network: fix LXC_NET_NONE cleanup #3589
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We have a case where we have a nested container with LXC_NET_NONE run inside a container that's *also* got no network namespace (run by lxc-usernsexec). The "am I root" check in this function then does not suffice, since the euid of the task is 0 but it does not have privilege over its network namespace, and thus cannot do any of the restore operations: lxc foo 20201201232059.271 TRACE network - network.c:lxc_restore_phys_nics_to_netns:3299 - Moving physical network devices back to parent network namespace lxc foo 20201201232059.271 ERROR network - network.c:lxc_restore_phys_nics_to_netns:3307 - Operation not permitted - Failed to enter network namespace lxc foo 20201201232059.271 ERROR start - start.c:__lxc_start:2045 - Failed to move physical network devices back to parent network namespace Let's check that we indeed did clone the network namespace, and thus have things to restore to their correct namespace before attempting to actually restore them. I suspect it's possible we can also get rid of some of the network namespace preservation stuff in start.c in the LXC_NET_NONE case. Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
|
Heh, ci failure is, |
|
Just for reference, I had filed a request for this to be SRU'd under LP: #1918955. (and if anyone is reading... an updated 20.04 would be nice). |
|
@stgraber ^^ :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We have a case where we have a nested container with LXC_NET_NONE run
inside a container that's also got no network namespace (run by
lxc-usernsexec).
The "am I root" check in this function then does not suffice, since the
euid of the task is 0 but it does not have privilege over its network
namespace, and thus cannot do any of the restore operations:
lxc foo 20201201232059.271 TRACE network - network.c:lxc_restore_phys_nics_to_netns:3299 - Moving physical network devices back to parent network namespace
lxc foo 20201201232059.271 ERROR network - network.c:lxc_restore_phys_nics_to_netns:3307 - Operation not permitted - Failed to enter network namespace
lxc foo 20201201232059.271 ERROR start - start.c:__lxc_start:2045 - Failed to move physical network devices back to parent network namespace
Let's check that we indeed did clone the network namespace, and thus have
things to restore to their correct namespace before attempting to actually
restore them.
I suspect it's possible we can also get rid of some of the network namespace
preservation stuff in start.c in the LXC_NET_NONE case.
Signed-off-by: Tycho Andersen tycho@tycho.pizza