Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add new none network #430

Merged
merged 1 commit into from
Apr 12, 2024
Merged

feat: add new none network #430

merged 1 commit into from
Apr 12, 2024

Conversation

antrusd
Copy link
Contributor

@antrusd antrusd commented Apr 2, 2024

This PR will add net none driver support. The driver almost similar with host but only provide lo interface configured. This is follow up from #427 .

@antrusd antrusd mentioned this pull request Apr 2, 2024
Closed
@AkihiroSuda AkihiroSuda added this to the v2.1.0 milestone Apr 2, 2024
@AkihiroSuda
Copy link
Member 

$ rootlesskit --net=none bash
WARN[0000] [rootlesskit:parent] specifying --disable-host-loopback is highly recommended to prohibit connecting to 127.0.0.1:* on the host namespace (requires pasta, slirp4netns, or VPNKit)

This warning should not be printed for --net-none

AkihiroSuda
AkihiroSuda reviewed Apr 6, 2024
View reviewed changes
cmd/rootlesskit/main.go Outdated
case "none":
// NOP
default:
return opt, errors.New("network \"none\" requires port driver \"none\"")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"builtin" may work too?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right, updated

AkihiroSuda
AkihiroSuda reviewed Apr 6, 2024
View reviewed changes
pkg/network/none/none.go
return nil, nil, err
}

if detachedNetNSPath != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got an error:

$ rootlesskit --net=none --detach-netns bash
WARN[0000] [rootlesskit:parent] specifying --disable-host-loopback is highly recommended to prohibit connecting to 127.0.0.1:* on the host namespace (requires pasta, slirp4netns, or VPNKit) 
nsenter: reassociate to namespace 'ns/net' failed: Operation not permitted
[rootlesskit:parent] error: failed to setup network &{}: exit status 1
[rootlesskit:child ] error: EOF

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm, I never use --detach-netns actually, missed the test.

but then none network driver shouldn't have --detach-netns support since we don't have any network but loopback ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

none may support --detach-netns for consistency with other network drivers, but not a hard requirement.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry, I may not really understand --detach-netns well enough. I tried to put the sleep infinity before configure loopback, then if I end up something similar with --net=host, is this expected ?

	if detachedNetNSPath != "" {
		cmd := exec.Command("nsenter", "-t", strconv.Itoa(childPID), "-n"+detachedNetNSPath, "--no-fork", "-m", "-U", "--preserve-credentials", "sleep", "infinity")
		cmd.SysProcAttr = &syscall.SysProcAttr{
			Pdeathsig: syscall.SIGKILL,
		}
		err := cmd.Start()
		if err != nil {
			return nil, nil, err
		}
		childPID = cmd.Process.Pid
	}

	cmds := [][]string{
		[]string{"nsenter", "-t", strconv.Itoa(childPID), "--no-fork", "-n", "-m", "-U", "--preserve-credentials", "ip", "address", "add", "127.0.0.1/8", "dev", "lo"},
		[]string{"nsenter", "-t", strconv.Itoa(childPID), "--no-fork", "-n", "-m", "-U", "--preserve-credentials", "ip", "link", "set", "lo", "up"},
	}
	if err := common.Execs(os.Stderr, os.Environ(), cmds); err != nil {
		return nil, nil, err
	}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if that so, then configuring loppback when --detach-netns seems useless.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rootlesskit --net=none --detach-netns bash will run bash in the host netns, and detach a new lo-only netns in $ROOTLESSKIT_STATE_DIR/netns.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

got it, updated

@antrusd
Copy link
Contributor Author

antrusd commented Apr 8, 2024 

$ rootlesskit --net=none bash
WARN[0000] [rootlesskit:parent] specifying --disable-host-loopback is highly recommended to prohibit connecting to 127.0.0.1:* on the host namespace (requires pasta, slirp4netns, or VPNKit)

This warning should not be printed for --net-none

Updated here

@antrusd
feat: add new none network
998ce8f 
Signed-off-by: Anthony Rusdi <anthony.rusdi@gmail.com>
AkihiroSuda
AkihiroSuda approved these changes Apr 12, 2024
View reviewed changes
Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@AkihiroSuda AkihiroSuda merged commit 8412a3c into rootless-containers:master Apr 12, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2.1.0
Development

Successfully merging this pull request may close these issues.
2 participants
@antrusd @AkihiroSuda