-
Notifications
You must be signed in to change notification settings - Fork 623
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable other containers to join network namespace of the none network #3443
base: main
Are you sure you want to change the base?
Conversation
Yes if it works with Docker. Needs an integration test. |
} | ||
|
||
resolvConfPath := filepath.Join(stateDir, "resolv.conf") | ||
copyFileContent("/etc/resolv.conf", resolvConfPath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would make containers using none
to now use the host resolv.conf
, right?
This does not seem right.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
checked with docker and they have it for none, personally i dont think it should be part of none, but if it is not attaching to a none network namespace (custom use cases) seems to throw error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It does not look like they have it here...
docker run --net none debian cat /etc/resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.
nameserver 192.168.5.2
search .
# Based on host file: '/run/systemd/resolve/resolv.conf' (legacy)
# Overrides: []
vs.
cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is my output (docker 25)
docker run --network none alpine:latest cat /etc/resolv.conf
<redacted>
nameserver 10.4.4.10
options timeout:1 attempts:2
sudo docker run --network none alpine:latest cat /etc/hostname
9d25f3a65441
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
to be fair i tested in another system i got same as yours too, so not sure which one is correct, but for some system is taking from /run/systemd/resolv/resolv.conf?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It likely does not matter much, since there will be no network anyhow. Concern here is more about information leakage.
I would suggest we either leave it empty or mimic the behavior of cniNetworkManager
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure if information leak is a concern in network none, if one can ssh from host they have access to /etc/resolv.conf of the host anyway.
I like the idea of mimicing the behavior of cniNetworkManager, that seems to take into account adding host, dns etc.
while we are on the topic, if we use --network container:containerd id with
nameServers = m.netOpts.DNSServers
searchDomains = m.netOpts.DNSSearchDomains
dnsOptions = m.netOpts.DNSResolvConfOptions
dont we want to add them to the resolv.conf, similarly if --network host with these options, not sure they are getting added
[shubhum@lima-finch nerdctl]$ sudo nerdctl run --network host --hostname default --dns test --dns-search testname alpine:latest cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search ant.amazon.com amazon.com
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
changed this configs to some generic default values
e99fd1d
to
29760dc
Compare
@Shubhranshu153 will be slow to review - travelling right now. Will do asap. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a note about WriteDefaultResolveConf
.
Otherwise, these changes seem good and will bring us more in line with what docker does, so +1.
This needs tests - especially around your use case of another container using the none container net.
@@ -150,6 +150,11 @@ type noneNetworkManager struct { | |||
client *containerd.Client | |||
} | |||
|
|||
func WriteDefaultResolvConf(filePath string) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should use the existing resolvconf.Build
.
It is not currently safe to use it (not atomic, nor locking), but it is better IMO than duplicating the problem.
} | ||
|
||
resolvConfPath := filepath.Join(stateDir, "resolv.conf") | ||
if err := WriteDefaultResolvConf(resolvConfPath); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See note above.
will add tests. |
1a627e3
to
e80e165
Compare
so overall behaviour wise it is like docker but the configs dont still match, which is probably fine as we dont expose host details if we add specifically the things we want to expose. |
e80e165
to
516b8c0
Compare
@apostasie added the tests, for the configs i have made it docker non compat because of the explanation above. |
a2a9820
to
ebc6d87
Compare
Thanks @Shubhranshu153 I left a few comments on the tests. I will give this a spin locally later today too, but otherwise looks good. |
c64c4f7
to
cdb4929
Compare
e2dc511
to
eba7437
Compare
@apostasie PTAL |
eba7437
to
3bc581d
Compare
Signed-off-by: Shubharanshu Mahapatra <shubhum@amazon.com>
3bc581d
to
b477824
Compare
@AkihiroSuda @apostasie
and you can get them added
So added these functionalities to none network, want some guidance if am missing functionality wise, i reused the code from host network as it seems it just used values from netopts. But i plan to refactor it to a single function (cleanup wise) |
Will have a look as time allows. |
@AkihiroSuda @apostasie |
@@ -124,6 +124,7 @@ require ( | |||
github.com/sirupsen/logrus v1.9.3 // indirect | |||
github.com/spaolacci/murmur3 v1.1.0 // indirect | |||
github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect | |||
github.com/stretchr/objx v0.5.2 // indirect |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need to run go mod tidy use the nerdctl test framework and fix a few things in code, just checking if my logic is correct to add the options DNS and host options for none network and probably need to be done for host network as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe you added it initially with #3443 (review)
But really it should not be necessary.
Can you try removing the line from go.mod then doing go mod tidy again?
Will look at the rest later today.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, the current version is more for making sure the direction is correct. I will be having another pr using the new test framework and updates for the host network config.
I am a bit confused about the thing overall.
So, Docker does not seem to allow starting a container using the network of a paused container - which does make sense. We should still support using a started container with --net none (or host) as a network for another container though (doesn't seem to work currently). |
And sorry for the late review. |
The container i am trying to connect is a pause container (the container is in running state) which is basically sleep infinity container with a non network. From what I understand it is used to create a network namespace to which other containers can join and share. |
Sorry for the confusion :-) I thought by "pause container" you meant "created". Looking again. |
@@ -179,9 +248,75 @@ func (m *noneNetworkManager) InternalNetworkingOptionLabels(_ context.Context) ( | |||
|
|||
// ContainerNetworkingOpts Returns a slice of `oci.SpecOpts` and `containerd.NewContainerOpts` which represent | |||
// the network specs which need to be applied to the container with the given ID. | |||
func (m *noneNetworkManager) ContainerNetworkingOpts(_ context.Context, _ string) ([]oci.SpecOpts, []containerd.NewContainerOpts, error) { | |||
func (m *noneNetworkManager) ContainerNetworkingOpts(_ context.Context, containerID string) ([]oci.SpecOpts, []containerd.NewContainerOpts, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am increasingly uncomfortable with the amount of duplication between ContainerNetworkingOpts
implementations (and even more so about the differences in there). But then, refactoring that should probably be a separate endeavor.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really as I was writing it I too saw that so I plan to refactor it but before that just wanted to confirm the direction so that the effort is not put in the wrong place
@Shubhranshu153 I think directionally that is ok. Though, I would suggest really strong testing on this in making sure we are truly aligned with Docker:
Also, I am wondering if hosts files are now going to updated for
|
As I said in my comment, I am also concerned about the amount of duplication / differences between network managers (specifically ContainerNetworkingOpts). We really need to clean that stuff up eventually and revise our approach there. |
Yes testing needs to be rigorous not to break the promise of isolation as in that case it will be sec vulnerability. Will send out a revision once I clean and have some robust testing in place. Thanks |
Awesome. |
Fixes: Unable to attach to container network created with none
Description
There is a use case with pause containers, where other containers attaches to the pause container network. The pause container is launched with network none. This requires the pause container have a copy of hosts, hostname and resolv conf.
It also seems to share a net namespace, the containers must also share a user namespace.
The solution is to have a copy of the hosts/hostname and resolv.conf. In case of container network, add userns and netns both.
Want to confirm is this an acceptable solution and i can send out an PR for it.
Steps to reproduce the issue
Describe the results you received and expected
It would display errors with resolv.conf not found and once those configs are added would see an error with sys fs.
Expected result is to be able to connect to the network of pause container.
What version of nerdctl are you using?
1.7.5
Are you using a variant of nerdctl? (e.g., Rancher Desktop)
None
Host information
lima vm (fedora image), but can be reproduced in any architecture.