mount sysfs in namespace #3831
mount sysfs in namespace #3831
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: gabibeyer The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
size/XS
needs-ok-to-test
|
Hi @gabibeyer. Thanks for your PR. I'm waiting for a containers or openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
openshift-ci-robot
added
ok-to-test
and removed
needs-ok-to-test
|
Hmm. If we just need this in the container, shouldn't we add the mount in
the OCI spec?
…On Fri, Aug 16, 2019, 06:57 Daniel J Walsh ***@***.***> wrote:
/ok-to-test
Thanks @gabibeyer <https://github.com/gabibeyer>
@mheon <https://github.com/mheon> @giuseppe <https://github.com/giuseppe>
PTAL
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3831>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AB3AOCB5GUN5PEUYH5QV5Q3QE2BZFANCNFSM4IMCX4XQ>
.
|
|
@mheon This is something that may be required for the OCI runtime itself, not just the container. |
openshift-ci-robot
added
needs-rebase
openshift-ci-robot
added
size/XS
and removed
needs-rebase
|
|
||
| // mount sysfs so the process running in the container can see the | ||
| // correct /sys/class/net entries | ||
| err = unix.Mount("sysfs", "/sys", "sysfs", unix.MS_RDONLY, "") |
There was a problem hiding this comment.
The goroutine is running in a new network namespace but it is sharing the mount namespace with the host. How is the new mount visible from the container?
There was a problem hiding this comment.
I may be very off in my understanding of namespaces, but by default doesn't podman create a user namespace that all containers share (unless explicitly stated). The network namespace is being created inside that user namespace, and since mount namespaces require an owner user namespace all that information would be accessible by the container if it enters the network namespace?
There was a problem hiding this comment.
blah disregard that. I think what's happening is that it is being mounted correctly, but it needs to do a mount sooner, right after the network namespace creation in order to the /sys/class/net to be generated correctly for the oci runtime to use.
There was a problem hiding this comment.
@gabibeyer Perhaps, the commit message needs to be rephrased a bit, to specify that the OCI runtime needs to access the /sys.
@giuseppe We need this behaviour for the runtime. In case of Kata, we need to inspect the network namespace to get the type of network interfaces created in order to connect them to the virtual machine.
Most of this information can be obtained from netlink API.
But we may need to get this from sysfs in some cases. In case of tap interfaces, we do not get the information whether a tuntap device is actually "tap" or "tun" on older kernels from netlink. In that case we need to fallback to the sysfs, and expect the sysfs to be remounted to reflect the correct /sys/class/net information corresponding to the new network namespace created by podman.
I hope that makes things a bit clearer. A related PR submitted to netlink:
vishvananda/netlink@db99c04
|
☔ The latest upstream changes (presumably #2940) made this pull request unmergeable. Please resolve the merge conflicts. |
gabibeyer
force-pushed
the
mountSysfs
branch
2 times, most recently
from
940a0b7 to
0beed21
Compare
mount sysfs so the process running in the container can see the correct /sys/class/net entries Signed-off-by: Gabi Beyer <[email protected]>
|
@gabibeyer is it still needed? |
|
do we have an example of issue we are trying to solve with this PR? Still it is not clear to me how mounting |
|
@amshinde explained here why access to sysfs is needed, #3831 (comment) @gabibeyer: is this something specific for rootless? |
|
Got it @amshinde, then maybe you could consider only bind mounting the path necessary to look up the tap interfaces, and not the whole |
|
Let me see if I can explain this better.
@giuseppe Yes, the mount namespace is the same on the host, /sys is already mounted there, but /sys is not tied to mount namespaces. The /sys on entering the new network namespace still points to the host network namespace. A little background on the issue: https://lwn.net/Articles/295587/ An issue that describes this in some more detail: I see that a similar project Let me know if you have any further questions, maybe we can discuss this on the crio call this week if you are on it. |
|
@gabibeyer @amshinde is this patch still needed? If you'd like I can help here, can we discuss the issue you are having? |
|
as there is no progress, I am closing the PR. Please re-open if it is still needed |
github-actions
bot
added
the
locked - please file new issue/PR
mount sysfs so the process running in the container
can see the correct /sys/class/net entries
Signed-off-by: Gabi Beyer [email protected]