"ns:" network mode to use existing network namespace

[dancavallaro]

Description

Fixes #3246, allowing containers to be run inside existing network namespaces.

I've read the contribution guide, signed off on my commit, and updated the command reference documentation, but please let me know if there's anything else you'd like me to do.

Testing

I first manually create a new Linux network namespace, create a dummy interface in it, and give it an address:

> sudo ip netns add nerdctltest
> sudo ip -n nerdctltest link add dm0 type dummy
> sudo ip -n nerdctltest addr add 172.16.1.100/32 dev dm0
> sudo ip -n nerdctltest link set dm0 up
> sudo ip -n nerdctltest link set lo up

Then use my build of nerdctl to run an Nginx container in this netns, using the new ns: networking mode:

> sudo ./nerdctl run -d --name nginx-nerdctltest --net=ns:/run/netns/nerdctltest nginx:latest
ce7939065b7c30e59ffc5c5e55d5cdc7c421098b8dc31beba63044991b6b999f

Finally, we can access the Nginx server by curl'ing the dummy interface address inside the netns:

> sudo ip netns exec nerdctltest curl http://172.16.1.100
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
...<truncated, you get the idea>

The new parameter is supported in Docker Compose, as well. Here's my docker-compose.yml file I used for testing:

services:
  nginx-nerdctltest:
    container_name: nginx-nerdctltest
    image: nginx:latest
    network_mode: ns:/run/netns/nerdctltest

Spin up the container:

> sudo ./nerdctl compose up -d
INFO[0000] Ensuring image nginx:latest
INFO[0000] Creating container nginx-nerdctltest

And test it again:

> sudo ip netns exec nerdctltest curl http://172.16.1.100
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
...

[dancavallaro]

Looks like there is one failing test (TestRunWithTtyAndDetached) that's failing in two of the Windows checks. It doesn't look like it'd be related to my changes here, and I found this open issue which makes it sound like there's a known stability issue with this test: #3437.

[apostasie]

Yes, ignore it. I will send a pr to skip it

[AkihiroSuda]

Can we have an integration test?

[dancavallaro]

Can we have an integration test?

Yes, I'll work on that today.

[dancavallaro]

I just fixed a batch of test failures but it looks like there are still some failures, I’ll keep digging into those.

[dancavallaro]

OK, all checks are passing now. I've added a new integration test that essentially does the same testing I was doing in manual testing (described above).

[AkihiroSuda]

Thanks

[dancavallaro]

Thanks for all your help @AkihiroSuda! Is there any approximate timeline for the 2.0.0 release or the next RC?