Allow creation of a rootless netns backed by Pasta #1846
Conversation
mheon
force-pushed
the
allow_rootless_netns_pasta
branch
3 times, most recently
from
e06bf83 to
a202476
Compare
| // rootlessNetNsSilrp4netnsPidFile is the name of the rootless netns slirp4netns pid file | ||
| rootlessNetNsSilrp4netnsPidFile = "rootless-netns-slirp4netns.pid" | ||
| // rootlessNetNsConnPidFile is the name of the rootless netns slirp4netns/pasta pid file | ||
| rootlessNetNsConnPidFile = "rootless-netns-slirp4netns.pid" |
There was a problem hiding this comment.
might as well rename the file, this code was only add during 5.0-dev so it is fine to break this here
| @@ -113,7 +114,14 @@ func (n *Netns) getOrCreateNetns() (ns.NetNS, bool, error) { | |||
| if err != nil { | |||
| return nil, false, wrapError("create netns", err) | |||
| } | |||
| err = n.setupSlirp4netns(nsPath) | |||
| switch strings.ToLower(n.config.Network.DefaultRootlessNetworkCmd) { | |||
| case "slirp4netns": | |||
There was a problem hiding this comment.
use constant, slirp4netns.BinaryName
also match "" as well because we allow this in podman,buildah atm
| switch strings.ToLower(n.config.Network.DefaultRootlessNetworkCmd) { | ||
| case "slirp4netns": | ||
| err = n.setupSlirp4netns(nsPath) | ||
| case "pasta": |
| multiErr = multierror.Append(multiErr, wrapError("kill slirp4netns", err)) | ||
| // Pasta does not require teardown, it will tear itself down so long as | ||
| // we get rid of the netns. | ||
| if n.config.Network.DefaultRootlessNetworkCmd == "slirp4netns" { |
| pastaOpts := pasta.SetupOptions{ | ||
| Config: n.config, | ||
| Netns: nsPath, | ||
| ExtraOptions: []string{"-p", rootlessNetNsConnPidFile}, |
There was a problem hiding this comment.
doesn't this create the file in the cwd? It must be wrapped in n.getPath() to get a proper absolute path.
|
|
||
| if systemd.RunsOnSystemd() { | ||
| // Treat these as fatal - if pasta failed to write a PID file something is probably wrong. | ||
| pidfile, err := os.ReadFile(rootlessNetNsConnPidFile) |
mheon
force-pushed
the
allow_rootless_netns_pasta
branch
from
a202476 to
3a37c0b
Compare
|
Comments addressed |
| @@ -113,7 +114,14 @@ func (n *Netns) getOrCreateNetns() (ns.NetNS, bool, error) { | |||
| if err != nil { | |||
| return nil, false, wrapError("create netns", err) | |||
| } | |||
| err = n.setupSlirp4netns(nsPath) | |||
| switch strings.ToLower(n.config.Network.DefaultRootlessNetworkCmd) { | |||
| case "", slirp4netns.BinaryName: | |||
There was a problem hiding this comment.
Should this be switched to default to pasta?
There was a problem hiding this comment.
I don't think it matters, it should always be explicitly set in containers.conf
There was a problem hiding this comment.
Some distributions do not ship a containers.conf, or was the default modified in common/pkg/config/default.go?
There was a problem hiding this comment.
Looks like not yet.
DefaultRootlessNetworkCmd: "slirp4netns",
There was a problem hiding this comment.
Before merging this needs to be vendored into podman and tested there, I guess you can either switch the default directly in this PR to test or write a containers.conf in podman CI.
Either way I expect failing tests in podman as some likely depend on certain slirp behaviours.
| pastaOpts := pasta.SetupOptions{ | ||
| Config: n.config, | ||
| Netns: nsPath, | ||
| ExtraOptions: []string{"-p", pidPath}, |
There was a problem hiding this comment.
