diff options
author | Paul Holzinger <pholzing@redhat.com> | 2021-11-18 15:18:18 +0100 |
---|---|---|
committer | Paul Holzinger <pholzing@redhat.com> | 2021-11-18 17:34:06 +0100 |
commit | 62d6b6bf74e2d9be340ee2aaab02d7c54e42535e (patch) | |
tree | 030b3d6d0752e959aef567caa0c4b38eb0399e6d | |
parent | 9b964945d661d4f97b4a97f2f67d33f9dcd11e50 (diff) | |
download | podman-62d6b6bf74e2d9be340ee2aaab02d7c54e42535e.tar.gz podman-62d6b6bf74e2d9be340ee2aaab02d7c54e42535e.tar.bz2 podman-62d6b6bf74e2d9be340ee2aaab02d7c54e42535e.zip |
rootless netns, one netns per libpod tmp dir
The netns cleanup code is checking if there are running containers, this
can fail if you run several libpod instances with diffrent root/runroot.
To fix it we use one netns for each libpod instances. To prevent name
conflicts we use a hash from the static dir as part of the name.
Previously this worked because we would use the CNI files to check if
the netns was still in use. but this is no longer possible with netavark.
[NO NEW TESTS NEEDED]
Fixes #12306
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
-rw-r--r-- | libpod/networking_linux.go | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index 9be600bb4..314a74427 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -4,6 +4,7 @@ package libpod import ( "crypto/rand" + "crypto/sha1" "fmt" "io/ioutil" "net" @@ -400,10 +401,7 @@ func (r *Runtime) GetRootlessNetNs(new bool) (*RootlessNetNS, error) { return nil, nil } var rootlessNetNS *RootlessNetNS - runDir, err := util.GetRuntimeDir() - if err != nil { - return nil, err - } + runDir := r.config.Engine.TmpDir lfile := filepath.Join(runDir, "rootless-netns.lock") lock, err := lockfile.GetLockfile(lfile) @@ -429,7 +427,15 @@ func (r *Runtime) GetRootlessNetNs(new bool) (*RootlessNetNS, error) { if err != nil { return nil, err } - path := filepath.Join(nsDir, rootlessNetNsName) + + // create a hash from the static dir + // the cleanup will check if there are running containers + // if you run a several libpod instances with different root/runroot directories this check will fail + // we want one netns for each libpod static dir so we use the hash to prevent name collisions + hash := sha1.Sum([]byte(r.config.Engine.StaticDir)) + netnsName := fmt.Sprintf("%s-%x", rootlessNetNsName, hash[:10]) + + path := filepath.Join(nsDir, netnsName) ns, err := ns.GetNS(path) if err != nil { if !new { @@ -437,8 +443,8 @@ func (r *Runtime) GetRootlessNetNs(new bool) (*RootlessNetNS, error) { return nil, errors.Wrap(err, "error getting rootless network namespace") } // create a new namespace - logrus.Debug("creating rootless network namespace") - ns, err = netns.NewNSWithName(rootlessNetNsName) + logrus.Debugf("creating rootless network namespace with name %q", netnsName) + ns, err = netns.NewNSWithName(netnsName) if err != nil { return nil, errors.Wrap(err, "error creating rootless network namespace") } |