Skip to content

[Carry 2535] rootless: support detach-netns mode#2723

Merged
AkihiroSuda merged 4 commits intocontainerd:mainfrom
AkihiroSuda:detach-netns
Jan 31, 2024
Merged

[Carry 2535] rootless: support detach-netns mode#2723
AkihiroSuda merged 4 commits intocontainerd:mainfrom
AkihiroSuda:detach-netns

Conversation

@AkihiroSuda
Copy link
Copy Markdown
Member

@AkihiroSuda AkihiroSuda commented Jan 1, 2024
edited
Loading

When RootlessKit v2.0 (rootless-containers/rootlesskit#379) is installed, containerd-rootless.sh launches it with --detach-netns so as to run the daemon in the host network namespace.

This will enable:

  • Accelerated (and deflaked) nerdctl pull, nerdctl push, nerdctl build, etc
  • Proper support for nerdctl pull 127.0.0.1:.../...
  • Proper support for nerdctl run --net=host

Replaces Fahed Dorgaa's PR #2535
Fixes #814
Fixes #86

Note

Rootless containerd recognizes the following environment variables to configure the behavior of RootlessKit:

  • ...
  • CONTAINERD_ROOTLESS_ROOTLESSKIT_DETACH_NETNS=(auto|true|false): whether to launch rootlesskit with the "detach-netns" mode.
    Defaults to "auto", which is resolved to "true" if RootlessKit >= 2.0 is installed.
    The "detached-netns" mode accelerates nerdctl (pull|push|build) and enables nerdctl run --net=host,
    however, there is a relatively minor drawback with BuildKit prior to v0.13:
    the host loopback IP address (127.0.0.1) is exposed to Dockerfile's "RUN" instructions during nerdctl build (not nerdctl run).
    The drawback is fixed in BuildKit v0.13. Upgrading from a prior version of BuildKit needs removing the old systemd unit:
    containerd-rootless-setuptool.sh uninstall-buildkit && rm -f ~/.config/buildkit/buildkitd.toml

To set these variables, create ~/.config/systemd/user/containerd.service.d/override.conf as follows:

[Service]
Environment=CONTAINERD_ROOTLESS_ROOTLESSKIT_DETACH_NETNS="false"

And then run the following commands:

systemctl --user daemon-reload
systemctl --user restart containerd

https://github.com/containerd/nerdctl/blob/main/docs/rootless.md

@AkihiroSuda AkihiroSuda added this to the v1.8, maybe v2.0 milestone Jan 1, 2024
@AkihiroSuda AkihiroSuda mentioned this pull request Jan 1, 2024
Closed
@AkihiroSuda AkihiroSuda force-pushed the detach-netns branch 3 times, most recently from 752703f to 5119337 Compare January 1, 2024 02:54
@AkihiroSuda

This comment was marked as resolved.

Sign in to view
@AkihiroSuda AkihiroSuda force-pushed the detach-netns branch 2 times, most recently from b0df933 to 18acfa9 Compare January 2, 2024 00:35
@AkihiroSuda

This comment was marked as resolved.

Sign in to view
@AkihiroSuda AkihiroSuda force-pushed the detach-netns branch 3 times, most recently from 79513ca to fd56c62 Compare January 4, 2024 06:15
@AkihiroSuda

This comment was marked as resolved.

Sign in to view
@AkihiroSuda AkihiroSuda force-pushed the detach-netns branch 2 times, most recently from 3d57868 to fd2ed9c Compare January 4, 2024 07:30
AkihiroSuda
AkihiroSuda commented Jan 4, 2024
View reviewed changes
Comment thread extras/rootless/containerd-rootless.sh Outdated
# The "detached-netns" mode accelerates `nerdctl (pull|push|build)` and enables `nerdctl run --net=host`,
# however, there is a relatively minor drawback with the current version of BuildKit:
# the host loopback IP address (127.0.0.1) is exposed to Dockerfile's "RUN" instructions during `nerdctl build` (not `nerdctl run`).
# If you want to hide 127.0.0.1 from "RUN" instructions, you should set CONTAINERD_ROOTLESS_ROOTLESSKIT_DETACH_NETNS to "false".
Copy link
Copy Markdown
Member Author

@AkihiroSuda AkihiroSuda Jan 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@containerd/nerdctl-maintainers

This is kinda breaking change.
Let me know we should release this as "nerdctl v2.0" (ahead of containerd v2.0), or we can just stick to "nerdctl v1.8".
I'm leaning toward to the former one.

