Skip to content

rootless: Rearrange setup of rootless containers #3756

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 4 commits into from
Sep 24, 2019
Merged

rootless: Rearrange setup of rootless containers #3756

openshift-merge-robot merged 4 commits into from
Sep 24, 2019

Conversation

@gabibeyer
Copy link

@gabibeyer gabibeyer commented Aug 7, 2019

This commit removes the previous cleanup in the stop functionality. It was originally added because the pipe wasn't closing on the kill to conmon, so the slirp4netns process wasn't stopping. This was fixed in this commit, and now the restart works with reentering the previous network namespace.

In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:

  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
    to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
    enter the netns

Closes #2897

Signed-off-by: Gabi Beyer [email protected]

@openshift-ci-robot
Copy link
Collaborator

openshift-ci-robot commented Aug 7, 2019

Hi @gabibeyer. Thanks for your PR.

I'm waiting for a containers or openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 7, 2019
@mheon
Copy link
Member

mheon commented Aug 7, 2019

/ok-to-test
/approve

@openshift-ci-robot openshift-ci-robot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 7, 2019
@openshift-ci-robot
Copy link
Collaborator

openshift-ci-robot commented Aug 7, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gabibeyer, mheon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 7, 2019
@rh-atomic-bot
Copy link
Collaborator

rh-atomic-bot commented Aug 7, 2019

Can one of the admins verify this patch?
I understand the following commands:

  • bot, add author to whitelist
  • bot, test pull request
  • bot, test pull request once

@haircommander
Copy link
Collaborator

haircommander commented Aug 7, 2019

bot, add author to whitelist

@gabibeyer gabibeyer force-pushed the rootlessOrdering branch 2 times, most recently from 4b7b6ef to c971002 Compare August 7, 2019 19:00
@gabibeyer gabibeyer changed the title rootless: Rearrange setup of rootless containers rootless: Rearrange setup of rootless containers ***CIRRUS: TEST IMAGES*** Aug 8, 2019
@gabibeyer
Copy link
Author

gabibeyer commented Aug 8, 2019

/hold

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 8, 2019
@gabibeyer
Copy link
Author

gabibeyer commented Aug 8, 2019

Should not be merged until slirp4netns 0.4.0 release

@gabibeyer gabibeyer force-pushed the rootlessOrdering branch 2 times, most recently from d183fb4 to 7b8be8b Compare August 19, 2019 21:23
@rh-atomic-bot
Copy link
Collaborator

rh-atomic-bot commented Aug 21, 2019

☔ The latest upstream changes (presumably #2940) made this pull request unmergeable. Please resolve the merge conflicts.

@gabibeyer gabibeyer changed the title rootless: Rearrange setup of rootless containers ***CIRRUS: TEST IMAGES*** rootless: Rearrange setup of rootless containers Aug 22, 2019
@gabibeyer gabibeyer force-pushed the rootlessOrdering branch 2 times, most recently from 1198de9 to 486a5b9 Compare August 22, 2019 22:02
@gabibeyer
Copy link
Author

gabibeyer commented Aug 23, 2019

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 23, 2019
@gabibeyer
Copy link
Author

gabibeyer commented Aug 23, 2019

@baude @mheon I'm having a hard time with the run_cleanup_test failure: error retrieving network namespace at /run/user/3347/netns/cni-4078184d-48c9-d5ed-872c-2bb1ebed8530: unknown FS magic on \"/run/user/3347/netns/cni-4078184d-48c9-d5ed-872c-2bb1ebed8530\": 1021994". I am unable to reproduce the failure locally, and after some searching I thought it may be related to the namespace persistent bind-mount not being mounted with shared permissions, so I added a commit to fix that, and it doesn't seem to be the issue. Do either of you have any ideas?

@mheon
Copy link
Member

mheon commented Aug 23, 2019

Hmm. Bad FS magic is strange... I'd more expect not finding the file at all, or a permission error, from user namespace issues...

@giuseppe Any ideas here?

@rh-atomic-bot
Copy link
Collaborator

rh-atomic-bot commented Sep 6, 2019

☔ The latest upstream changes (presumably #3931) made this pull request unmergeable. Please resolve the merge conflicts.

