Support mount, uts and ipc namespaces in the host #847
Conversation
/test
/test
@devimc thanks for the PR, but please be more verbose about the problem statement, and the reasons behind the choices you made. It is a pretty huge PR affecting main components, and it needs to be clear about the
@sboeuf sure, I still need to write a document
/test
waiting for the doc~ @devimc and maybe we need to take
536e3b6 to f3f421c
/test
/test
cf39256 to 8ffdab1
/test
/test
Skip crio test 'ctr list filtering' to allow kata-containers/runtime#847 to land

fixes kata-containers#945

Signed-off-by: Julio Montes <julio.montes@intel.com>

Unlike other runtimes, we have several components like qemu, kata-shim and kata-proxy that should be placed in a new namespace to improve the isolation and security. The problem is that we need persistent namespaces, and in the case of the mount namespace (aka headache namespace ;)) it MUST BE created before starting golang execution and in a new mount point with a propagation different to shared. Even worse, to make it persistent the new namespace (/proc/PID/ns/mnt) MUST be 'bind mounted' by a process that doesn't know of the existence of it. To get more information about this, see github.com/karelzak/util-linux/commit/c84f2590dfdb8570beeb731e0105f8fe597443d1

With these new functions it is now possible to join, create, remove and make persistent namespaces. The next diagram can help us to understand how it works.

```
============================================================================
|                   Host's namespace                    |  New namespace!  |
|                                                       |                  |
|-------------------------------------------------------|------------------|
| C (no threads, no goroutines, NO GOLANG!)             |                  |
|                                                       |                  |
|  ---------   ---------------                          |                  |
| | Runtime |-|listen children|--|fork-setns-unshare|---|-------.          |
|  ---------   ---------------\                         |       |          |
|     |                  |     \                        |       |          |
|    fork                | Wait children &              |       |          |
|     |                  |      exit                    |       |          |
|-------------------------------------------------------|-------|----------|
| Golang                 |                              |       |          |
|     |                  | join,create,make,remove      |       |          |
|  ---------             | persistent namespace         |   ---------      |
| | Runtime |            |                              |  | Runtime |     |
|  ---------   --------  |                              |   ---------      |
|     |       |-Create   |                              |       |          |
| parse jsons |-Start    |                              |Create,start,etc. |
| and cmdline |-Delete   |                              |   Containers     |
|     \       |-etc      |                              |       |          |
|      \      |--------  |                              |      exit        |
|       --subcmd-'       |                              |                  |
|               \        |                              |                  |
|                - exit  |                              |                  |
============================================================================
```

fixes kata-containers#160

Depends-on: github.com/kata-containers/tests#946

Signed-off-by: Julio Montes <julio.montes@intel.com>

Set up the console in create, after tracing and once the container ID has been obtained.

Signed-off-by: Julio Montes <julio.montes@intel.com>

Depending on the command and the container type, the runtime creates, joins, makes or removes a persistent namespace. When the container type is a container, the rootfs for this container must be mounted on create and unmounted on kill or delete, since it's not visible in the sandbox namespace.

Signed-off-by: Julio Montes <julio.montes@intel.com>

The shim is already started in a new UTS and IPC namespace, hence clone flags are no longer needed when it's started.

Signed-off-by: Julio Montes <julio.montes@intel.com>

In order to avoid file descriptor leaks, the communication channel with the parent must be closed.

Signed-off-by: Julio Montes <julio.montes@intel.com>

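The namespace dance the first commit message describes, and the "close the channel to the parent" rule from the last one, as an added C example that is not part of this PR or of the kata-containers code base: a single-threaded child creates a mount namespace and switches its propagation to private, the parent (still in the host namespace, and therefore "a process that doesn't know of the existence of it") bind-mounts the child's /proc/PID/ns/mnt onto a handle file to make the namespace persistent, a fresh child later joins it with setns and checks the nsfs inode to prove it landed there, and the handle is finally unmounted. It assumes Linux with CAP_SYS_ADMIN; the handle path in the test is a hypothetical location, not kata's directory layout. Without the capability the functions return -EPERM instead of crashing, which is the failure mode you hit when running this unprivileged.

```c
/* Added example, not kata-containers code: persistent mount namespace via
 * fork + unshare + bind mount of /proc/PID/ns/mnt. Needs Linux + CAP_SYS_ADMIN. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Helper children report the errno they failed with as their exit status. */
static int child_result(pid_t pid)
{
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? -WEXITSTATUS(status) : -EIO;
}

/* Create a private mount namespace in a single-threaded child and keep it
 * alive by bind-mounting the child's /proc/PID/ns/mnt onto `handle`. The
 * parent does the bind mount: it still lives in the host namespace, which is
 * the only place where the handle is useful. Returns 0 or -errno. */
int persist_mount_ns(const char *handle)
{
    int ready[2], go[2], rc = 0;
    char c = 'r';
    if (pipe2(ready, O_CLOEXEC) < 0 || pipe2(go, O_CLOEXEC) < 0)
        return -errno;
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        close(ready[0]); close(go[1]);      /* don't leak the parent's ends */
        if (unshare(CLONE_NEWNS) < 0)
            _exit(errno);
        /* propagation must not stay shared, or the bind mount leaks back */
        if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
            _exit(errno);
        if (write(ready[1], &c, 1) != 1)
            _exit(errno);
        (void)read(go[0], &c, 1);           /* block until persisted */
        _exit(0);
    }
    close(ready[1]); close(go[0]);
    if (read(ready[0], &c, 1) == 1) {       /* child is in the new namespace */
        char nspath[64];
        snprintf(nspath, sizeof nspath, "/proc/%d/ns/mnt", (int)pid);
        int fd = open(handle, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
        if (fd < 0 || mount(nspath, handle, NULL, MS_BIND, NULL) < 0) {
            rc = -errno;
            unlink(handle);
        }
        if (fd >= 0)
            close(fd);
        (void)write(go[1], &c, 1);          /* let the child exit */
    }
    close(ready[0]); close(go[1]);          /* the channel must not outlive us */
    int wrc = child_result(pid);
    return rc < 0 ? rc : wrc;
}

/* Join the persisted namespace from a fresh single-threaded child (setns with
 * CLONE_NEWNS is refused for multithreaded processes, i.e. once the Go runtime
 * is up) and verify via the nsfs inode that we really landed in it. */
int join_mount_ns(const char *handle)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        struct stat want, have;
        int fd = open(handle, O_RDONLY | O_CLOEXEC);
        if (fd < 0 || fstat(fd, &want) < 0 || setns(fd, CLONE_NEWNS) < 0)
            _exit(errno);
        if (stat("/proc/self/ns/mnt", &have) < 0)
            _exit(errno);
        _exit(want.st_ino == have.st_ino && want.st_dev == have.st_dev ? 0 : EXDEV);
    }
    return child_result(pid);
}

/* Remove the handle; the namespace is freed once nothing references it. */
int remove_mount_ns(const char *handle)
{
    if (umount2(handle, MNT_DETACH) < 0 || unlink(handle) < 0)
        return -errno;
    return 0;
}

/* Whole cycle: create+persist, join, remove. Returns 0 or the first -errno. */
int run_demo(const char *handle)
{
    int rc = persist_mount_ns(handle);
    if (rc < 0)
        return rc;
    int jrc = join_mount_ns(handle), rrc = remove_mount_ns(handle);
    return jrc < 0 ? jrc : rrc;
}
```

Both pipes are opened O_CLOEXEC and every end the current side does not need is closed immediately after fork, so neither the child nor anything it later execs inherits the parent's channel; that is the leak the last commit is about. The inode comparison is the check a practitioner wants after setns: the bind-mounted handle and /proc/self/ns/mnt must resolve to the same nsfs inode, otherwise the join silently landed somewhere else.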
/test
@devimc This needs a rebase.
@devimc any updates?
@raravena80 ehmm nop, I'd like to present this in the kata arch meeting
Hi @devimc - Thanks for raising! As @sboeuf has noted, this is a complex one. It does kind of feel like this issue should be handled by fixing golang rather than us having to jump through "hoops of fire" as it were ;) On that topic, is anyone aware of a golang github issue regarding the namespace issues? I took a quick look but didn't find anything useful (ironically, searching on google led me back to the Kata github project! ;) Awesome ASCII art btw, but it would be helpful if you could provide a step-by-step explanation of how this works to allow us all to "digest" this PR more quickly.
What issue? The namespace problem fixed in golang 1.10? golang/go#20676 #148
@caoruidong - I was referring to @sboeuf's comment:
@jodh-intel golang/go#8676
@devimc - This has been open for a while now (and the branch is now conflicted). I think there is a general feeling that although this PR solves a problem, it introduces more complexity than we are comfortable with, unless there is a very good reason for it. It also introduces C code. I understand why that is, but again, I think we'd rather not use C unless there is a super-compelling reason for it, due to the potential security implications. It would also require us to set up new static analysis, etc, etc. Hence, please could you / @amshinde provide further details on why we need this, ideally with some examples. Trying to trace back through the issues leads to the initial issue... containing no details :-(( I think you did present this at the Architecture Committee meeting? Please could you add details here of what the feedback was. If there wasn't any, or wasn't enough, I think it might be worth you raising this topic again in the AC meeting. Now that folk have had time to consider the impact of adding this change we might get more feedback.
github: Remove issue template and use central one