authorMatthew Heon <matthew.heon@gmail.com>2018-07-26 15:09:31 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-07-27 02:48:15 +0000
commit8c52aa15f0e4927c0e570102efaa34dbe93d6156 (patch)
tree8fd063a97ba3145322ff3a56e7a0937c778bd403 /libpod/container_linux.go
parent54967d7a10d70fb90c0e163ff78c15036518f2d2 (diff)
Fix handling of Linux network namespaces
The CNI plugins upstream removed their network namespace creation code, making it a test package only. Copy it into our repository and slightly modify it for our use (most notably, use MNT_DETACH when unmounting namespaces). This new CNI code splits closing and unmounting network namespaces, which allows us to greatly reduce the number of occasions on which we call teardownNetwork() and make more errors in that function fatal instead of warnings. Instead, we can call Close() and just close the open file descriptor in cases where the namespace has already been cleaned up. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1165 Approved by: baude
Diffstat (limited to 'libpod/container_linux.go')
-rw-r--r--libpod/container_linux.go14
1 files changed, 8 insertions, 6 deletions
diff --git a/libpod/container_linux.go b/libpod/container_linux.go
index 2330f27a7..1b1b3a1d9 100644
--- a/libpod/container_linux.go
+++ b/libpod/container_linux.go
@@ -21,9 +21,10 @@ func (ctr *Container) setNamespace(netNSPath string, newState *containerState) e
if ctr.state.NetNS != nil && netNSPath == ctr.state.NetNS.Path() {
newState.NetNS = ctr.state.NetNS
} else {
- // Tear down the existing namespace
- if err := ctr.runtime.teardownNetNS(ctr); err != nil {
- logrus.Warnf(err.Error())
+ // Close the existing namespace.
+ // Whoever removed it from the database already tore it down.
+ if err := ctr.runtime.closeNetNS(ctr); err != nil {
+ return err
}
// Open the new network namespace
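Review bot: The bare `return err` after the new `closeNetNS` call tells the caller neither which container nor which step of setNamespace failed, and this path is now fatal where it used to be only a warning. Wrapping the error would make a failed state sync diagnosable, for example `return errors.Wrapf(err, "error closing network namespace for container %s", ctr.ID())`, assuming the file already imports the errors package used elsewhere in libpod. The same applies to the `return err` in the second hunk. setNamespace begins before this hunk and continues past it.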
@@ -37,9 +38,10 @@ func (ctr *Container) setNamespace(netNSPath string, newState *containerState) e
}
} else {
// The container no longer has a network namespace
- // Tear down the old one
- if err := ctr.runtime.teardownNetNS(ctr); err != nil {
- logrus.Warnf(err.Error())
+ // Close the old one, whoever removed it from the DB should have
+ // cleaned it up already.
+ if err := ctr.runtime.closeNetNS(ctr); err != nil {
+ return err
}
}
return nil
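Review bot: The new comments in both hunks rely on an invariant that nothing here checks: that whoever removed the namespace from the database also unmounted it and ran the network teardown. closeNetNS is not visible in this diff, but going by the commit message it only closes this process's file descriptor. If the remover died between updating the database and tearing down, the namespace mount and any addresses or firewall rules set up for it would presumably stay behind with no later path to reclaim them. I would state that in the code, e.g. `// NOTE: only the fd is closed here; unmounting and CNI teardown are the remover's responsibility`, and repeat the invariant in closeNetNS's doc comment so a future caller does not treat it as a full cleanup.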