diff options
| author | Paul Holzinger <paul.holzinger@web.de> | 2021-02-18 13:51:27 +0100 |
|---|---|---|
| committer | Paul Holzinger <paul.holzinger@web.de> | 2021-04-01 17:27:03 +0200 |
| commit | 54b588c07d05858c9bbc523eeff0badb85d53f76 (patch) | |
| tree | 5777cc6f9856b71151e2e333dd9ad716c45df661 /libpod/container_internal_linux.go | |
| parent | 8b599c51268dc141bd963d8b5d3f25feadfcbb0e (diff) | |
| download | podman-54b588c07d05858c9bbc523eeff0badb85d53f76.tar.gz podman-54b588c07d05858c9bbc523eeff0badb85d53f76.tar.bz2 podman-54b588c07d05858c9bbc523eeff0badb85d53f76.zip | |
rootless cni without infra container
Instead of creating an extra container create a network and mount
namespace inside the podman user namespace. This ns is used to
for rootless cni operations.
This helps to align the rootless and rootful network code path.
If we run as rootless we just have to set up a extra net ns and
initialize slirp4netns in it. The ocicni lib will be called in
that net ns.
This design allows allows easier maintenance, no extra container
with pause processes, support for rootless cni with --uidmap
and possibly more.
The biggest problem is backwards compatibility. I don't think
live migration can be possible. If the user reboots or restart
all cni containers everything should work as expected again.
The user is left with the rootless-cni-infa container and image
but this can safely be removed.
To make the existing cni configs work we need execute the cni plugins
in a extra mount namespace. This ensures that we can safely mount over
/run and /var which have to be writeable for the cni plugins without
removing access to these files by the main podman process. One caveat
is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns`
accessible.
`XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`.
To ensure that we keep the netns directory we bind mount this relative
to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns
before we mount the run directory. The run directory is mounted recursive,
this makes the netns directory at the same path accessible as before.
This also allows iptables-legacy to work because /run/xtables.lock is
now writeable.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Diffstat (limited to 'libpod/container_internal_linux.go')
| -rw-r--r-- | libpod/container_internal_linux.go | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index a136fb72d..d167bf188 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -92,11 +92,7 @@ func (c *Container) prepare() error { // Set up network namespace if not already set up noNetNS := c.state.NetNS == nil if c.config.CreateNetNS && noNetNS && !c.config.PostConfigureNetNS { - if rootless.IsRootless() && len(c.config.Networks) > 0 { - netNS, networkStatus, createNetNSErr = AllocRootlessCNI(context.Background(), c) - } else { - netNS, networkStatus, createNetNSErr = c.runtime.createNetNS(c) - } + netNS, networkStatus, createNetNSErr = c.runtime.createNetNS(c) if createNetNSErr != nil { return } |