summaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_linux.go14
-rw-r--r--libpod/networking_linux.go46
2 files changed, 37 insertions, 23 deletions
diff --git a/libpod/container_linux.go b/libpod/container_linux.go
index 2330f27a7..1b1b3a1d9 100644
--- a/libpod/container_linux.go
+++ b/libpod/container_linux.go
@@ -21,9 +21,10 @@ func (ctr *Container) setNamespace(netNSPath string, newState *containerState) e
if ctr.state.NetNS != nil && netNSPath == ctr.state.NetNS.Path() {
newState.NetNS = ctr.state.NetNS
} else {
- // Tear down the existing namespace
- if err := ctr.runtime.teardownNetNS(ctr); err != nil {
- logrus.Warnf(err.Error())
+ // Close the existing namespace.
+ // Whoever removed it from the database already tore it down.
+ if err := ctr.runtime.closeNetNS(ctr); err != nil {
+ return err
}
// Open the new network namespace
@@ -37,9 +38,10 @@ func (ctr *Container) setNamespace(netNSPath string, newState *containerState) e
}
} else {
// The container no longer has a network namespace
- // Tear down the old one
- if err := ctr.runtime.teardownNetNS(ctr); err != nil {
- logrus.Warnf(err.Error())
+ // Close the old one, whoever removed it from the DB should have
+ // cleaned it up already.
+ if err := ctr.runtime.closeNetNS(ctr); err != nil {
+ return err
}
}
return nil
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index d9eb87572..dbc68e04b 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -9,13 +9,13 @@ import (
"path/filepath"
"strconv"
"strings"
- "syscall"
cnitypes "github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/cri-o/ocicni/pkg/ocicni"
"github.com/pkg/errors"
"github.com/projectatomic/libpod/pkg/inspect"
+ "github.com/projectatomic/libpod/pkg/netns"
"github.com/projectatomic/libpod/utils"
"github.com/sirupsen/logrus"
"github.com/vishvananda/netlink"
@@ -77,7 +77,7 @@ func (r *Runtime) configureNetNS(ctr *Container, ctrNS ns.NetNS) (err error) {
// Create and configure a new network namespace for a container
func (r *Runtime) createNetNS(ctr *Container) (err error) {
- ctrNS, err := ns.NewNS()
+ ctrNS, err := netns.NewNS()
if err != nil {
return errors.Wrapf(err, "error creating network namespace for container %s", ctr.ID())
}
@@ -148,7 +148,27 @@ func joinNetNS(path string) (ns.NetNS, error) {
return ns, nil
}
-// Tear down a network namespace
+// Close a network namespace.
+// Differs from teardownNetNS() in that it will not attempt to undo the setup of
+// the namespace, but will instead only close the open file descriptor
+func (r *Runtime) closeNetNS(ctr *Container) error {
+ if ctr.state.NetNS == nil {
+ // The container has no network namespace, we're set
+ return nil
+ }
+
+ if err := ctr.state.NetNS.Close(); err != nil {
+ return errors.Wrapf(err, "error closing network namespace for container %s", ctr.ID())
+ }
+
+ ctr.state.NetNS = nil
+
+ return nil
+}
+
+// Tear down a network namespace, undoing all state associated with it.
+// The CNI firewall rules will be removed, the namespace will be unmounted,
+// and the file descriptor associated with it closed.
func (r *Runtime) teardownNetNS(ctr *Container) error {
if ctr.state.NetNS == nil {
// The container has no network namespace, we're set
@@ -173,27 +193,19 @@ func (r *Runtime) teardownNetNS(ctr *Container) error {
// The network may have already been torn down, so don't fail here, just log
if err := r.netPlugin.TearDownPod(podNetwork); err != nil {
- logrus.Errorf("Failed to tear down network namespace for container %s: %v", ctr.ID(), err)
+ return errors.Wrapf(err, "error tearing down CNI namespace configuration for container %s", ctr.ID())
}
- nsPath := ctr.state.NetNS.Path()
+ // First unmount the namespace
+ if err := netns.UnmountNS(ctr.state.NetNS); err != nil {
+ return errors.Wrapf(err, "error unmounting network namespace for container %s", ctr.ID())
+ }
+ // Now close the open file descriptor
if err := ctr.state.NetNS.Close(); err != nil {
return errors.Wrapf(err, "error closing network namespace for container %s", ctr.ID())
}
- // We need to unconditionally try to unmount/remove the namespace
- // because we may be in a separate process from the one that created the
- // namespace, and Close() will only do that if it is the same process.
- if err := unix.Unmount(nsPath, unix.MNT_DETACH); err != nil {
- if err != syscall.EINVAL && err != syscall.ENOENT {
- return errors.Wrapf(err, "error unmounting network namespace %s for container %s", nsPath, ctr.ID())
- }
- }
- if err := os.RemoveAll(nsPath); err != nil && !os.IsNotExist(err) {
- return errors.Wrapf(err, "error removing network namespace %s for container %s", nsPath, ctr.ID())
- }
-
ctr.state.NetNS = nil
return nil