Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sysfs appears to be bind mounted into containers which use non-host networking #8707

Closed
maybe-sybr opened this issue Dec 14, 2020 · 6 comments
Closed

sysfs appears to be bind mounted into containers which use non-host networking #8707

maybe-sybr opened this issue Dec 14, 2020 · 6 comments
Assignees
@giuseppe
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@maybe-sybr
Copy link
Contributor

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description
When running containers with networking stacks which I expect to be isolated from the host, I can still see the host's sysfs rather than the namespace's.

Steps to reproduce the issue:

  1. podman run --rm -ti --network slirp4netns docker.io/alpine sh -c 'ip l; ls -l /sys/class/net'

Describe the results you received:

[maybe@zen podman]$ podman run --rm -ti --network slirp4netns docker.io/alpine sh -c 'ip l; ls -l /sys/class/net'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether ca:79:79:8b:39:4e brd ff:ff:ff:ff:ff:ff
total 0
lrwxrwxrwx    1 nobody   nobody           0 Dec 13 22:42 dummy0 -> ../../devices/virtual/net/dummy0
lrwxrwxrwx    1 nobody   nobody           0 Dec 13 22:42 enp0s20f0u3u4 -> ../../devices/pci0000:00/0000:00:14.0/usb2/2-3/2-3.4/2-3.4:1.0/net/enp0s20f0u3u4
lrwxrwxrwx    1 nobody   nobody           0 Dec 13 22:42 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx    1 nobody   nobody           0 Dec 13 22:42 wlo1 -> ../../devices/pci0000:00/0000:00:14.3/net/wlo1

Describe the results you expected:
/sys/class/net should not have host networking nodes listed, and should instead have the slirp created tap0 in there along with an lo. Running a mount -t sysfs sysfs /sys in the container ensures the container's sysfs is mounted but needs --privileged to do the overmount.

[maybe@zen podman]$ podman run --rm -ti --network slirp4netns --privileged docker.io/alpine sh -c 'mount -t sysfs sysfs /sys; ip l; ls -l /sys/class/net'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether 1e:79:a0:7e:f1:bd brd ff:ff:ff:ff:ff:ff
total 0
lrwxrwxrwx    1 root     root             0 Dec 14 01:33 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx    1 root     root             0 Dec 14 01:33 tap0 -> ../../devices/virtual/net/tap0

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

podman version 2.2.1

Output of podman info --debug:

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.2.1-1.fc33.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Dec 14, 2020
@mheon
Copy link
Member

mheon commented Dec 14, 2020 via email

@maybe-sybr
Copy link
Contributor Author

maybe-sybr commented Dec 14, 2020
edited
Loading

Sounds about right, @mheon . I was just looking through what had changed since the last RPM release since I recall updating at the end of last week. Downgrading to podman-2.1.1-10.fc33 and containers-common-1.2.0-3.fc33 fixed the misbehaviour. Thanks for the quick reply. I'll work with the downgraded versions for now and keep an eye on this issue for any updates.

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Copy link
Member

rhatdan commented Jan 14, 2021

I believe this is fixed in the main branch now, reopen if I am mistaken.

@rhatdan rhatdan closed this as completed Jan 14, 2021
@mheon
Copy link
Member

mheon commented Jan 14, 2021

This is not fixed. Discussion is ongoing in #8949

@mheon mheon reopened this Jan 14, 2021
@giuseppe
Copy link
Member

this should be fixed by: #8949

@sivel sivel mentioned this issue Feb 18, 2021
Closed
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@giuseppe giuseppe

Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@giuseppe @rhatdan @mheon @openshift-ci-robot @maybe-sybr