docker: remove cni-plugins #8

Merged: 2 commits, Aug 19, 2020

greut (Contributor) commented Aug 19, 2020

I've tried using it and failed miserably, only to fall back to installing Nomad via rpm/deb. It's probably not worth it making this image bigger with the CNI plugins if there is no possible use for them.

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>

multani (Owner) commented Aug 19, 2020

> I've tried using it and failed miserably

I didn't have a look yet, what issues did you have?

> via rpm/deb

🤨

greut (Contributor Author) commented Aug 19, 2020

> I didn't have a look yet, what issues did you have?

/var/run/netns doesn't play well with bind mounts.

It's something along those lines, hashicorp/nomad#8371

> rpm/deb

Now that there is a convenient way to install Nomad (and Consul), I'm only using this image for the server. For the client, it works too, but not when it starts playing with network namespaces. Kubernetes probably knows how to work around this.

greut (Contributor Author) commented Aug 19, 2020

> Kubernetes probably knows how to work around this.

containernetworking/plugins#69

greut (Contributor Author) commented Aug 19, 2020

I also forgot to remove iptables

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>

multani (Owner) commented Aug 19, 2020

> rpm/deb
>
> Now that there is a convenient way to install Nomad (and Consul), I'm only using this image for the server. For the client, it works too, but not when it starts playing with network namespaces. Kubernetes probably knows how to work around this.

Oh right, I missed the announcement of the HashiCorp APT repository somehow.

greut (Contributor Author) commented Aug 19, 2020

> I missed the announcement of the HashiCorp APT repository somehow.

🎉

Also, it needs the consul binary.

    envoy_bootstrap: error creating bootstrap configuration for Connect proxy sidecar: exec: "consul": executable file not found in $PATH

https://github.com/hashicorp/nomad/blob/41b94eedc24d15234426da12e3eb3dbd0e260f52/client/allocrunner/taskrunner/envoybootstrap_hook.go#L175

@multani multani merged commit fc5f9b0 into multani:master Aug 19, 2020
@greut greut deleted the remove-cni-plugins branch April 12, 2021 18:22

MatthewJohn commented May 31, 2023

@multani For what it's worth, I've just run into the same error.

> Kubernetes probably knows how to work around this.

The k8s logic that you mentioned is actually just the mount configuration, in particular the "bind-propagation" configuration (https://docs.docker.com/storage/bind-mounts/#configure-bind-propagation).
Changing my mount of /var/run/netns (or /var/run/docker/netns) to use bind-propagation shared fixed the issue :)

I think changing the docker-compose to use this should fix the issue :D :

    volumes:
      - type: bind
        source: /var/run/docker/netns
        target: /var/run/docker/netns
        bind:
          propagation: shared

For reference: https://github.com/MatthewJohn/vault-nomad-consul-terraform/blob/setup-service-mesh/modules/nomad/client/container/main.tf#L81
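
One way to confirm which propagation mode a netns bind mount actually received, as an added example that is not part of the comment above or of the project's code. The function names and the sample mountinfo lines are constructed for illustration; on a real Nomad client container the input would be `/proc/self/mountinfo`.

```shell
#!/bin/sh
# Added example: report the propagation mode of a mount point from mountinfo
# text read on stdin (normally /proc/self/mountinfo inside the container).

# Constructed sample, shaped like /proc/self/mountinfo; IDs and devices are made up.
sample_mountinfo() {
    cat <<'EOF'
1180 1100 0:120 / / rw,relatime master:300 - overlay overlay rw
1201 1180 0:24 /docker/netns /var/run/docker/netns rw,nosuid shared:5 - tmpfs tmpfs rw
1202 1180 0:24 /netns /var/run/netns rw,nosuid - tmpfs tmpfs rw
EOF
}

# propagation_of MOUNTPOINT < mountinfo
# Fields 7.. up to the lone "-" are the optional propagation tags:
# shared:N (peer group), master:N (slave of group N), unbindable; none = private.
# mountinfo shows resolved paths, so pass /run/... if /var/run is a symlink.
propagation_of() {
    awk -v mp="$1" '
        $5 == mp {                      # a later line is the topmost mount at mp
            shared = 0; slave = 0; unbind = 0
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                else if ($i ~ /^master:/) slave = 1
                else if ($i == "unbindable") unbind = 1
            }
            if (shared && slave) mode = "shared,slave"
            else if (shared)     mode = "shared"
            else if (slave)      mode = "slave"
            else if (unbind)     mode = "unbindable"
            else                 mode = "private"
        }
        END { print (mode == "" ? "not-mounted" : mode) }
    '
}

# is_shared MOUNTPOINT < mountinfo: succeeds only if the mount is in a peer group.
is_shared() {
    case "$(propagation_of "$1")" in
        shared*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo on the constructed sample; on a real client use: < /proc/self/mountinfo
for mp in /var/run/docker/netns /var/run/netns; do
    printf '%s: %s\n' "$mp" "$(sample_mountinfo | propagation_of "$mp")"
done
```

A result of `private` or `slave` for the netns directory means mounts created under it inside the container are not propagated back to the host, which is the situation the `propagation: shared` setting changes.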

multani (Owner) commented May 31, 2023

Thanks for the heads-up @MatthewJohn!

TBH, I never really played with any CNI plugins until now, I'm happy to make some changes but I would need to check how I could test that beforehand 👍
