Conversation
Setting this flag will create a number of bind mounts into /tmp/warden inside the container such that warden can run inside of a container.
Nested warden forwards both inbound and outbound traffic on interfaces that match the "w-+" wildcard. This means that inbound traffic is dropped by default. This change makes sure that traffic that comes in via the default outbound interface is always allowed.
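As an added illustration of the rule ordering that change relies on (example code, not warden's own network setup script): the chain name `warden-nested-forward`, the `run` wrapper and the `DRY_RUN`/`RUN_EXAMPLE` switches are assumptions made for this example. With `DRY_RUN=1` (the default) the rules are echoed instead of being handed to `iptables`, so the ordering can be inspected without root; the point is that the ACCEPT for traffic arriving on the default outbound interface has to sit ahead of the wildcard DROP on `w-+`, otherwise the drop matches first.

```shell
#!/bin/sh
# Added illustration, not warden's own net setup: emit the forwarding rules for a
# nested warden whose container interfaces all match the "w-+" wildcard ("+" is
# iptables' trailing interface-name wildcard). The chain name, the run() wrapper
# and the DRY_RUN/RUN_EXAMPLE switches are assumptions made for this example.

WARDEN_CHAIN=${WARDEN_CHAIN:-warden-nested-forward}   # assumed chain name
DRY_RUN=${DRY_RUN:-1}                                 # 1 = print rules, 0 = apply

run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Name of the interface carrying the IPv4 default route (e.g. eth0); empty when
# "ip" is unavailable, as in a dry run on a build machine.
default_iface() {
  ip -4 route show default 2>/dev/null |
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Rules in the order they are evaluated. The ACCEPT for traffic arriving on the
# default outbound interface ($1) must come before the wildcard DROP, otherwise
# the drop matches first and that traffic is lost.
nested_forward_rules() {
  iface=$1
  [ -n "$iface" ] || { echo "nested_forward_rules: default interface unknown" >&2; return 1; }
  run -N "$WARDEN_CHAIN"
  run -A "$WARDEN_CHAIN" -i "$iface" -j ACCEPT        # inbound via default iface: always allowed
  run -A "$WARDEN_CHAIN" -i 'w-+' -j ACCEPT           # outbound from nested containers
  run -A "$WARDEN_CHAIN" -o 'w-+' -j DROP             # anything else into a container: dropped
  run -A FORWARD -j "$WARDEN_CHAIN"                   # hook the chain into FORWARD
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  nested_forward_rules "${1:-$(default_iface)}"
fi
```

`RUN_EXAMPLE=1 sh nested_forward.sh` prints the rules for the host's default-route interface; `DRY_RUN=0 RUN_EXAMPLE=1 sh nested_forward.sh eth0` applies them as root. The function refuses to emit rules when the default interface cannot be determined, since silently omitting that ACCEPT would leave only the DROP in place.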
Built a cf-release using this branch. yeti passed: 76 examples, 2 failures, 13 pendings. The two failures are about loggregator, not related to warden. Maybe it is because of missing port forwarding rules on ELB.
if File.exist?("/proc/sys/net/ipv4/ip_local_port_range") | ||
File.read("/proc/sys/net/ipv4/ip_local_port_range").split.map(&:to_i) | ||
else | ||
return 32768, 61000 |
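Review bot: the two branches of this `if` are inconsistent and the existence check is fragile. The `else` branch uses an explicit `return 32768, 61000` while the `if` branch relies on the implicit value of the `if` expression; pick one form. More importantly, `File.exist?` followed by `File.read` is a check-then-use pair: the read still raises if the file is unreadable or disappears between the two calls. Prefer wrapping the read in `begin ... rescue Errno::ENOENT, Errno::EACCES` and returning the defaults from the rescue, put the defaults in a named constant so the fallback is self-documenting, and verify that the parsed result has exactly two integers before returning it.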
In newer kernels, /proc/sys/net/ipv4/ip_local_port_range is no longer exported inside the container, so we should check whether it exists before providing some default values.
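The check described in that comment, as an added stand-alone shell example (not warden's code): the sysctl path is taken as a parameter so the function can be exercised against constructed files, and it also falls back to the defaults when the file exists but is empty, unreadable or malformed, which a bare existence check does not cover. The defaults 32768 and 61000 are the ones used in the change under review.

```shell
#!/bin/sh
# Added example (not warden's code): read the kernel's ephemeral port range with
# a fallback for containers where newer kernels no longer expose the file.
# The path is a parameter so the function can be exercised on constructed files.

# Defaults used when the sysctl file is missing, unreadable or malformed.
DEFAULT_PORT_LO=32768
DEFAULT_PORT_HI=61000

# Prints "low high". Falls back to the defaults when the file is absent,
# unreadable, or does not contain two integers with low <= high <= 65535.
local_port_range() {
  range_file=${1:-/proc/sys/net/ipv4/ip_local_port_range}
  lo=
  hi=
  if [ -r "$range_file" ]; then
    # /proc separates the two values with a tab; read splits on it. read fails
    # on an empty file or a missing trailing newline, so ignore its status and
    # validate what was actually assigned below.
    read -r lo hi _ < "$range_file" 2>/dev/null || true
  fi
  case "$lo$hi" in
    ''|*[!0-9]*) lo=$DEFAULT_PORT_LO; hi=$DEFAULT_PORT_HI ;;
  esac
  if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ] || [ "$hi" -gt 65535 ]; then
    lo=$DEFAULT_PORT_LO; hi=$DEFAULT_PORT_HI
  fi
  echo "$lo $hi"
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  local_port_range "$@"
fi
```

`RUN_EXAMPLE=1 sh port_range.sh` prints the host's range; inside a container that hides the file it prints `32768 61000`. Callers that need the two values separately can `set -- $(local_port_range)` and use `$1` and `$2`.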
@Kaixiang @syslxg — Please add tests with this commit. @mariash and I commented out lines 229 through 242, starting with We'd be happy to help you out on this. Please let us know. Thanks.
@ryantang @andreasmaier @mariash we added tests for nested-warden, and answered your comments above.
@@ -194,38 +195,49 @@ def perform_rsync(src_path, dst_path) | |||
sh *args | |||
end | |||
|
|||
def write_bind_mount_commands(request) | |||
return if request.bind_mounts.nil? || request.bind_mounts.empty? | |||
def add_bind_mount(file, src_path, dst_path, mode) |
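Review bot: `add_bind_mount(file, src_path, dst_path, mode)` is introduced at the end of this hunk without a comment stating what it checks, and the visible lines show no validation of its arguments. Since `src_path`, `dst_path` and `mode` come from the request and are written to `file` as mount commands, either add a check here that both paths are absolute and that `mode` is one of the values the protocol defines, or document where that check lives, so a reviewer can see that a malformed request cannot produce an unintended mount. The guard `return if request.bind_mounts.nil? || request.bind_mounts.empty?` can also be shortened to `return if Array(request.bind_mounts).empty?`.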
After pair-reviewing the PR this morning with @dsabeti and @syslxg, we all agreed to merge the pull request under review, as long as we fix the src_path check, revert some unused commits, and add an outbound traffic test for nested warden. All done and the tests pass, so we are merging it now. Contact @dsabeti if you see any issue while it is outside our working hours.
merge nested warden into master