
Set network namespace in the container #2473

Closed
jprendes opened this issue Oct 26, 2023 · 5 comments
Comments

@jprendes
Contributor

From all the namespaces specified in the container spec, youki only sets the user and pid namespaces.
Other namespaces, like the network namespace, are ignored.

See containerd/runwasi#364 and this slack thread for context.

@utam0k
Member

utam0k commented Oct 29, 2023

Thanks for creating the issue. Why did they think that? I think youki applies the rest of the namespaces here:
https://github.com/containers/youki/blob/a6735b1c7e055d68f263624de767e952279fb5bc/crates/libcontainer/src/process/container_init_process.rs#L299

@jprendes
Contributor Author

You are 100% correct.
Youki is setting the network namespace, but for some reason it's not taking effect.
It might be related to what point in the container lifecycle the call is done, maybe the runwasi shim needs to create the container earlier.
I need to dig deeper into this.

@utam0k
Member

utam0k commented Nov 13, 2023

Pods share a network namespace among the containers, right? If it is right, perhaps runwasi is responsible for creating a network namespace for a pod. But I'm not sure...

@yihuaf
Collaborator

yihuaf commented Jun 1, 2024

> Pods share a network namespace among the containers, right? If it is right, perhaps runwasi is responsible for creating a network namespace for a pod. But I'm not sure...

This is how containerd-shim works. The network namespace is created upfront and the OCI runtime (runc in this case) will join the network namespace. youki implements all namespaces, both create and join existing. I did not dig into the containerd/runwasi codebase, but the idea would be for the containerd level to create the network namespace upfront, and pass the path of the network ns to youki as part of the runtime spec. youki should then join the network namespace correctly. Let me know if there is any issue.

With that being said, I think it is possible to use youki to create all the namespaces for the first container in the pod, and then ask the sidecars to join the same namespaces (pid and network ns).
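The create-versus-join distinction described in the two comments above (a namespace entry with a `path` joins an existing namespace, one without creates a fresh one, and a type that is absent from the list is inherited from the runtime, i.e. the host) can be checked directly against a runtime spec. The following is an added example, not code from this thread, from youki or from runwasi; the `config.json` fragment, the netns path and all function names are constructed for illustration. The `ns_identity` helper is the usual way to confirm after the fact that a sidecar really landed in the pod's network namespace: two processes are in the same namespace exactly when their `/proc/<pid>/ns/net` files have the same device and inode.

```python
"""Classify the namespaces an OCI runtime spec (config.json) asks for.

Per the OCI runtime spec, each entry in linux.namespaces either creates a
fresh namespace (no "path") or joins an existing one ("path" given, e.g. a
pod network namespace that the shim/CNI created up front). A namespace type
that is missing from the list is inherited from the runtime, which normally
means the host namespace, so "inherit" for network/pid/mount/ipc is the case
a reviewer wants flagged.
"""
import json
import os

NAMESPACE_TYPES = ("pid", "network", "mount", "ipc", "uts", "user", "cgroup", "time")

# Constructed sample spec (hypothetical, not taken from youki or runwasi):
# pid and mount are created fresh, network joins a pre-created pod netns,
# and ipc is not listed at all.
SAMPLE_SPEC = json.dumps({
    "ociVersion": "1.0.2",
    "linux": {
        "namespaces": [
            {"type": "pid"},
            {"type": "mount"},
            {"type": "network", "path": "/var/run/netns/pod-example"},
        ]
    },
})


def classify_namespaces(spec_json):
    """Map every namespace type to ("create", None), ("join", path) or ("inherit", None)."""
    spec = json.loads(spec_json)
    requested = {}
    for ns in spec.get("linux", {}).get("namespaces", []):
        ns_type = ns.get("type")
        if ns_type not in NAMESPACE_TYPES:
            raise ValueError(f"unknown namespace type: {ns_type!r}")
        if ns_type in requested:
            raise ValueError(f"namespace type listed twice: {ns_type}")
        path = ns.get("path")
        requested[ns_type] = ("join", path) if path else ("create", None)
    # Types not mentioned in the spec are inherited from the runtime (host).
    return {t: requested.get(t, ("inherit", None)) for t in NAMESPACE_TYPES}


def host_shared_namespaces(spec_json, sensitive=("network", "pid", "mount", "ipc")):
    """Return the sensitive namespace types this spec would share with the host."""
    classes = classify_namespaces(spec_json)
    return [t for t in sensitive if classes[t][0] == "inherit"]


def ns_identity(path):
    """(st_dev, st_ino) of a namespace file such as /proc/<pid>/ns/net.

    Two processes are in the same namespace iff these pairs are equal, which
    is how to verify that a sidecar actually joined the pod's network namespace.
    """
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def same_namespace(path_a, path_b):
    return ns_identity(path_a) == ns_identity(path_b)


if __name__ == "__main__":
    for ns_type, (action, path) in classify_namespaces(SAMPLE_SPEC).items():
        print(f"{ns_type:8} {action:8} {path or ''}")
    print("shared with host:", host_shared_namespaces(SAMPLE_SPEC))
```

Run against a real `config.json` produced by the shim, the interesting output is the `network` line: `join` with the path handed down from containerd is the expected shape from the comment above, `create` means the container got its own empty namespace rather than the pod's, and `inherit` means it is on the host network.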

@yihuaf
Collaborator

yihuaf commented Jun 1, 2024

Closing this issue since youki does correctly set up the network namespace. Feel free to re-open if there are any issues observed.

@yihuaf yihuaf closed this as completed Jun 1, 2024
@yihuaf yihuaf self-assigned this Jun 1, 2024