rootless: Rearrange setup of rootless containers #3756
Hi @gabibeyer. Thanks for your PR. I'm waiting for a containers or openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gabibeyer, mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Can one of the admins verify this patch?
bot, add author to whitelist
4b7b6ef to c971002
c971002 to 7b0e4d8
/hold
Should not be merged until slirp4netns 0.4.0 release
d183fb4 to 7b8be8b
☔ The latest upstream changes (presumably #2940) made this pull request unmergeable. Please resolve the merge conflicts.
1198de9 to 486a5b9
/hold cancel
@baude @mheon I'm having a hard time with the
Hmm. Bad FS magic is strange... I'd more expect not finding the file at all, or a permission error, from user namespace issues... @giuseppe Any ideas here?
20f7e70 to 5dd9d4f
☔ The latest upstream changes (presumably #3931) made this pull request unmergeable. Please resolve the merge conflicts.
Needs a rebase.
b684a77 to 012dbb1
☔ The latest upstream changes (presumably #4038) made this pull request unmergeable. Please resolve the merge conflicts.
012dbb1 to 84e3213
@gabibeyer can you rebase one more time? @giuseppe @mheon : can you give an ack if the code looks good? |
libpod/container_internal_linux.go
@@ -88,6 +88,10 @@ func (c *Container) prepare() (Err error) { | |||
c.state.NetworkStatus = networkStatus | |||
} | |||
} | |||
|
|||
if c.config.NetMode == "slirp4netns" && !c.config.PostConfigureNetNS { |
This should be conditional on a network namespace being present
Also, should only run this if createNetNSErr == nil
libpod/container_internal_linux.go
@@ -88,6 +88,10 @@ func (c *Container) prepare() (Err error) { | |||
c.state.NetworkStatus = networkStatus | |||
} | |||
} | |||
|
|||
if c.config.NetMode == "slirp4netns" && !c.config.PostConfigureNetNS { | |||
rootlessSetupErr = c.runtime.setupRootlessNetNS(c) |
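Review bot: the setupRootlessNetNS call at the end of this hunk is gated only on `c.config.NetMode == "slirp4netns"` and `!c.config.PostConfigureNetNS`, so it also runs when no network namespace was created or when creating it already failed; it should additionally require a netns to be present and `createNetNSErr == nil`. Storing the result in a separate `rootlessSetupErr` also keeps the failure outside the `createNetNSErr` flow that the rest of prepare() already uses for cleanup; assigning `createNetNSErr = c.runtime.setupRootlessNetNS(c)` inside the existing `if createNetNSErr == nil` branch reports a failed slirp4netns setup the same way as a failed namespace creation and reuses its cleanup.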
Error handling flow is broken for this one - if this fails we need to report it much earlier than that return below to ensure proper cleanup of resources on error. I think it'd be better to reuse createNetNSErr here - it already has the right logic here.
cmd := exec.Command(path, cmdArgs...) | ||
cmdArgs = append(cmdArgs, "-c", "-e", "3", "-r", "4") |
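Review bot: as shown here, the append of `"-c", "-e", "3", "-r", "4"` comes after `cmd := exec.Command(path, cmdArgs...)` has already captured the argument slice, so if this ordering reflects the file these flags never reach slirp4netns; the append must precede the exec.Command call. The flags also need a comment: `-c` makes slirp4netns configure the tap device inside the namespace, and `-e 3` / `-r 4` are its `--exit-fd` and `--ready-fd`, which only work if the exit pipe and ready pipe are placed at `cmd.ExtraFiles[0]` and `cmd.ExtraFiles[1]` (child fds 3 and 4) and the caller waits for the ready byte before handing the namespace to the runtime.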
Can we get a comment explaining what the flags we're adding here do?
Other than the error handling in
f2013d2 to aceb557
In order to run Podman with VM-based runtimes unprivileged, the network must be set up prior to the container creation. Therefore this commit modifies Podman to run rootless containers by:
1. create a network namespace
2. pass the netns persistent mount path to slirp4netns to create the tap interface
3. pass the netns path to the OCI spec, so the runtime can enter the netns
Closes containers#2897
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
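The slirp4netns start-up that step 2 of this commit relies on, as an added illustration that is not code from this PR or from libpod: the flags are the ones the diff adds (`-c`, `-e 3`, `-r 4`), `--netns-type=path` is the slirp4netns 0.4.0 option that accepts the persistent netns bind-mount path instead of a PID, and the netns path in main is a hypothetical placeholder.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

// slirpArgs builds the slirp4netns command line with the flags this PR adds:
// -c configures the tap inside the netns; -e FD / -r FD are --exit-fd / --ready-fd.
// ExtraFiles[0] and ExtraFiles[1] of an exec.Cmd become fds 3 and 4 in the child.
func slirpArgs(netnsPath, tapName string) []string {
	args := []string{"-c", "-e", "3", "-r", "4"}
	// --netns-type=path (slirp4netns >= 0.4.0) takes the persistent netns bind-mount.
	return append(args, "--netns-type=path", netnsPath, tapName)
}

// startSlirp wires the exit and ready pipes, starts slirp4netns and blocks until
// it reports readiness. Closing the returned writer tells slirp4netns to exit.
func startSlirp(binary string, args []string) (*exec.Cmd, *os.File, error) {
	exitR, exitW, err := os.Pipe() // child holds exitR; parent keeps exitW
	if err != nil {
		return nil, nil, err
	}
	readyR, readyW, err := os.Pipe() // child writes "1" to readyW when the tap is up
	if err != nil {
		return nil, nil, err
	}
	cmd := exec.Command(binary, args...)       // args are complete before this call
	cmd.ExtraFiles = []*os.File{exitR, readyW} // child fd 3 = exit-fd, fd 4 = ready-fd
	if err := cmd.Start(); err != nil {
		return nil, nil, err
	}
	exitR.Close()
	readyW.Close()
	buf := make([]byte, 1)
	if _, rerr := readyR.Read(buf); rerr != nil || buf[0] != '1' {
		readyR.Close()
		exitW.Close() // signal exit, then reap the child
		cmd.Wait()
		return nil, nil, fmt.Errorf("slirp4netns not ready: %v", rerr)
	}
	readyR.Close()
	return cmd, exitW, nil
}

func main() { // hypothetical netns path; libpod creates the real one
	_, _, err := startSlirp("slirp4netns", slirpArgs("/run/user/1000/netns/cni-example", "tap0"))
	fmt.Println("start result:", err)
}
```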
Update documentation to show Kata Containers support is no longer a limitation with merging of commit 486a5b9 Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
To 'avoid unknown FS magic on "/run/user/1000/netns/...": 1021994' make the network namespace bind-mount recursively shared, so the mount is back-propagated to the host. Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
Add two unit tests to determine whether mounts are being listed correctly. One tests that a created container is not listed until mounted. The second checks that running containers are mounted, and then no longer listed as mounted when they stop running. The final test creates three containers, mounts two, and checks that mount correctly only lists the two mounted. Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
aceb557 to 65d5a98
Thank you @gabibeyer @mheon Error handling in
LGTM
LGTM
/lgtm Merging away
This commit removes the previous cleanup in the stop functionality. It was originally added because the pipe wasn't closing on the kill to conmon, so the slirp4netns process wasn't stopping. This was fixed in this commit, and now the restart works with reentering the previous network namespace.