
Enable other containers to join network namespace of the none network #3443

Open. Wants to merge 1 commit into base: main.

Conversation

Shubhranshu153 (Contributor)

Fixes: Unable to attach to container network created with none

Description

There is a use case with pause containers, where other containers attach to the pause container's network. The pause container is launched with network none. This requires that the pause container have a copy of hosts, hostname and resolv.conf.
It also seems that to share a net namespace, the containers must also share a user namespace.

The solution is to have a copy of the hosts/hostname and resolv.conf. In case of container network, add userns and netns both.

Want to confirm whether this is an acceptable solution and I can send out a PR for it.
Steps to reproduce the issue

Create a pause container with network none.
Create another container with --net container:

Describe the results you received and expected

It would display errors with resolv.conf not found, and once those configs are added, it would show an error with sysfs.
Expected result is to be able to connect to the network of pause container.
What version of nerdctl are you using?

1.7.5
Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None
Host information

lima vm (fedora image), but can be reproduced in any architecture.

@Shubhranshu153 Shubhranshu153 marked this pull request as ready for review September 20, 2024 18:03
@AkihiroSuda (Member)

Want to confirm is this an acceptable solution

Yes if it works with Docker.

Needs an integration test.

if err != nil {
return nil, nil, err
}
copyFileContent("/etc/hosts", etcHostsPath)
@apostasie (Contributor) Sep 20, 2024

/etc/hosts content has already been written on line 202.

Shubhranshu153 (Contributor Author)

ack

}

resolvConfPath := filepath.Join(stateDir, "resolv.conf")
copyFileContent("/etc/resolv.conf", resolvConfPath)
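Review bot: the result of copyFileContent on the last line of this hunk is discarded, so a failed copy (for example a missing source file) would go unnoticed; return it the way the `if err != nil` branch in the previous hunk does. Separately, copying the host's /etc/resolv.conf verbatim hands a network-none container the host's resolver configuration; generating the file from the container's own DNS options, as suggested for mimicking cniNetworkManager, avoids that.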
@apostasie (Contributor)

That would make containers using none to now use the host resolv.conf, right?
This does not seem right.

Shubhranshu153 (Contributor Author)

Checked with Docker and they have it for none. Personally I don't think it should be part of none, but if it is not, attaching to a none network namespace (custom use cases) seems to throw an error.

@apostasie (Contributor)

It does not look like they have it here...

docker run --net none debian cat /etc/resolv.conf

# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 192.168.5.2
search .

# Based on host file: '/run/systemd/resolve/resolv.conf' (legacy)
# Overrides: []

vs.

cat /etc/resolv.conf

nameserver 127.0.0.53
options edns0 trust-ad
search .

Shubhranshu153 (Contributor Author) Sep 21, 2024

This is my output (Docker 25):

docker run --network none alpine:latest cat /etc/resolv.conf 
<redacted>
nameserver 10.4.4.10
options timeout:1 attempts:2
 sudo docker run --network none alpine:latest cat /etc/hostname
9d25f3a65441

Shubhranshu153 (Contributor Author)

To be fair, I tested on another system and got the same as yours too, so I am not sure which one is correct, but for some systems is it taking it from /run/systemd/resolv/resolv.conf?

@apostasie (Contributor)

It likely does not matter much, since there will be no network anyhow. The concern here is more about information leakage.
I would suggest we either leave it empty or mimic the behavior of cniNetworkManager.

Shubhranshu153 (Contributor Author)

Not sure if information leakage is a concern in network none; if one can ssh from the host, they have access to /etc/resolv.conf of the host anyway.

I like the idea of mimicking the behavior of cniNetworkManager; that seems to take into account adding hosts, DNS, etc.

While we are on the topic, if we use --network container:containerd id with

		nameServers   = m.netOpts.DNSServers
		searchDomains = m.netOpts.DNSSearchDomains
		dnsOptions    = m.netOpts.DNSResolvConfOptions

don't we want to add them to the resolv.conf? Similarly, if --network host is used with these options, I am not sure they are getting added:

[shubhum@lima-finch nerdctl]$ sudo nerdctl run  --network host --hostname default --dns test --dns-search testname alpine:latest cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search ant.amazon.com amazon.com
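Added example, not nerdctl's code: one way to build a none-network container's resolv.conf from the DNSServers, DNSSearchDomains and DNSResolvConfOptions settings named above instead of copying the host file, which is the cniNetworkManager-style approach the reviewers prefer. DNSOpts, RenderResolvConf and WriteResolvConf are invented names, and dropping loopback resolvers is our own addition, since a container in a separate network namespace cannot reach a host-side stub such as 127.0.0.53.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// DNSOpts holds the three settings the thread names on m.netOpts
// (DNSServers, DNSSearchDomains, DNSResolvConfOptions); the struct is ours.
type DNSOpts struct {
	Servers       []string
	SearchDomains []string
	Options       []string
}

// RenderResolvConf builds resolv.conf from explicit options only, so nothing
// from the host's own /etc/resolv.conf reaches a network-none container.
// Loopback resolvers (e.g. systemd-resolved's 127.0.0.53) are dropped: a
// separate network namespace has its own loopback and cannot reach them.
func RenderResolvConf(o DNSOpts) string {
	var b strings.Builder
	for _, ns := range o.Servers {
		if ip := net.ParseIP(ns); ip == nil || ip.IsLoopback() {
			continue // skip unparsable and loopback entries
		}
		fmt.Fprintf(&b, "nameserver %s\n", ns)
	}
	if len(o.SearchDomains) > 0 {
		fmt.Fprintf(&b, "search %s\n", strings.Join(o.SearchDomains, " "))
	}
	if len(o.Options) > 0 {
		fmt.Fprintf(&b, "options %s\n", strings.Join(o.Options, " "))
	}
	return b.String()
}

// WriteResolvConf writes the rendered file into the container's state dir and
// returns any error instead of silently discarding it as an unchecked copy would.
func WriteResolvConf(stateDir string, o DNSOpts) (string, error) {
	p := filepath.Join(stateDir, "resolv.conf")
	if err := os.WriteFile(p, []byte(RenderResolvConf(o)), 0o644); err != nil {
		return "", fmt.Errorf("write %s: %w", p, err)
	}
	return p, nil
}
```

With the --dns test / --dns-search testname flags from the command above the file would contain only those values, and a host-side 127.0.0.53 would never be written.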

return nil, nil, err
}

etcHostsPath, err := hs.AllocHostsFile(containerID, content)
@apostasie (Contributor)

Same comment as above. It does not seem like none should have the host /etc/hosts content...
