rootless: Rearrange setup of rootless containers#3756
Conversation
|
Hi @gabibeyer. Thanks for your PR. I'm waiting for a containers or openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
needs-ok-to-test
|
/ok-to-test |
openshift-ci-robot
added
ok-to-test
and removed
needs-ok-to-test
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gabibeyer, mheon The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
Can one of the admins verify this patch?
|
|
bot, add author to whitelist |
gabibeyer
force-pushed
the
rootlessOrdering
branch
2 times, most recently
from
4b7b6ef to
c971002
Compare
gabibeyer
changed the title
gabibeyer
force-pushed
the
rootlessOrdering
branch
from
c971002 to
7b0e4d8
Compare
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
Should not be merged until slirp4netns 0.4.0 release |
gabibeyer
force-pushed
the
rootlessOrdering
branch
2 times, most recently
from
d183fb4 to
7b8be8b
Compare
|
☔ The latest upstream changes (presumably #2940) made this pull request unmergeable. Please resolve the merge conflicts. |
gabibeyer
changed the title
gabibeyer
force-pushed
the
rootlessOrdering
branch
2 times, most recently
from
1198de9 to
486a5b9
Compare
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
@baude @mheon I'm having a hard time with the |
|
Hmm. Bad FS magic is strange... I'd more expect not finding the file at all, or a permission error, from user namespace issues... @giuseppe Any ideas here? |
gabibeyer
force-pushed
the
rootlessOrdering
branch
from
20f7e70 to
5dd9d4f
Compare
|
☔ The latest upstream changes (presumably #3931) made this pull request unmergeable. Please resolve the merge conflicts. |
|
Needs a rebase. |
gabibeyer
force-pushed
the
rootlessOrdering
branch
3 times, most recently
from
b684a77 to
012dbb1
Compare
|
☔ The latest upstream changes (presumably #4038) made this pull request unmergeable. Please resolve the merge conflicts. |
gabibeyer
force-pushed
the
rootlessOrdering
branch
from
012dbb1 to
84e3213
Compare
|
@gabibeyer can you rebase one more time? @giuseppe @mheon : can you give an ack if the code looks good? |
There was a problem hiding this comment.
This should be conditional on a network namespace being present
There was a problem hiding this comment.
Also, should only run this if createNetNSErr == nil
There was a problem hiding this comment.
Error handling flow is broken for this one - if this fails we need to report it much earlier than that return below to ensure proper cleanup of resources on error. I think it'd be better to reuse createNetNSErr here - it already has the right logic here.
There was a problem hiding this comment.
Can we get a comment explaining what the flags we're adding here do?
|
Other than the error handling in |
gabibeyer
force-pushed
the
rootlessOrdering
branch
2 times, most recently
from
f2013d2 to
aceb557
Compare
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
1. create a network namespace
2. pass the netns persistent mount path to the slirp4netns
to create the tap inferface
3. pass the netns path to the OCI spec, so the runtime can
enter the netns
Closes containers#2897
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
Update documentation to show Kata Containers support is no longer a limitation with merging of commit 486a5b9 Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
To 'avoid unknown FS magic on "/run/user/1000/netns/...": 1021994' make the network namespace bind-mount recursively shared, so the mount is back-propogated to the host. Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
Add two unit tests to determine whether mounts are being listed correctly. One tests that a created container is not listed until mounted. The second checks that running containers are mounted, and then no longer listed as mounted when they stop running. The final test creates three containers, mounts two, and checks that mount correctly only lists the two mounted. Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
marcov
force-pushed
the
rootlessOrdering
branch
from
aceb557 to
65d5a98
Compare
|
Thank you @gabibeyer @mheon Error handling in |
|
LGTM |
|
LGTM |
|
/lgtm Merging away |
github-actions
Bot
added
the
locked - please file new issue/PR
10 participants
This commit removes the previous cleanup in the stop functionality. It was originally added because the pipe wasn't closing on the kill to conmon, so the slirp4netns process wasn't stopping. This was fixed in this commit, and now the restart works with reentering the previous network namespace.
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
to create the tap inferface
enter the netns
Closes #2897
Signed-off-by: Gabi Beyer gabrielle.n.beyer@intel.com