[ws-daemon] Enable workspace IP forwarding

to make the new nftables setup work
gitpod-io · Apr 12, 2022 · 94e147b · 94e147b
1 parent 274a435
commit 94e147b
Showing 1 changed file with 20 additions and 8 deletions.
diff --git a/components/ws-daemon/pkg/iws/iws.go b/components/ws-daemon/pkg/iws/iws.go
@@ -344,9 +344,9 @@ func (wbs *InWorkspaceServiceServer) SetupPairVeths(ctx context.Context, req *ap
 		return nil, status.Errorf(codes.Internal, "cannot setup a peer veths")
 	}
 
-	err = nsinsider(wbs.Session.InstanceID, int(pid), func(c *exec.Cmd) {
+	err = nsinsider(wbs.Session.InstanceID, int(containerPID), func(c *exec.Cmd) {
 		c.Args = append(c.Args, "enable-ip-forward")
-	}, enterMountNS(true))
+	}, enterNetNS(true), enterMountNSPid(1))
 	if err != nil {
 		log.WithError(err).WithFields(wbs.Session.OWI()).Error("SetupPairVeths: cannot enable IP forwarding")
 		return nil, status.Errorf(codes.Internal, "cannot enable IP forwarding")
@@ -736,9 +736,10 @@ func cleanupMaskedMount(owi map[string]interface{}, base string, paths []string)
 }
 
 type nsinsiderOpts struct {
-	MountNS bool
-	PidNS   bool
-	NetNS   bool
+	MountNS    bool
+	PidNS      bool
+	NetNS      bool
+	MountNSPid int
 }
 
 func enterMountNS(enter bool) nsinsiderOpt {
@@ -759,6 +760,13 @@ func enterNetNS(enter bool) nsinsiderOpt {
 	}
 }
 
+func enterMountNSPid(pid int) nsinsiderOpt {
+	return func(o *nsinsiderOpts) {
+		o.MountNS = true
+		o.MountNSPid = pid
+	}
+}
+
 type nsinsiderOpt func(*nsinsiderOpts)
 
 func nsinsider(instanceID string, targetPid int, mod func(*exec.Cmd), opts ...nsinsiderOpt) error {
@@ -781,10 +789,14 @@ func nsinsider(instanceID string, targetPid int, mod func(*exec.Cmd), opts ...ns
 	}
 	var nss []mnt
 	if cfg.MountNS {
+		tpid := targetPid
+		if cfg.MountNSPid != 0 {
+			tpid = cfg.MountNSPid
+		}
 		nss = append(nss,
-			mnt{"_LIBNSENTER_ROOTFD", fmt.Sprintf("/proc/%d/root", targetPid), unix.O_PATH},
-			mnt{"_LIBNSENTER_CWDFD", fmt.Sprintf("/proc/%d/cwd", targetPid), unix.O_PATH},
-			mnt{"_LIBNSENTER_MNTNSFD", fmt.Sprintf("/proc/%d/ns/mnt", targetPid), os.O_RDONLY},
+			mnt{"_LIBNSENTER_ROOTFD", fmt.Sprintf("/proc/%d/root", tpid), unix.O_PATH},
+			mnt{"_LIBNSENTER_CWDFD", fmt.Sprintf("/proc/%d/cwd", tpid), unix.O_PATH},
+			mnt{"_LIBNSENTER_MNTNSFD", fmt.Sprintf("/proc/%d/ns/mnt", tpid), os.O_RDONLY},
 		)
 	}
 	if cfg.PidNS {