Skip to content

Prefer bubblewrap for network isolation#473

Closed
tiran wants to merge 1 commit intopython-wheel-build:mainfrom
tiran:bubblewrap
Closed

Prefer bubblewrap for network isolation#473
tiran wants to merge 1 commit intopython-wheel-build:mainfrom
tiran:bubblewrap

Conversation

@tiran
Copy link
Copy Markdown
Collaborator

@tiran tiran commented Oct 10, 2024

Bubblewrap is another tool for unsharing namespaces. It sets up a network namespace with a disconnected loopback.

Fixes: #472

@mergify mergify bot added the ci label Oct 10, 2024
dhellmann
dhellmann reviewed Oct 10, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@dhellmann dhellmann left a comment
edited by prarit
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks OK for now. We should consider if this should be configurable by the user somehow, but this at least lets us move forward.

Edit: nvm. I tested it and it seems to work -- see comments below about adding --privileged to docker and fixing the --unshare-net option.

@prarit
Copy link
Copy Markdown
Contributor

prarit commented Oct 10, 2024

Let's try this and see if it works better. OOC do you test if it solved the MPI issue in a container?

@tiran
Prefer bubblewrap for network isolation
a99a48c 
Bubblewrap is another tool for unsharing namespaces. It sets up a
network namespace with a disconnected loopback.

Fixes: python-wheel-build#472
Signed-off-by: Christian Heimes <cheimes@redhat.com>
@tiran
Copy link
Copy Markdown
Collaborator Author

tiran commented Oct 10, 2024

Let's try this and see if it works better. OOC do you test if it solved the MPI issue in a container?

$ bwrap --unshare-net --dev-bind / / -- /usr/lib64/openmpi/bin/mpicc -showme:compile
-I/usr/include/openmpi-x86_64

$ unshare -rn -- /usr/lib64/openmpi/bin/mpicc -showme:compile
[hostname:1498104] opal_ifinit: unable to find network interfaces.
-I/usr/include/openmpi-x86_64

prarit
prarit reviewed Oct 10, 2024
View reviewed changes
src/fromager/external_commands.py
if sys.platform == "linux":
NETWORK_ISOLATION = ["unshare", "--net", "--map-current-user"]
NETWORK_ISOLATION = [
["bwrap", "--unshare-network", "--dev-bind", "/", "/", "--"],
Copy link
Copy Markdown
Contributor

@prarit prarit Oct 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--unshare-network doesn't appear to be valid? Is this supposed to be --unshare-net ?

Copy link
Copy Markdown
Contributor

@prarit prarit Oct 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: this needs docker to specify --privileged in builder's bin/boostrap.sh o/w you get an error

bwrap: Creating new namespace failed: Operation not permitted

@tiran tiran marked this pull request as draft October 11, 2024 14:36
@tiran
Copy link
Copy Markdown
Collaborator Author

tiran commented Oct 15, 2024

bwrap does not work for us. It requires additional permissions and adjustments to work in an unprivileged container. We want a system that works in podman out of the box and in docker with minimal adjustments.

@tiran tiran closed this Oct 15, 2024
@shubhbapna shubhbapna mentioned this pull request Oct 15, 2024
Closed
@pavank63 pavank63 mentioned this pull request Apr 2, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhellmann dhellmann dhellmann left review comments

@prarit prarit prarit left review comments

@shubhbapna shubhbapna Awaiting requested review from shubhbapna

Assignees

No one assigned

Labels

ci

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Use bubblewrap (bwrap) instead of unshare for network isolation

3 participants

@tiran @prarit @dhellmann