This reverts commit 70050681f75a89c289ff685c35dc735a581e4e15.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
| ... | ... |
@@ -61,6 +61,7 @@ func (iface *lnInterface) init(c *libnetwork.Controller, n *libnetwork.Network) |
| 61 | 61 |
sbx, err := c.NewSandbox( |
| 62 | 62 |
context.TODO(), |
| 63 | 63 |
id, |
| 64 |
+ libnetwork.OptionUseExternalKey(), |
|
| 64 | 65 |
libnetwork.OptionHostsPath(filepath.Join(iface.provider.Root, id, "hosts")), |
| 65 | 66 |
libnetwork.OptionResolvConfPath(filepath.Join(iface.provider.Root, id, "resolv.conf")), |
| 66 | 67 |
) |
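Review bot: The added `libnetwork.OptionUseExternalKey()` has no comment at the call site, yet it makes this sandbox depend on a namespace key supplied from outside, which on this page appears to be the `libnetwork-setkey` prestart hook restored in `Set`. A one-line comment above the option would keep the two halves linked, for example `// netns key is provided by the libnetwork-setkey prestart hook installed in Set`. It is also worth confirming that a failed or missing hook surfaces as an error rather than leaving the build container without its intended network namespace; that path is not visible here. The body of `init` continues outside the hunk.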
| ... | ... |
@@ -2,9 +2,9 @@ package buildkit |
| 2 | 2 |
|
| 3 | 3 |
import ( |
| 4 | 4 |
"context" |
| 5 |
- "fmt" |
|
| 6 | 5 |
"os" |
| 7 | 6 |
"path/filepath" |
| 7 |
+ "strconv" |
|
| 8 | 8 |
|
| 9 | 9 |
"github.com/containerd/log" |
| 10 | 10 |
"github.com/moby/buildkit/executor" |
| ... | ... |
@@ -12,6 +12,7 @@ import ( |
| 12 | 12 |
"github.com/moby/buildkit/executor/runcexecutor" |
| 13 | 13 |
"github.com/moby/buildkit/solver/pb" |
| 14 | 14 |
"github.com/moby/buildkit/util/network" |
| 15 |
+ "github.com/moby/moby/v2/daemon/internal/stringid" |
|
| 15 | 16 |
"github.com/opencontainers/runtime-spec/specs-go" |
| 16 | 17 |
) |
| 17 | 18 |
|
| ... | ... |
@@ -80,30 +81,13 @@ func (iface *lnInterface) Set(s *specs.Spec) error {
|
| 80 | 80 |
log.G(context.TODO()).WithError(iface.err).Error("failed to set networking spec")
|
| 81 | 81 |
return iface.err |
| 82 | 82 |
} |
| 83 |
- nsPath, ok := iface.sbx.NetnsPath() |
|
| 84 |
- if !ok {
|
|
| 85 |
- return fmt.Errorf("buildkit sandbox %s has no network namespace", iface.sbx.ContainerID())
|
|
| 83 |
+ shortNetCtlrID := stringid.TruncateID(iface.provider.Controller.ID()) |
|
| 84 |
+ // attach netns to bridge within the container namespace, using reexec in a prestart hook |
|
| 85 |
+ s.Hooks = &specs.Hooks{
|
|
| 86 |
+ Prestart: []specs.Hook{{
|
|
| 87 |
+ Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
|
|
| 88 |
+ Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().ExecRoot, iface.sbx.ContainerID(), shortNetCtlrID},
|
|
| 89 |
+ }}, |
|
| 86 | 90 |
} |
| 87 |
- // Tell runc to join the daemon-owned netns instead of creating a new one. |
|
| 88 |
- // This replaces the previous approach of using a "libnetwork-setkey" reexec |
|
| 89 |
- // prestart hook that bind-mounted /proc/<pid>/ns/net after container creation. |
|
| 90 |
- return setLinuxNamespace(s, specs.LinuxNamespace{
|
|
| 91 |
- Type: specs.NetworkNamespace, |
|
| 92 |
- Path: nsPath, |
|
| 93 |
- }) |
|
| 94 |
-} |
|
| 95 |
- |
|
| 96 |
-// setLinuxNamespace sets or replaces a namespace entry in the OCI spec. |
|
| 97 |
-func setLinuxNamespace(s *specs.Spec, ns specs.LinuxNamespace) error {
|
|
| 98 |
- for i, n := range s.Linux.Namespaces {
|
|
| 99 |
- if n.Type == ns.Type {
|
|
| 100 |
- if n.Path != "" {
|
|
| 101 |
- return fmt.Errorf("network namespace already set to %s", n.Path)
|
|
| 102 |
- } |
|
| 103 |
- s.Linux.Namespaces[i] = ns |
|
| 104 |
- return nil |
|
| 105 |
- } |
|
| 106 |
- } |
|
| 107 |
- s.Linux.Namespaces = append(s.Linux.Namespaces, ns) |
|
| 108 | 91 |
return nil |
| 109 | 92 |
} |
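Review bot: `s.Hooks = &specs.Hooks{...}` in `Set` replaces the whole hooks struct, so any hook already on the spec when `Set` runs is silently dropped, whereas the removed `setLinuxNamespace` returned an error rather than overwriting an existing value. Appending would keep earlier hooks: `if s.Hooks == nil { s.Hooks = &specs.Hooks{} }` followed by `s.Hooks.Prestart = append(s.Hooks.Prestart, hook)`. Per the OCI runtime spec, prestart hooks run in the runtime namespace, so this re-executes the daemon binary via `/proc/<pid>/exe` with the daemon's privileges; the comment above the hook should say so and record why the join-existing-netns approach was reverted, since the commit message gives no reason. `Prestart` is also deprecated in the OCI runtime spec in favour of `createRuntime`, though whether the runtime used here honours the newer hook is not visible on this page.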