Fix race in os sandbox sharing

[mrjana]

There is a race in os sandbox sharing code where two containers which
are sharing the os sandbox try to recreate the os sandbox again which
might result in destroying the os sandbox and recreating it. Since the
os sandbox sharing is happening only for default sandbox, refactored the
code to create os sandbox only once inside a sync.Once api so that it
happens exactly once and gets reused by other containers. Also disabled
deleting this os sandbox.

Fixes moby/moby#17577

Signed-off-by: Jana Radhakrishnan mrjana@docker.com

[mavenugo]

@mrjana thanks. pls correct me if am wrong. the sharing of OSL sandbox happens only for --net=host mode. and we handle the situation very similar to any other case and hence we have less special casing (though we do make use of useDefaultSandBox as a hint for --net=host case).

So my question is, is the current fix complete without also protecting the delete side ?
Infact for --net=host case we can even avoid deleting the osl sandbox and also create it only once globally ?

BTW, I tried the patch to see if it solves moby/moby#17577, but it didnt. But when I added a small hack as follows, then I dont see the issue anymore.

 func (n *networkNamespace) Destroy() error {
+       if strings.Contains(n.path, "default") {
+               log.Debugf("Ignoring sandbox destroy")
+               return nil
+       }

So, I think we should either synchronize the creation and deletion of the OSL sandbox. Or prevent destroying the osl sandbox for default sandbox case (and also better if we create it just once globally).

[mrjana]

@mavenugo I did test for moby/moby#17577 and it did work for me. But you brought up a good point while the sandbox is being destroyed. Let me refactor this code to just create it once and use it everywhere and never destroy it.

[mavenugo]

@mrjana thanks

[mrjana]

@mavenugo Updated new diffs. PTAL

[mavenugo]

LGTM.