
daemon: set libnetwork sandbox key w/o OCI hook

Signed-off-by: Cory Snider <csnider@mirantis.com>

Cory Snider authored on 2022/11/02 04:21:37
Showing 6 changed files
... ...
@@ -23,7 +23,6 @@ import (
23 23
 	"github.com/docker/docker/oci/caps"
24 24
 	"github.com/docker/docker/pkg/idtools"
25 25
 	"github.com/docker/docker/pkg/rootless/specconv"
26
-	"github.com/docker/docker/pkg/stringid"
27 26
 	volumemounts "github.com/docker/docker/volume/mounts"
28 27
 	"github.com/moby/sys/mount"
29 28
 	"github.com/moby/sys/mountinfo"
... ...
@@ -61,28 +60,6 @@ func withRlimits(daemon *Daemon, daemonCfg *dconfig.Config, c *container.Contain
61 61
 	}
62 62
 }
63 63
 
64
-// withLibnetwork sets the libnetwork hook
65
-func withLibnetwork(daemon *Daemon, daemonCfg *dconfig.Config, c *container.Container) coci.SpecOpts {
66
-	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
67
-		if c.Config.NetworkDisabled {
68
-			return nil
69
-		}
70
-		for _, ns := range s.Linux.Namespaces {
71
-			if ns.Type == specs.NetworkNamespace && ns.Path == "" {
72
-				if s.Hooks == nil {
73
-					s.Hooks = &specs.Hooks{}
74
-				}
75
-				shortNetCtlrID := stringid.TruncateID(daemon.netController.ID())
76
-				s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{
77
-					Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
78
-					Args: []string{"libnetwork-setkey", "-exec-root=" + daemonCfg.GetExecRoot(), c.ID, shortNetCtlrID},
79
-				})
80
-			}
81
-		}
82
-		return nil
83
-	}
84
-}
85
-
86 64
 // withRootless sets the spec to the rootless configuration
87 65
 func withRootless(daemon *Daemon, daemonCfg *dconfig.Config) coci.SpecOpts {
88 66
 	return func(_ context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
... ...
@@ -1070,7 +1047,6 @@ func (daemon *Daemon) createSpec(ctx context.Context, daemonCfg *configStore, c
1070 1070
 		WithCapabilities(c),
1071 1071
 		WithSeccomp(daemon, c),
1072 1072
 		withMounts(daemon, daemonCfg, c, mounts),
1073
-		withLibnetwork(daemon, &daemonCfg.Config, c),
1074 1073
 		WithApparmor(c),
1075 1074
 		WithSelinux(c),
1076 1075
 		WithOOMScore(&c.HostConfig.OomScoreAdj),
... ...
@@ -236,6 +236,10 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
236 236
 		}
237 237
 	}()
238 238
 
239
+	if err := daemon.initializeCreatedTask(ctx, tsk, container, spec); err != nil {
240
+		return err
241
+	}
242
+
239 243
 	if err := tsk.Start(context.TODO()); err != nil { // passing ctx caused integration tests to be stuck in the cleanup phase
240 244
 		return setExitCodeFromError(container.SetExitCode, err)
241 245
 	}
242 246
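Review bot: A failure of `initializeCreatedTask` on the added lines is returned as `err` unchanged, whereas the `tsk.Start` failure immediately below goes through `setExitCodeFromError(container.SetExitCode, err)`; if callers rely on the container's exit code being recorded whenever a start attempt fails after the task exists, the new branch should take the same path, `return setExitCodeFromError(container.SetExitCode, err)`. The deferred cleanup whose closing `}()` opens this hunk begins outside it, so I could not confirm it deletes the already-created task on this new early return; that is worth checking, since the task has been created by this point. `containerStart` continues outside the hunk.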
new file mode 100644
... ...
@@ -0,0 +1,31 @@
0
+package daemon // import "github.com/docker/docker/daemon"
1
+
2
+import (
3
+	"context"
4
+	"fmt"
5
+
6
+	specs "github.com/opencontainers/runtime-spec/specs-go"
7
+
8
+	"github.com/docker/docker/container"
9
+	"github.com/docker/docker/errdefs"
10
+	"github.com/docker/docker/libcontainerd/types"
11
+	"github.com/docker/docker/oci"
12
+)
13
+
14
+// initializeCreatedTask performs any initialization that needs to be done to
15
+// prepare a freshly-created task to be started.
16
+func (daemon *Daemon) initializeCreatedTask(ctx context.Context, tsk types.Task, container *container.Container, spec *specs.Spec) error {
17
+	if !container.Config.NetworkDisabled {
18
+		nspath, ok := oci.NamespacePath(spec, specs.NetworkNamespace)
19
+		if ok && nspath == "" { // the runtime has been instructed to create a new network namespace for tsk.
20
+			sb, err := daemon.netController.GetSandbox(container.ID)
21
+			if err != nil {
22
+				return errdefs.System(err)
23
+			}
24
+			if err := sb.SetKey(fmt.Sprintf("/proc/%d/ns/net", tsk.Pid())); err != nil {
25
+				return errdefs.System(err)
26
+			}
27
+		}
28
+	}
29
+	return nil
30
+}
0 31
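Review bot: The doc comment on `initializeCreatedTask` does not state the precondition the body depends on: the key passed to `sb.SetKey` is `/proc/<pid>/ns/net` built from `tsk.Pid()`, which only names the container's namespace while that init process is alive and not yet started (the caller in `containerStart` invokes this between task creation and `tsk.Start`). Presumably a created task's init is parked until `Start`, so the path resolves here, but if the process could already have exited the PID may have been reused and the key would later name an unrelated process's namespace when the sandbox bind-mounts it (see the `mountNetworkNamespace` change in this commit) — worth confirming. I would extend the comment with `// It must be called after the task is created and before it is started, while the task's init process (tsk.Pid()) is alive, because the network sandbox key is derived from that PID.` The two error returns could also carry context, e.g. `return errdefs.System(fmt.Errorf("setting network sandbox key for container %s: %w", container.ID, err))`, since `errdefs.System(err)` alone does not say which container or step failed.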
new file mode 100644
... ...
@@ -0,0 +1,17 @@
0
+//go:build !linux
1
+
2
+package daemon // import "github.com/docker/docker/daemon"
3
+
4
+import (
5
+	"context"
6
+
7
+	"github.com/docker/docker/container"
8
+	"github.com/docker/docker/libcontainerd/types"
9
+	specs "github.com/opencontainers/runtime-spec/specs-go"
10
+)
11
+
12
+// initializeCreatedTask performs any initialization that needs to be done to
13
+// prepare a freshly-created task to be started.
14
+func (daemon *Daemon) initializeCreatedTask(ctx context.Context, tsk types.Task, container *container.Container, spec *specs.Spec) error {
15
+	return nil
16
+}
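Review bot: The doc comment on this `!linux` `initializeCreatedTask` is copied from the Linux version and says it "performs any initialization", but the body is a no-op; the comment should say so, e.g. `// initializeCreatedTask is a no-op on non-Linux platforms; there is no network sandbox key to set here.` The `specs` import is grouped with the in-repo imports in this file while the Linux file keeps it in its own group; matching the two avoids goimports churn later.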
... ...
@@ -226,7 +226,11 @@ func NewSandbox(key string, osCreate, isRestore bool) (*Namespace, error) {
226 226
 }
227 227
 
228 228
 func mountNetworkNamespace(basePath string, lnPath string) error {
229
-	return syscall.Mount(basePath, lnPath, "bind", syscall.MS_BIND, "")
229
+	err := syscall.Mount(basePath, lnPath, "bind", syscall.MS_BIND, "")
230
+	if err != nil {
231
+		return fmt.Errorf("bind-mount %s -> %s: %w", basePath, lnPath, err)
232
+	}
233
+	return nil
230 234
 }
231 235
 
232 236
 // GetSandboxForExternalKey returns sandbox object for the supplied path
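Review bot: The new error message in `mountNetworkNamespace` formats both paths with `%s`, so an empty or whitespace-containing `basePath`/`lnPath` is invisible in the log line; `%q` shows it: `return fmt.Errorf("bind-mount %q -> %q: %w", basePath, lnPath, err)`. The import block is outside the hunk, so I could not confirm `fmt` is already imported in this file.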
... ...
@@ -14,3 +14,14 @@ func RemoveNamespace(s *specs.Spec, nsType specs.LinuxNamespaceType) {
14 14
 		}
15 15
 	}
16 16
 }
17
+
18
+// NamespacePath returns the configured Path of the first namespace in
19
+// s.Linux.Namespaces of type nsType.
20
+func NamespacePath(s *specs.Spec, nsType specs.LinuxNamespaceType) (path string, ok bool) {
21
+	for _, n := range s.Linux.Namespaces {
22
+		if n.Type == nsType {
23
+			return n.Path, true
24
+		}
25
+	}
26
+	return "", false
27
+}
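Review bot: `NamespacePath` dereferences `s.Linux` without a nil check, so a spec with no Linux section (or a nil spec) panics instead of reporting absence; since the helper is exported from package `oci`, a guard before the loop is worth the two lines: `if s == nil || s.Linux == nil { return "", false }`. The tail of `RemoveNamespace` above suggests the same assumption there, but its body starts outside the hunk. The doc comment should also state the second result, e.g. `// ok is false when no namespace of type nsType is configured.`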