@rhatdan
Copy link
Member

rhatdan commented Sep 6, 2019

Needs a rebase.

@gabibeyer gabibeyer force-pushed the rootlessOrdering branch 3 times, most recently from b684a77 to 012dbb1 Compare September 12, 2019 21:04
@rh-atomic-bot
Copy link
Collaborator

rh-atomic-bot commented Sep 16, 2019

☔ The latest upstream changes (presumably #4038) made this pull request unmergeable. Please resolve the merge conflicts.

@marcov
Copy link
Collaborator

marcov commented Sep 20, 2019

@gabibeyer can you rebase one more time?

@giuseppe @mheon : can you give an ack if the code looks good?

mheon
mheon reviewed Sep 20, 2019
View reviewed changes
libpod/container_internal_linux.go Outdated
Copy link
Member

@mheon mheon Sep 20, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be conditional on a network namespace being present

Copy link
Member

@mheon mheon Sep 20, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, should only run this if createNetNSErr == nil

mheon
mheon reviewed Sep 20, 2019
View reviewed changes
libpod/container_internal_linux.go Outdated
Copy link
Member

@mheon mheon Sep 20, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Error handling flow is broken for this one - if this fails we need to report it much earlier than that return below to ensure proper cleanup of resources on error. I think it'd be better to reuse createNetNSErr here - it already has the right logic here.

mheon
mheon reviewed Sep 20, 2019
View reviewed changes
libpod/networking_linux.go Outdated
Copy link
Member

@mheon mheon Sep 20, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we get a comment explaining what the flags we're adding here do?

@mheon
Copy link
Member

mheon commented Sep 20, 2019

Other than the error handling in prepare() I think this is basically ready.

@gabibeyer gabibeyer force-pushed the rootlessOrdering branch 2 times, most recently from f2013d2 to aceb557 Compare September 23, 2019 21:33
Gabi Beyer added 4 commits September 24, 2019 11:01
@marcov
rootless: Rearrange setup of rootless containers
5813c82 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <[email protected]>
@marcov
Add Kata Containers support
f50ba20 
Update documentation to show Kata Containers support is no longer
a limitation with merging of commit 486a5b9

Signed-off-by: gabi beyer <[email protected]>
@marcov
Make netns bind mount shared
0115be1 
To 'avoid unknown FS magic on "/run/user/1000/netns/...": 1021994'
make the network namespace bind-mount recursively shared, so the
mount is back-propogated to the host.

Signed-off-by: gabi beyer <[email protected]>
@marcov
add list mount tests
65d5a98 
Add two unit tests to determine whether mounts are being listed
correctly. One tests that a created container is not listed
until mounted. The second checks that running containers are
mounted, and then no longer listed as mounted when they stop
running. The final test creates three containers, mounts two,
and checks that mount correctly only lists the two mounted.

Signed-off-by: gabi beyer <[email protected]>
@marcov
Copy link
Collaborator

marcov commented Sep 24, 2019

Thank you @gabibeyer @mheon

Error handling in prepare() should have been improved now.

@mheon
Copy link
Member

mheon commented Sep 24, 2019

LGTM
@vrothberg @baude @rhatdan @TomSweeneyRedHat PTAL

@TomSweeneyRedHat
Copy link
Member

TomSweeneyRedHat commented Sep 24, 2019

LGTM

@mheon
Copy link
Member

mheon commented Sep 24, 2019

/lgtm

Merging away

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 24, 2019
@openshift-merge-robot openshift-merge-robot merged commit b300b98 into containers:master Sep 24, 2019
@rh-atomic-bot rh-atomic-bot mentioned this pull request Sep 24, 2019
Closed
@giuseppe giuseppe mentioned this pull request Sep 29, 2019
Closed
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 26, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@mheon mheon mheon left review comments

@baude baude Awaiting requested review from baude

@giuseppe giuseppe Awaiting requested review from giuseppe

Assignees

@mheon mheon

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Create and configure network before container is created in case of rootless Podman

10 participants

@gabibeyer @openshift-ci-robot @mheon @rh-atomic-bot @haircommander @giuseppe @rhatdan @marcov @TomSweeneyRedHat @openshift-merge-robot