fix(BA-4889): fix container net_rx/net_tx stats reading host namespace counters

[fregataa]

Summary

• Check setns() return value and raise OSError on failure, preventing silent fallback to the host network namespace when entering a container's netns fails
• Handle OSError from netstat_ns() in gather_container_measures() to gracefully skip containers with inaccessible namespaces
• Extract _get_libc() helper from setns() so tests can mock the libc layer
• Add real namespace switching tests in TestNetstatNsWork using unshare --net subprocess

Reproduction

Running psutil.net_io_counters() after valid vs invalid setns() in a privileged container with unshare --net:

Case	bytes_recv	bytes_sent	total
1) Host namespace (baseline)	404,861	11,301	416,162
2) Valid setns() (container ns)	0	0	0
3) Invalid setns(fd=-1), unchecked	405,081	11,301	416,382

• Valid fd → enters new namespace → counters are 0 (no traffic)
• Invalid fd → setns() returns -1 but old code didn't check → stays in host namespace → reads host-level counters

This is the root cause of the stat spikes: when setns() silently fails, psutil sums cumulative bytes across all host interfaces.

Thread pool and namespace safety

The agent runs as a daemon process (aiotools.start_server with daemon=True), so ProcessPoolExecutor cannot spawn children. netstat_ns() always takes the thread pool path (run_in_executor(None, ...)). Container stat collection is sequential (await per container), so only one namespace switch happens at a time.

setns() is per-thread state — threads don't interfere with each other's namespace. If setns() succeeds in __enter__ (returns 0), the thread is guaranteed to be in the correct target namespace. The return value check is sufficient to prevent wrong readings:

Scenario	Effect	Mitigation
__enter__ setns fails	Stays in host ns, would read host counters	return value check → OSError → reading blocked
__enter__ setns succeeds	In correct target ns	No issue
__exit__ restore fails	Thread can't return to host ns	Warning logged; next __enter__ will enter correct target regardless

Test plan

• pants fmt — passed
• pants fix — passed
• pants lint — passed
• pants check — passed
• pants test tests/unit/common/test_netns.py — passed
• pants test tests/unit/agent/test_docker_intrinsic.py — passed
• Verify on a live agent that container net_rx/net_tx values are stable and no longer spike

Resolves BA-4889

[Copilot]

Pull request overview

Fixes incorrect container net_rx/net_tx spikes caused by silently failing network-namespace entry (falling back to host counters), and adds a defensive rate outlier clamp in stats to suppress physically impossible network-rate jumps.

Changes:

• Make setns() raise OSError when the underlying libc call fails; log (non-fatal) failures when restoring the original namespace.
• Rework netstat_ns() execution strategy and add handling for setns() failures while collecting container net stats.
• Add rate_ceiling support to MovingStatistics / measurements and introduce unit tests for netns failure and rate clamping behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
tests/unit/common/test_netns.py	Adds coverage for setns() failure/success behavior.
tests/unit/agent/test_stats.py	Adds tests for MovingStatistics(rate_ceiling=...) clamp semantics.
tests/unit/agent/test_docker_intrinsic.py	Adds coverage ensuring netstat_ns_work() propagates setns/nsenter errors.
src/ai/backend/common/netns.py	Implements libc caching, errno-aware setns() error handling, and safer __exit__() cleanup/logging.
src/ai/backend/agent/stats.py	Threads rate_ceiling through measurements/metrics and clamps extreme rates in MovingStatistics.rate.
src/ai/backend/agent/docker/intrinsic.py	Adds a fork-based netns stats path and applies a network rate ceiling to net_rx/net_tx metrics.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.