Commits on Dec 9, 2022

1. containerdexecutor: add network namespace callback …

   In order to support identity mapping and user namespaces, the Moby
   project needs to defer the creation of a container's network namespace
   to the runtime and hook into the container lifecycle to configure the
   network namespace before the user binary is started. The standard way to
   do so is by configuring a `createRuntime` OCI lifecycle hook, in which
   the OCI runtime executes a specified process in the runtime environment
   after the container has been created and before it is started. In the
   case of Moby the network namespace needs to be configured from the
   daemon process, which necessitates that the hook process communicate
   with the daemon process. This is complicated and slow. All the hook
   process does is inform the daemon of the container's PID and wait until
   the daemon has finished applying the network namespace configuration.
   
   There is an alternative to the `createRuntime` OCI hook which containerd
   clients can take advantage of. The `container.NewTask` method is
   directly analogous to the OCI create operation, and the `task.Start`
   method is directly analogous to the OCI start operation. Any operations
   performed between the `NewTask` and `Start` calls are therefore directly
   analogous to `createRuntime` OCI hooks, without needing to execute any
   external processes! Provide a mechanism for network.Namespace instances
   to register a callback function which can be used to configure a
   container's network namespace instead of, or in addition to,
   `createRuntime` OCI hooks.
   
   Signed-off-by: Cory Snider <csnider@mirantis.com>

   

   corhere committed Dec 9, 2022
   Configuration menu

   • View commit details
   • Copy full SHA for b5fdf90
   • Browse repository at this point

   Copy the full SHA

   b5fdf90 View commit details

   Browse the repository at this point in the history