Add the option of Rootless CNI networking by default #10447
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
Sorry I'm late, but why do we need two configuration fields? Shouldn't netns=bridge and netns=slirp4netns be enough. I don't see the need for the RootlessNetworking field?! |
libpod/runtime.go
Outdated
| @@ -532,6 +533,13 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) { | |||
| } | |||
| } | |||
|
|
|||
| // If we need to make a default network - do so now. | |||
There was a problem hiding this comment.
This should happen before ocicni.InitCNI (line 465).
mheon
force-pushed
the
rootlesscni_default
branch
from
59aaa70 to
32a56fc
Compare
|
@Luap99 The idea was to keep |
|
OK, one last point. When the compat api is used as rootless we default to slirp4netns, see #10261. We could not swap the default to bridge since there was no default cni config. With this patch we could change this. However, the config is only created when |
|
I was waffling on that one, but if we have a good reason for it to be universal, I'm happy to make the change. |
mheon
force-pushed
the
rootlesscni_default
branch
2 times, most recently
from
43a7af4 to
3a64dbf
Compare
|
@Luap99 Made default network creation by default. I left the RootlessNetworking bits intact for now - mainly because I don't see an easier way of setting the default for rootless if the user sets |
|
We also probably want to have a discussion about containers.conf stability - I feel like it's not held up to the same standards of stability as the rest of the API because we can remove config options without much consequence. So even if this did ship, IMO we still have the ability to remove it in the future without a major version bump... |
mheon
force-pushed
the
rootlesscni_default
branch
from
3a64dbf to
c7ce571
Compare
cmd/podman/common/create_opts.go
Outdated
| @@ -248,7 +249,7 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, cgroup | |||
| } | |||
|
|
|||
| // netMode | |||
| nsmode, _, err := specgen.ParseNetworkNamespace(string(cc.HostConfig.NetworkMode)) | |||
| nsmode, _, err := specgen.ParseNetworkNamespace(string(cc.HostConfig.NetworkMode), rtc.Containers.RootlessNetworking == "cni") | |||
There was a problem hiding this comment.
always set this to true for compat api, this should fix #10261
libpod/container.go
Outdated
| @@ -1168,7 +1167,7 @@ func (c *Container) Networks() ([]string, bool, error) { | |||
| func (c *Container) networks() ([]string, bool, error) { | |||
| networks, err := c.runtime.state.GetNetworks(c) | |||
| if err != nil && errors.Cause(err) == define.ErrNoSuchNetwork { | |||
| if len(c.config.Networks) == 0 && !rootless.IsRootless() { | |||
| if len(c.config.Networks) == 0 && !c.config.NetMode.IsSlirp4netns() { | |||
There was a problem hiding this comment.
I think this should be IsBridge() to not match net=none
mheon
force-pushed
the
rootlesscni_default
branch
from
c7ce571 to
0889be9
Compare
|
@mheon you have to rebase |
When the containers.conf field "NetNS" is set to "Bridge" and the "RootlessNetworking" field is set to "cni", Podman will now handle rootless in the same way it does root - all containers will be joined to a default CNI network, instead of exclusively using slirp4netns. If no CNI default network config is present for the user, one will be auto-generated (this also works for root, but it won't be nearly as common there since the package should already ship a config). I eventually hope to remove the "NetNS=Bridge" bit from containers.conf, but let's get something in for Brent to work with. Signed-off-by: Matthew Heon <[email protected]>
mheon
force-pushed
the
rootlesscni_default
branch
from
0889be9 to
533d88b
Compare
|
Done. |
|
LGTM |
|
/lgtm |
openshift-ci
bot
added
the
do-not-merge/hold
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
github-actions
bot
added
the
locked - please file new issue/PR
When the containers.conf field "NetNS" is set to "Bridge" and the "RootlessNetworking" field is set to "cni", Podman will now handle rootless in the same way it does root - all containers will be joined to a default CNI network, instead of exclusively using slirp4netns.
If no CNI default network config is present for the user, one will be auto-generated (this also works for root, but it won't be nearly as common there since the package should already ship a config).
I eventually hope to remove the "NetNS=Bridge" bit from containers.conf, but let's get something in for Brent to work with.