Re-remove the SetKey OCI prestart hook
Second attempt to stop using the OCI prestart hook to call SetKey to set up the OS Sandbox's key and perform network config in the new network namespace. The first attempt was reverted because it made it impossible to use --sysctl to set per-interface sysctls on an interface that had not yet been moved into the new network namespace. Now, per-interface sysctls can be used to do that, with less ambiguity because the setting is no longer tied to an interface name that is assigned unpredictably. Signed-off-by: Rob Murray <rob.murray@docker.com>
@@ -17,13 +17,11 @@ import (
|
||||
"github.com/docker/docker/container"
|
||||
dconfig "github.com/docker/docker/daemon/config"
|
||||
"github.com/docker/docker/errdefs"
|
||||
"github.com/docker/docker/internal/otelutil"
|
||||
"github.com/docker/docker/internal/rootless/mountopts"
|
||||
"github.com/docker/docker/internal/rootless/specconv"
|
||||
"github.com/docker/docker/oci"
|
||||
"github.com/docker/docker/oci/caps"
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
"github.com/docker/docker/pkg/stringid"
|
||||
volumemounts "github.com/docker/docker/volume/mounts"
|
||||
"github.com/moby/sys/mount"
|
||||
"github.com/moby/sys/mountinfo"
|
||||
@@ -32,7 +30,6 @@ import (
|
||||
"github.com/opencontainers/runc/libcontainer/cgroups"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/pkg/errors"
|
||||
"go.opentelemetry.io/otel"
|
||||
)
|
||||
|
||||
const inContainerInitPath = "/sbin/" + dconfig.DefaultInitBinary
|
||||
@@ -62,33 +59,6 @@ func withRlimits(daemon *Daemon, daemonCfg *dconfig.Config, c *container.Contain
|
||||
}
|
||||
}
|
||||
|
||||
// withLibnetwork sets the libnetwork hook
|
||||
func withLibnetwork(daemon *Daemon, daemonCfg *dconfig.Config, c *container.Container) coci.SpecOpts {
|
||||
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
|
||||
if c.Config.NetworkDisabled {
|
||||
return nil
|
||||
}
|
||||
for _, ns := range s.Linux.Namespaces {
|
||||
if ns.Type == specs.NetworkNamespace && ns.Path == "" {
|
||||
if s.Hooks == nil {
|
||||
s.Hooks = &specs.Hooks{}
|
||||
}
|
||||
shortNetCtlrID := stringid.TruncateID(daemon.netController.ID())
|
||||
|
||||
var carrier otelutil.EnvironCarrier
|
||||
otel.GetTextMapPropagator().Inject(ctx, &carrier)
|
||||
|
||||
s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{ //nolint:staticcheck // FIXME(thaJeztah); replace prestart hook with a non-deprecated one.
|
||||
Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
|
||||
Env: carrier.Environ(),
|
||||
Args: []string{"libnetwork-setkey", "-exec-root=" + daemonCfg.GetExecRoot(), c.ID, shortNetCtlrID},
|
||||
})
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
// withRootless sets the spec to the rootless configuration
|
||||
func withRootless(daemon *Daemon, daemonCfg *dconfig.Config) coci.SpecOpts {
|
||||
return func(_ context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
|
||||
@@ -1038,7 +1008,6 @@ func (daemon *Daemon) createSpec(ctx context.Context, daemonCfg *configStore, c
|
||||
WithCapabilities(c),
|
||||
WithSeccomp(daemon, c),
|
||||
withMounts(daemon, daemonCfg, c, mounts),
|
||||
withLibnetwork(daemon, &daemonCfg.Config, c),
|
||||
WithApparmor(c),
|
||||
WithSelinux(c),
|
||||
WithOOMScore(&c.HostConfig.OomScoreAdj),
|
||||
|
||||
@@ -2,6 +2,7 @@ package daemon // import "github.com/docker/docker/daemon"
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/docker/docker/container"
|
||||
"github.com/docker/docker/errdefs"
|
||||
@@ -24,7 +25,9 @@ func (daemon *Daemon) initializeCreatedTask(ctx context.Context, tsk types.Task,
|
||||
if err != nil {
|
||||
return errdefs.System(err)
|
||||
}
|
||||
return sb.FinishConfig(ctx)
|
||||
if err := sb.SetKey(ctx, fmt.Sprintf("/proc/%d/ns/net", tsk.Pid())); err != nil {
|
||||
return errdefs.System(err)
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
|
||||
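Review bot: The namespace path is built from `tsk.Pid()` with no check that the created task still has a live init process, so a zero PID, or a PID that was recycled after the init process died between task creation and this call, would make `SetKey` attach the sandbox to whatever currently owns `/proc/<pid>/ns/net` rather than to this container. A guard before the call, `if tsk.Pid() == 0 { return errdefs.System(fmt.Errorf("created task for %s has no init process", ...)) }`, closes the zero case, and a comment stating that the PID is only trusted because the task is created but not yet started would make the assumption explicit. With the prestart hook the runtime held the init process while SetKey ran; whether containerd gives an equivalent guarantee at this point is not visible from the hunk. initializeCreatedTask starts before and ends after the hunk.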
@@ -96,8 +96,12 @@ func (sb *Sandbox) updateGateway(ep *Endpoint) error {
|
||||
return fmt.Errorf("failed to set gateway while updating gateway: %v", err)
|
||||
}
|
||||
|
||||
if err := osSbox.SetGatewayIPv6(joinInfo.gw6); err != nil {
|
||||
return fmt.Errorf("failed to set IPv6 gateway while updating gateway: %v", err)
|
||||
// If IPv6 has been disabled in the sandbox a gateway may still have been
|
||||
// configured, don't attempt to apply it.
|
||||
if ipv6, _ := sb.ipv6Enabled(); ipv6 {
|
||||
if err := osSbox.SetGatewayIPv6(joinInfo.gw6); err != nil {
|
||||
return fmt.Errorf("failed to set IPv6 gateway while updating gateway: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
@@ -164,10 +168,8 @@ func (sb *Sandbox) SetKey(ctx context.Context, basePath string) error {
|
||||
}
|
||||
}
|
||||
|
||||
// Set up hosts and resolv.conf files. IPv6 support in the container can't be
|
||||
// determined yet, as sysctls haven't been applied by the runtime. Calling
|
||||
// FinishInit after the container task has been created, when sysctls have been
|
||||
// applied will regenerate these files.
|
||||
// Set up hosts and resolv.conf files.
|
||||
osSbox.RefreshIPv6LoEnabled()
|
||||
if err := sb.finishInitDNS(ctx); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -181,27 +183,6 @@ func (sb *Sandbox) SetKey(ctx context.Context, basePath string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// FinishConfig completes Sandbox configuration. If called after the container task has been
|
||||
// created, and sysctl settings applied, the configuration will be based on the container's
|
||||
// IPv6 support.
|
||||
func (sb *Sandbox) FinishConfig(ctx context.Context) error {
|
||||
if sb.config.useDefaultSandBox {
|
||||
return nil
|
||||
}
|
||||
|
||||
sb.mu.Lock()
|
||||
osSbox := sb.osSbox
|
||||
sb.mu.Unlock()
|
||||
if osSbox == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
// If sysctl changes have been made, IPv6 may have been enabled/disabled since last checked.
|
||||
osSbox.RefreshIPv6LoEnabled()
|
||||
|
||||
return sb.finishInitDNS(ctx)
|
||||
}
|
||||
|
||||
// IPv6 support can always be determined for host networking. For other network
|
||||
// types it can only be determined once there's a container namespace to probe,
|
||||
// return ok=false in that case.
|
||||
@@ -314,7 +295,12 @@ func (sb *Sandbox) populateNetworkResources(ctx context.Context, ep *Endpoint) e
|
||||
|
||||
ifaceOptions = append(ifaceOptions, osl.WithIPv4Address(i.addr), osl.WithRoutes(i.routes))
|
||||
if i.addrv6 != nil && i.addrv6.IP.To16() != nil {
|
||||
ifaceOptions = append(ifaceOptions, osl.WithIPv6Address(i.addrv6))
|
||||
// If IPv6 has been disabled in the Sandbox, an IPv6 address will still have
|
||||
// been allocated. Don't apply it, because doing so would enable IPv6 on the
|
||||
// interface.
|
||||
if ipv6, ok := sb.ipv6Enabled(); !ok || ipv6 {
|
||||
ifaceOptions = append(ifaceOptions, osl.WithIPv6Address(i.addrv6))
|
||||
}
|
||||
}
|
||||
if len(i.llAddrs) != 0 {
|
||||
ifaceOptions = append(ifaceOptions, osl.WithLinkLocalAddresses(i.llAddrs))
|
||||
|
||||
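Review bot: The two new `ipv6Enabled()` checks disagree on the "not yet determinable" case: `updateGateway` discards `ok` with `if ipv6, _ := sb.ipv6Enabled(); ipv6 {`, so when there is no namespace to probe (ok=false, per the comment above ipv6Enabled) the IPv6 gateway is silently skipped, whereas `populateNetworkResources` applies the IPv6 address with `!ok || ipv6`. If updateGateway can run before the namespace exists, a container can end up with an IPv6 address but no IPv6 default route; if it cannot, that ordering assumption should be stated. Either align the gateway condition to `if ipv6, ok := sb.ipv6Enabled(); !ok || ipv6 {` or add a comment such as `// ok is always true here: the gateway is only updated once the namespace exists.` if that holds. Both enclosing functions start and end outside their hunks.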