n/detached/netns -- nerdctl internal oci-hook ... and call it a day.
|
#2723 will be ready soon, so let me close this PR. Thanks again for working on this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By supporting detach network namespace: