Creating a network bridge?

[stuartpb]

How can I spawn a container with runc that has its own network bridge a la Docker? Is there a specific script I can use?

[LK4D4]

@stuartpb There is no script. You can easily do this with iproute2 though.

[stuartpb]

Okay - what would such a script look like?

[wking]

On Fri, Aug 14, 2015 at 09:49:53AM -0700, Stuart P. Bentley wrote:

Okay - what would such a script look like?

On the Open Containers list an hour ago, I suggested we post an
example of this somewhere 1. I think the example hook should go in
a opencontainers/specs subdirectory, where we can collect best
practices for this sort of common use case. That would also provide
fodder for testing implementations for conformance.

 Message-ID: <20150814165327.GD15575@odin.tremily.us>

[stuartpb]

On the Open Containers list an hour ago, I suggested we post an
example of this somewhere [1]. I think the example hook should go in
a opencontainers/specs subdirectory, where we can collect best
practices for this sort of common use case. That would also provide
fodder for testing implementations for conformance.

This sounds great - I'd do it as a whole new opencontainers/best-practices repo.

[mikedanese]

For inspiration I would suggest checking out https://github.com/p8952/bocker/blob/master/bocker#L61

[mrunalp]

A pre-start hook like in #160 could be used to manipulate the network namespace to insert interfaces like in the script @mikedanese pointed above.

[crosbymichael]

The hook system will support you in adding networking to your containers. There are a few projects like https://github.com/jfrazelle/netns that do this. You can also provide a different network namespace for the container to do this but I think hooks are where most ppl are going today for network configuration in containers.

[CarltonSemple]

@crosbymichael I'm having trouble accessing the internet from inside the container. I tried the netns hook, but it seems to just add eth0.

My config.json is

{
	"ociVersion": "1.0.0-rc2-dev",
	"platform": {
		"os": "linux",
		"arch": "amd64"
	},
	"process": {
		"terminal": true,
		"consoleSize": {
			"height": 0,
			"width": 0
		},
		"user": {
			"uid": 0,
			"gid": 0
		},
		"args": [
			"sh"
		],
		"env": [
			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
			"TERM=xterm"
		],
		"cwd": "/",
		"capabilities": [
			"CAP_AUDIT_WRITE",
			"CAP_KILL",
			"CAP_NET_BIND_SERVICE"
		],
		"rlimits": [
			{
				"type": "RLIMIT_NOFILE",
				"hard": 1024,
				"soft": 1024
			}
		],
		"noNewPrivileges": true
	},
	"root": {
		"path": "rootfs",
		"readonly": false
	},
	"hostname": "runc",
	"mounts": [
		{
			"destination": "/proc",
			"type": "proc",
			"source": "proc"
		},
		{
			"destination": "/dev",
			"type": "tmpfs",
			"source": "tmpfs",
			"options": [
				"nosuid",
				"strictatime",
				"mode=755",
				"size=65536k"
			]
		},
		{
			"destination": "/dev/pts",
			"type": "devpts",
			"source": "devpts",
			"options": [
				"nosuid",
				"noexec",
				"newinstance",
				"ptmxmode=0666",
				"mode=0620",
				"gid=5"
			]
		},
		{
			"destination": "/sys",
			"type": "sysfs",
			"source": "sysfs",
			"options": [
				"nosuid",
				"noexec",
				"nodev",
				"ro"
			]
		},
		{
			"destination": "/sys/fs/cgroup",
			"type": "cgroup",
			"source": "cgroup",
			"options": [
				"nosuid",
				"noexec",
				"nodev",
				"relatime",
				"ro"
			]
		}
	],
	"hooks": {
		"prestart": [
		{
			"path": "/root/runcstuff/netns"
		}
		]
	},
	"linux": {
		"resources": {
			"disableOOMKiller": false,
			"devices": [
				{
					"allow": false,
					"access": "rwm"
				}
			]
		},
		"namespaces": [
			{
				"type": "pid"
			},
			{
				"type": "ipc"
			},
			{
				"type": "uts"
			},
			{
				"type": "mount"
			},
			{
                		"type": "network"
            		}
		]
	}
}

[alexellis]

@CarltonSemple how did you get on with this? I found netns had a bug where it said it was supposed to write to a bolt.db but never created this - it created a bridge but then "netns list" was throwing an error.. the repo has no way to create issues. 😕

[lifubang]

@alexellis I have fixed this issue two months ago, but there is no new release up until now.
You can see genuinetools/netns#9
I think you can pull netns code and compile it or wait the new release.

[alexellis]

That's good to know, thank you 👍 Do you use netns via a runc prestart/poststop hook or in some other way? I can barely find any documentation in containerd or netns for how to (create and attach) networks.

Related question: I was searching the containerd codebase and rather terse docs on how to set a pre-start hook but can't find anything there. Do you have any suggestions on how to pragmatically configure the spec with containerd? Basically I'd like to have a pre-start hook to create the ns and then have the spec also bind to that.

[lifubang]

@alexellis How about https://github.com/containerd/containerd/blob/master/container_test.go#L1519

[sfc-gh-cxie]

@alexellis Did you successfully use netns to create a network namespace in the container, I have a hook in prestart but it create the namespace in host, basically, it's runtime namespace but not container namespace