Skip to content

cniprovider: support rootlesskit --detach-netns (RootlessKit v2) #4546

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 18, 2024
Merged

cniprovider: support rootlesskit --detach-netns (RootlessKit v2) #4546

merged 2 commits into from
Jan 18, 2024

Conversation

AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Jan 11, 2024
edited
Loading

RootlessKit v2 added the support for --detach-netns mode.

This leaves containerd and buildkitd in the host netns so as to:

  • Eliminate the slirp overhead for pull/push
  • Allow accessing the real localhost registry.

Since rootless users has no CAP_NET_ADMIN in the host netns, CNI plugins have to be executed in the "detached" netns ($ROOTLESSKIT_STATE_DIR/netns) that is associated with slirp.

ref:

@AkihiroSuda AkihiroSuda added the area/rootless rootless mode label Jan 11, 2024
@AkihiroSuda AkihiroSuda added this to the v0.13 milestone Jan 11, 2024
@AkihiroSuda AkihiroSuda mentioned this pull request Jan 11, 2024
Open
@AkihiroSuda AkihiroSuda mentioned this pull request Jan 11, 2024
Merged
@AkihiroSuda AkihiroSuda force-pushed the detach-netns branch 3 times, most recently from c389b7f to 1dcd54c Compare January 17, 2024 02:03
@AkihiroSuda
Copy link
Member Author

Rebased

@AkihiroSuda
Copy link
Member Author

@tonistiigi Can we have a new beta after merging this?

@AkihiroSuda
cniprovider: support rootlesskit --detach-netns (RootlessKit v2)
b2a2abf 
RootlessKit v2 added the support for `--detach-netns` mode.

This leaves containerd and buildkitd in the host netns so as to:
- Eliminate the slirp overhead for pull/push
- Allow accessing the real localhost registry.

Since rootless users has no `CAP_NET_ADMIN` in the host netns,
CNI plugins have to be executed in the "detached" netns (`$ROOTLESSKIT_STATE_DIR/netns`)
that is associated with slirp.

ref:
- rootless-containers/rootlesskit PR 379
- containerd/nerdctl PR 2723

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
CI: add oci-rootless-slirp4netns-detachnetns
d844974 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
Copy link
Member Author

Rebased

@tonistiigi tonistiigi merged commit 016b559 into moby:master Jan 18, 2024
@jedevc jedevc mentioned this pull request Jan 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tonistiigi tonistiigi tonistiigi approved these changes

Assignees
No one assigned
Labels
area/rootless rootless mode
Projects
None yet
Milestone
v0.13.0
Development

Successfully merging this pull request may close these issues.
3 participants
@AkihiroSuda @tonistiigi @jedevc