[Carry 2535] rootless: support detach-netns mode #2723
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AkihiroSuda
force-pushed
the
detach-netns
branch
from
fb193e0
to
adb89ad
Compare
AkihiroSuda
force-pushed
the
detach-netns
branch
3 times, most recently
from
752703f
to
5119337
Compare
This comment was marked as resolved.
This comment was marked as resolved.
AkihiroSuda
force-pushed
the
detach-netns
branch
2 times, most recently
from
b0df933
to
18acfa9
Compare
This comment was marked as resolved.
This comment was marked as resolved.
AkihiroSuda
force-pushed
the
detach-netns
branch
3 times, most recently
from
79513ca
to
fd56c62
Compare
This comment was marked as resolved.
This comment was marked as resolved.
AkihiroSuda
force-pushed
the
detach-netns
branch
2 times, most recently
from
3d57868
to
fd2ed9c
Compare
AkihiroSuda
commented
Jan 4, 2024
| # The "detached-netns" mode accelerates `nerdctl (pull|push|build)` and enables `nerdctl run --net=host`, | ||
| # however, there is a relatively minor drawback with the current version of BuildKit: | ||
| # the host loopback IP address (127.0.0.1) is exposed to Dockerfile's "RUN" instructions during `nerdctl build` (not `nerdctl run`). | ||
| # If you want to hide 127.0.0.1 from "RUN" instructions, you should set CONTAINERD_ROOTLESS_ROOTLESSKIT_DETACH_NETNS to "false". |
There was a problem hiding this comment.
@containerd/nerdctl-maintainers
This is kinda breaking change.
Let me know we should release this as "nerdctl v2.0" (ahead of containerd v2.0), or we can just stick to "nerdctl v1.8".
I'm leaning toward to the former one.
AkihiroSuda
force-pushed
the
detach-netns
branch
from
fd2ed9c
to
457ecc6
Compare
AkihiroSuda
force-pushed
the
detach-netns
branch
from
457ecc6
to
41135e2
Compare
AkihiroSuda
force-pushed
the
detach-netns
branch
from
41135e2
to
f407714
Compare
Closed
AkihiroSuda
force-pushed
the
detach-netns
branch
from
f407714
to
0746dcc
Compare
AkihiroSuda
force-pushed
the
detach-netns
branch
2 times, most recently
from
cebf66f
to
5d31647
Compare
AkihiroSuda
force-pushed
the
detach-netns
branch
from
5d31647
to
b7799e5
Compare
ktock
approved these changes
Jan 18, 2024
fahedouch
reviewed
Jan 18, 2024
| # The "detached-netns" mode accelerates `nerdctl (pull|push|build)` and enables `nerdctl run --net=host`, | ||
| # however, there is a relatively minor drawback with the current version of BuildKit: | ||
| # the host loopback IP address (127.0.0.1) is exposed to Dockerfile's "RUN" instructions during `nerdctl build` (not `nerdctl run`). | ||
| # If you want to hide 127.0.0.1 from "RUN" instructions, you should set CONTAINERD_ROOTLESS_ROOTLESSKIT_DETACH_NETNS to "false". |
fahedouch
reviewed
Jan 18, 2024
fahedouch
reviewed
Jan 18, 2024
| var addrs []net.Addr | ||
| if err := rootlessutil.WithDetachedNetNSIfAny(func() error { | ||
| var err2 error | ||
| addrs, err2 = net.InterfaceAddrs() |
There was a problem hiding this comment.
Ah, I think this is what I was missing in my PR; I wasn't pointing to the right IP addresses, right? It's not an issue with runc as we discussed in Chicago.
|
thanks @AkihiroSuda LGTM overall, just this small typo Thanks again for taking the time to address this feature |
fahedouch
approved these changes
Jan 18, 2024
|
Will rebase when BuildKit v0.13 beta2 is released |
AkihiroSuda
force-pushed
the
detach-netns
branch
2 times, most recently
from
6994e39
to
d3d2da7
Compare
AkihiroSuda
force-pushed
the
detach-netns
branch
from
d3d2da7
to
c4a967d
Compare
Signed-off-by: Akihiro Suda <[email protected]>
AkihiroSuda
force-pushed
the
detach-netns
branch
from
c4a967d
to
0f458cf
Compare
Signed-off-by: Akihiro Suda <[email protected]>
Signed-off-by: Akihiro Suda <[email protected]>
When RootlessKit v2.0 (rootless-containers/rootlesskit PR 379) is installed, `containerd-rootless.sh` launches it with `--detach-netns` so as to run the daemon in the host network namespace. This will enable: - Accelerated (and deflaked) `nerdctl pull`, `nerdctl push`, `nerdctl build`, etc - Proper support for `nerdctl pull 127.0.0.1:.../...` - Proper support for `nerdctl run --net=host` Replaces Fahed Dorgaa's PR 2535 Co-authored-by: fahed dorgaa <[email protected]> Signed-off-by: Akihiro Suda <[email protected]>
AkihiroSuda
force-pushed
the
detach-netns
branch
from
0f458cf
to
4892364
Compare
ktock
approved these changes
Jan 31, 2024
apostasie
reviewed
Jul 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When RootlessKit v2.0 (rootless-containers/rootlesskit#379) is installed,
containerd-rootless.shlaunches it with--detach-netnsso as to run the daemon in the host network namespace.This will enable:
nerdctl pull,nerdctl push,nerdctl build, etcnerdctl pull 127.0.0.1:.../...nerdctl run --net=hostReplaces Fahed Dorgaa's PR #2535
Fixes #814
Fixes #86
Note
Rootless containerd recognizes the following environment variables to configure the behavior of RootlessKit:
CONTAINERD_ROOTLESS_ROOTLESSKIT_DETACH_NETNS=(auto|true|false): whether to launch rootlesskit with the "detach-netns" mode.Defaults to "auto", which is resolved to "true" if RootlessKit >= 2.0 is installed.
The "detached-netns" mode accelerates
nerdctl (pull|push|build)and enablesnerdctl run --net=host,however, there is a relatively minor drawback with BuildKit prior to v0.13:
the host loopback IP address (127.0.0.1) is exposed to Dockerfile's "RUN" instructions during
nerdctl build(notnerdctl run).The drawback is fixed in BuildKit v0.13. Upgrading from a prior version of BuildKit needs removing the old systemd unit:
containerd-rootless-setuptool.sh uninstall-buildkit && rm -f ~/.config/buildkit/buildkitd.tomlTo set these variables, create
~/.config/systemd/user/containerd.service.d/override.confas follows:And then run the following commands:
https://github.com/containerd/nerdctl/blob/main/docs/rootless.md