Copy link
Copy Markdown
Member

@ktock ktock Jan 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nerdctl v2.0

SGTM

Copy link
Copy Markdown
Member

@fahedouch fahedouch Jan 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nerdctl v2.0

SGTM

@AkihiroSuda AkihiroSuda modified the milestones: v2.0.1, v2.0.0 (tentative) Jan 4, 2024
@AkihiroSuda AkihiroSuda mentioned this pull request Jan 4, 2024
Closed
@AkihiroSuda AkihiroSuda marked this pull request as ready for review January 4, 2024 08:31
@AkihiroSuda AkihiroSuda mentioned this pull request Jan 5, 2024
Closed
@AkihiroSuda AkihiroSuda requested a review from fahedouch January 8, 2024 09:51
@AkihiroSuda AkihiroSuda mentioned this pull request Jan 11, 2024
Merged
@AkihiroSuda AkihiroSuda force-pushed the detach-netns branch 3 times, most recently from cebf66f to 5d31647 Compare January 15, 2024 01:38
@AkihiroSuda AkihiroSuda mentioned this pull request Jan 15, 2024
Merged
@AkihiroSuda AkihiroSuda requested review from a team January 17, 2024 23:52
fahedouch
fahedouch reviewed Jan 18, 2024
View reviewed changes
Comment thread docs/rootless.md Outdated
Comment thread extras/rootless/containerd-rootless-setuptool.sh
Comment thread extras/rootless/containerd-rootless.sh Outdated
# The "detached-netns" mode accelerates `nerdctl (pull|push|build)` and enables `nerdctl run --net=host`,
# however, there is a relatively minor drawback with the current version of BuildKit:
# the host loopback IP address (127.0.0.1) is exposed to Dockerfile's "RUN" instructions during `nerdctl build` (not `nerdctl run`).
# If you want to hide 127.0.0.1 from "RUN" instructions, you should set CONTAINERD_ROOTLESS_ROOTLESSKIT_DETACH_NETNS to "false".
Copy link
Copy Markdown
Member

@fahedouch fahedouch Jan 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nerdctl v2.0

SGTM

Comment thread pkg/cmd/container/create.go Outdated
fahedouch
fahedouch reviewed Jan 18, 2024
View reviewed changes
Comment thread pkg/cmd/container/create.go
@AkihiroSuda AkihiroSuda mentioned this pull request Jan 18, 2024
Closed
fahedouch
fahedouch reviewed Jan 18, 2024
View reviewed changes
Comment thread pkg/netutil/subnet/subnet.go
var addrs []net.Addr
if err := rootlessutil.WithDetachedNetNSIfAny(func() error {
var err2 error
addrs, err2 = net.InterfaceAddrs()
Copy link
Copy Markdown
Member

@fahedouch fahedouch Jan 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I think this is what I was missing in my PR; I wasn't pointing to the right IP addresses, right? It's not an issue with runc as we discussed in Chicago.

@fahedouch
Copy link
Copy Markdown
Member

fahedouch commented Jan 18, 2024

thanks @AkihiroSuda

LGTM overall, just this small typo

Thanks again for taking the time to address this feature

@AkihiroSuda AkihiroSuda mentioned this pull request Jan 18, 2024
Merged
@AkihiroSuda
Copy link
Copy Markdown
Member Author

AkihiroSuda commented Jan 19, 2024

Will rebase when BuildKit v0.13 beta2 is released

@AkihiroSuda AkihiroSuda force-pushed the detach-netns branch 2 times, most recently from 6994e39 to d3d2da7 Compare January 31, 2024 03:25
@AkihiroSuda AkihiroSuda requested a review from ktock January 31, 2024 03:27
AkihiroSuda and others added 3 commits January 31, 2024 14:43
@AkihiroSuda
update BuildKit (0.13.0-beta2)
58cc30c 
Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda
update RootlessKit (2.0.0)
328497a 
Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda @fahedouch
[Carry 2535] rootless: support detach-netns mode
4892364 
When RootlessKit v2.0 (rootless-containers/rootlesskit PR 379) is
installed, `containerd-rootless.sh` launches it with `--detach-netns`
so as to run the daemon in the host network namespace.

This will enable:
- Accelerated (and deflaked) `nerdctl pull`, `nerdctl push`, `nerdctl build`, etc
- Proper support for `nerdctl pull 127.0.0.1:.../...`
- Proper support for `nerdctl run --net=host`

Replaces Fahed Dorgaa's PR 2535

Co-authored-by: fahed dorgaa <[email protected]>
Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda AkihiroSuda merged commit 9102092 into containerd:main Jan 31, 2024
@fahedouch fahedouch mentioned this pull request Feb 24, 2024
Closed
apostasie
apostasie reviewed Jul 12, 2024
View reviewed changes
Comment thread extras/rootless/containerd-rootless.sh
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fahedouch fahedouch fahedouch approved these changes

@ktock ktock ktock approved these changes

+1 more reviewer

@apostasie apostasie apostasie left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/rootless Rootless mode impact/changelog

Projects

None yet

Milestone

v2.0.0

Development

Successfully merging this pull request may close these issues.

rootless: run the puller/pusher in the host netns (but still in the userns) rootless: provide workaround for nerdctl pull 127.0.0.1:5000/foo

4 participants

@AkihiroSuda @fahedouch @ktock @apostasie