net=host: remove /var/run/docker/netns/default from OCI config #47101
thaJeztah merged 1 commit into moby:master
Prior to this commit, a container running with `--net=host` had
`{"type":"network","path":"/var/run/docker/netns/default"}` in
the `.linux.namespaces` field of the OCI Runtime Config,
but this wasn't needed.
Close issue 47100
Signed-off-by: Akihiro Suda <[email protected]>
9a5c783 to ed15f1d
| case networkMode.IsHost(): | ||
| setNamespace(s, specs.LinuxNamespace{ | ||
| Type: specs.NetworkNamespace, | ||
| Path: c.NetworkSettings.SandboxKey, |
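Review bot: nothing in the `networkMode.IsHost()` case pins what ends up in the generated spec, so the `Path: c.NetworkSettings.SandboxKey` entry could return unnoticed. Suggest a test that builds the spec for a `--net=host` container and asserts that `.linux.namespaces` has no `network` entry and no reference to `/var/run/docker/netns/default`, matching the behaviour the commit message describes.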
Not for this PR, but we should probably look if that magic default SandboxKey is actually still serving any purpose, or if such containers should just not have a SandboxKey set.
(We may need to have a close look for Windows as well on that matter; perhaps there's some other rules there)
Looking at the code in this area; I wonder how we handle Lines 269 to 277 in 4f9c865
The latter one seems correct (tested with Docker 24.0.7)
```console
$ docker run --name=c0 -d --net=host alpine sleep infinity
d4545f1bb639a5f7410566c757527e39a4ee9bf07f1ea6cb12dec96ce0aaa7d6
$ docker run -it --rm --net=container:c0 alpine
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 52:55:55:d5:a8:b8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.15/24 brd 192.168.5.255 scope global dynamic eth0
       valid_lft 86309sec preferred_lft 86309sec
    inet6 fec0::5055:55ff:fed5:a8b8/64 scope site dynamic noprefixroute flags 100
       valid_lft 86310sec preferred_lft 14310sec
    inet6 fe80::5055:55ff:fed5:a8b8/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 02:42:05:94:03:47 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
```
This still continues to work with the current revision of the PR (ed15f1d)
thaJeztah left a comment
LGTM.
It makes a lot of sense to me to not create a namespace for a container that doesn't have one, but would love to have some eyes from @akerouanton and @robmry to check if there's something I didn't consider.
akerouanton left a comment
I can't think of a use case where this "default" netns is needed. LGTM.
@akerouanton this one good / safe to take for v25.0?
Yeah, I believe it's safe to release in v25.
Thanks! Just double-checking in case I overlooked things 🤗 Let's bring this one in 👍
- What I did
`--net=host`: remove `/var/run/docker/netns/default` from OCI Runtime Config #47100
Prior to this commit, a container running with `--net=host` had `{"type":"network","path":"/var/run/docker/netns/default"}` in the `.linux.namespaces` field of the OCI Runtime Config, but this wasn't needed.
- How I did it
`oci.RemoveNamespace(s, specs.NetworkNamespace)` when `networkMode.isHost()`
- How to verify it
`docker run --net=host` still works, `ip a` in a container shows the host network interfaces, and the `config.json` has no reference to `/var/run/docker/netns/default`
- Description for the changelog
net=host: remove `/var/run/docker/netns/default` from OCI config
- A picture of a cute animal (not mandatory but encouraged)
🐧
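The `config.json` check from "How to verify it", as an added example (not part of this PR or of moby's code): it classifies how an OCI runtime config sets up the network namespace. The helper `netnsMode` and the three sample configs are constructed for illustration. It relies on the OCI runtime spec rule that a namespace type absent from `.linux.namespaces` is inherited from the runtime, an entry without `path` creates a new namespace, and an entry with `path` joins an existing one.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ociSpec mirrors only the part of an OCI runtime config.json needed here.
type ociSpec struct {
	Linux struct {
		Namespaces []struct {
			Type string `json:"type"`
			Path string `json:"path,omitempty"`
		} `json:"namespaces"`
	} `json:"linux"`
}

// netnsMode (hypothetical helper) reports the network namespace setup:
// "inherit" = no network entry, the container stays in the runtime's netns;
// "new" = entry without path; "join:<path>" = entry naming an existing netns.
func netnsMode(config []byte) (string, error) {
	var s ociSpec
	if err := json.Unmarshal(config, &s); err != nil {
		return "", err
	}
	for _, ns := range s.Linux.Namespaces {
		if ns.Type != "network" {
			continue
		}
		if ns.Path == "" {
			return "new", nil
		}
		return "join:" + ns.Path, nil
	}
	return "inherit", nil
}

// Constructed sample configs, trimmed to the namespaces field.
const before = `{"linux":{"namespaces":[{"type":"mount"},{"type":"network","path":"/var/run/docker/netns/default"}]}}`
const after = `{"linux":{"namespaces":[{"type":"mount"},{"type":"pid"}]}}`
const private = `{"linux":{"namespaces":[{"type":"mount"},{"type":"network"}]}}`

func main() {
	for _, c := range [][2]string{{"before", before}, {"after", after}, {"private", private}} {
		mode, err := netnsMode([]byte(c[1]))
		fmt.Println(c[0], mode, err)
	}
}
```

For a `--net=host` container built with this change, the expected result is `inherit`; a `join:` result naming `/var/run/docker/netns/default` indicates the pre-change behaviour.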