-p is actually not the pid file, -P is, but I recommend to use --pid
| } | ||
| pid, err := strconv.Atoi(string(pidfile)) | ||
| if err != nil { | ||
| return fmt.Errorf("unable to decode pasta PID (got %q): %w", string(pidfile), err) |
There was a problem hiding this comment.
no need to include the pidfile data in the error as the Atoi error already includes this so you would stutter the error.
mheon
force-pushed
the
allow_rootless_netns_pasta
branch
7 times, most recently
from
af15ea1 to
a9fe405
Compare
|
Tests are here: containers/podman#21563 Mostly passing now (minor issue in APIv2) but the system tests are timing out. Potentially could be Pasta being slower to start than slirp4netns? |
|
If you change the default here in the same commit then this needs docs changes as well for it. Anyhow I would think we can merge this without making pasta default here in this PR. And figure out the remaining test problems next week as the timeouts are very concerning. If pasta is actually so much slower than I am not sure if we want to continue to make it the default given it adds at least 10 mins to the system tests. |
mheon
force-pushed
the
allow_rootless_netns_pasta
branch
9 times, most recently
from
e9c35ad to
1a6727c
Compare
mheon
force-pushed
the
allow_rootless_netns_pasta
branch
from
1a6727c to
dd99f6c
Compare
I'd call that "the same". Is there any particular configuration or sequence I should look into? |
No looks good to me as well. I wouldn't worry about that, the problem in podman PR clearly shows the problem is leaking pasta processes not speed. |
Okay, let me prepare a release with the fix then. We don't know if it fixes that issue or not, but I think it's a critical fix anyway, as the inotify watch setup can semi-silently fail. |
mheon
force-pushed
the
allow_rootless_netns_pasta
branch
from
4965bb8 to
328022e
Compare
|
Ack, will do |
mheon
force-pushed
the
allow_rootless_netns_pasta
branch
2 times, most recently
from
45f4aee to
dd24d75
Compare
There was a problem hiding this comment.
One final, nit. Rest looks good here and podman tests seem to be happy as well.
One last ask would be to make sure this vendors into buildah as well without breaking tests there. Might need to users newer VM images there first (not sure if they got updated for the latest pasta)
| if err := n.cleanupRootlessNetns(); err != nil { | ||
| multiErr = multierror.Append(multiErr, wrapError("kill slirp4netns", err)) |
There was a problem hiding this comment.
the wrapError message needs to change as well, maybe to kill networking process?
This makes the code for setting up rootless network namespaces dependent on what the default rootless network provider is, and allows Pasta to be used for traffic forwarding on the rootless netns. This also switches the default rootless network provider to Pasta Signed-off-by: Matt Heon <mheon@redhat.com>
mheon
force-pushed
the
allow_rootless_netns_pasta
branch
from
dd24d75 to
fdf91cd
Compare
|
Fixed & force-pushed. Let's get this landed. |
There was a problem hiding this comment.
LGTM
/hold
Please do not merge this yet, c/common seems to be blocked in podman (containers/podman#21828), lets not add more changes on top of that require large changes in podman. Once the latest common is merged in podman we can merged this and do another vendor with all your test fixes in the PR.
Also please do a buildah test run I suspect you may need some test changes there as well.
|
Buildah run is a good call, will do that now. |
|
containers/buildah#5359 for Buildah |
|
@Luap99 I think we decided we can merge this as-is now, yes? |
|
If we vendor the latest c/common already in podman then yes, however looks like there are failing test in containers/podman#21774 which sounds like c/storage regressions to me but haven't really looked closely. I can do so tomorrow morning. |
There was a problem hiding this comment.
LGTM
/lgtm
/hold
containers/podman#21774 is about to merge,
remove the hold when you are ready to rebase your podman PR against c/common@main
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Luap99, mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
This makes the code for setting up rootless network namespaces dependent on what the default rootless network provider is, and allows Pasta to be used for traffic forwarding on the rootless netns.