Skip to content

use /proc/thread-self for mounting network namespace#45682

Closed
spikecurtis wants to merge 1 commit intomoby:masterfrom
spikecurtis:45681-thread-mount-namespace
Closed

use /proc/thread-self for mounting network namespace#45682
spikecurtis wants to merge 1 commit intomoby:masterfrom
spikecurtis:45681-thread-mount-namespace

Conversation

@spikecurtis
Copy link
Copy Markdown

@spikecurtis spikecurtis commented Jun 2, 2023
edited by thaJeztah
Loading

- What I did

Fixes an issue where --net=host runs would fail if Docker is run within a sysbox container.

- How I did it

--net=host mounts the network namespace without using unshare, but the code uses a call to unix.Gettid() for the thread ID, builds the /proc path from it, then issues the syscall. Without unshare code on the same goroutine can be run on different OS threads, and it appears the syscall is run on a different thread and fails.

We can simplify and fix the logic by using /proc/thread-self instead of querying for the threadID.

- How to verify it

c.f. repro steps in #45681

- Description for the changelog

fixed an issue where --net=host would fail in restricted environments, for example sysbox

- A picture of a cute animal (not mandatory but encouraged)

IMG_1673

@thaJeztah thaJeztah requested a review from corhere June 2, 2023 09:45
@thaJeztah thaJeztah added this to the 25.0.0 milestone Jun 2, 2023
@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Jun 2, 2023

@corhere PTAL

/cc @ctalledo

corhere
corhere requested changes Jun 2, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@corhere corhere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/proc/thread-self does not exist on the oldest kernels we support so cannot be used

@corhere
Copy link
Copy Markdown
Contributor

corhere commented Jun 2, 2023

If mounting one thread's netns from another thread is the problem, use runtime.LockOSThread() to guarantee that the goroutine is running on the same thread for both the gettid and the mount call.

@spikecurtis
Copy link
Copy Markdown
Author

spikecurtis commented Jun 5, 2023

Tried with runtime.LockOSThread() and this unfortunately doesn't resolve the issue with sysbox. It's a mystery to my why /proc/thread-self works, but not /proc/self/task/<tid> with the correct thread ID.

I think that means my theory for what's wrong is false, so closing this PR.

@spikecurtis spikecurtis closed this Jun 5, 2023
@thaJeztah thaJeztah removed this from the 25.0.0 milestone Jun 26, 2023
@thaJeztah thaJeztah mentioned this pull request Oct 27, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@corhere corhere corhere requested changes

Assignees

No one assigned

Labels

area/networking Networking kind/bugfix PR's that fix bugs status/2-code-review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

--net=host fails for Docker-in-Docker with sysbox

3 participants

@spikecurtis @thaJeztah @corhere