Re-remove the SetKey OCI prestart hook

robmry · robmry · commit 933fcc981418 · 2024-11-05T10:00:09.000Z
Second attempt to stop using the OCI prestart hook to call SetKey
to set up the OS Sandbox's key and perform network config in the
new network namespace.

The first attempt was reverted because it made it impossible to
use --sysctl to set per-interface sysctls on an interface that had
not yet been moved into the new network namespace.

Now, per-interface sysctls can be used to do that (with less
ambiguity because the setting is not tied to the interface using
an unpredictably assigned name).

Signed-off-by: Rob Murray &lt;rob.murray@docker.com&gt;
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
@@ -17,13 +17,11 @@ import (
 	"github.com/docker/docker/container"
 	dconfig "github.com/docker/docker/daemon/config"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/internal/otelutil"
 	"github.com/docker/docker/internal/rootless/mountopts"
 	"github.com/docker/docker/internal/rootless/specconv"
 	"github.com/docker/docker/oci"
 	"github.com/docker/docker/oci/caps"
 	"github.com/docker/docker/pkg/idtools"
-	"github.com/docker/docker/pkg/stringid"
 	volumemounts "github.com/docker/docker/volume/mounts"
 	"github.com/moby/sys/mount"
 	"github.com/moby/sys/mountinfo"
@@ -32,7 +30,6 @@ import (
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
-	"go.opentelemetry.io/otel"
 )
 
 const inContainerInitPath = "/sbin/" + dconfig.DefaultInitBinary
@@ -62,33 +59,6 @@ func withRlimits(daemon *Daemon, daemonCfg *dconfig.Config, c *container.Contain
 	}
 }
 
-// withLibnetwork sets the libnetwork hook
-func withLibnetwork(daemon *Daemon, daemonCfg *dconfig.Config, c *container.Container) coci.SpecOpts {
-	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
-		if c.Config.NetworkDisabled {
-			return nil
-		}
-		for _, ns := range s.Linux.Namespaces {
-			if ns.Type == specs.NetworkNamespace && ns.Path == "" {
-				if s.Hooks == nil {
-					s.Hooks = &specs.Hooks{}
-				}
-				shortNetCtlrID := stringid.TruncateID(daemon.netController.ID())
-
-				var carrier otelutil.EnvironCarrier
-				otel.GetTextMapPropagator().Inject(ctx, &carrier)
-
-				s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{ //nolint:staticcheck // FIXME(thaJeztah); replace prestart hook with a non-deprecated one.
-					Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
-					Env:  carrier.Environ(),
-					Args: []string{"libnetwork-setkey", "-exec-root=" + daemonCfg.GetExecRoot(), c.ID, shortNetCtlrID},
-				})
-			}
-		}
-		return nil
-	}
-}
-
 // withRootless sets the spec to the rootless configuration
 func withRootless(daemon *Daemon, daemonCfg *dconfig.Config) coci.SpecOpts {
 	return func(_ context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
@@ -1038,7 +1008,6 @@ func (daemon *Daemon) createSpec(ctx context.Context, daemonCfg *configStore, c
 		WithCapabilities(c),
 		WithSeccomp(daemon, c),
 		withMounts(daemon, daemonCfg, c, mounts),
-		withLibnetwork(daemon, &daemonCfg.Config, c),
 		WithApparmor(c),
 		WithSelinux(c),
 		WithOOMScore(&c.HostConfig.OomScoreAdj),
diff --git a/daemon/start_linux.go b/daemon/start_linux.go
@@ -2,6 +2,7 @@ package daemon // import "github.com/docker/docker/daemon"
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/errdefs"
@@ -24,7 +25,9 @@ func (daemon *Daemon) initializeCreatedTask(ctx context.Context, tsk types.Task,
 			if err != nil {
 				return errdefs.System(err)
 			}
-			return sb.FinishConfig(ctx)
+			if err := sb.SetKey(ctx, fmt.Sprintf("/proc/%d/ns/net", tsk.Pid())); err != nil {
+				return errdefs.System(err)
+			}
 		}
 	}
 	return nil
diff --git a/libnetwork/sandbox_linux.go b/libnetwork/sandbox_linux.go
@@ -96,8 +96,12 @@ func (sb *Sandbox) updateGateway(ep *Endpoint) error {
 		return fmt.Errorf("failed to set gateway while updating gateway: %v", err)
 	}
 
-	if err := osSbox.SetGatewayIPv6(joinInfo.gw6); err != nil {
-		return fmt.Errorf("failed to set IPv6 gateway while updating gateway: %v", err)
+	// If IPv6 has been disabled in the sandbox a gateway may still have been
+	// configured, don't attempt to apply it.
+	if ipv6, _ := sb.ipv6Enabled(); ipv6 {
+		if err := osSbox.SetGatewayIPv6(joinInfo.gw6); err != nil {
+			return fmt.Errorf("failed to set IPv6 gateway while updating gateway: %v", err)
+		}
 	}
 
 	return nil
@@ -164,10 +168,8 @@ func (sb *Sandbox) SetKey(ctx context.Context, basePath string) error {
 		}
 	}
 
-	// Set up hosts and resolv.conf files. IPv6 support in the container can't be
-	// determined yet, as sysctls haven't been applied by the runtime. Calling
-	// FinishInit after the container task has been created, when sysctls have been
-	// applied will regenerate these files.
+	// Set up hosts and resolv.conf files.
+	osSbox.RefreshIPv6LoEnabled()
 	if err := sb.finishInitDNS(ctx); err != nil {
 		return err
 	}
@@ -181,27 +183,6 @@ func (sb *Sandbox) SetKey(ctx context.Context, basePath string) error {
 	return nil
 }
 
-// FinishConfig completes Sandbox configuration. If called after the container task has been
-// created, and sysctl settings applied, the configuration will be based on the container's
-// IPv6 support.
-func (sb *Sandbox) FinishConfig(ctx context.Context) error {
-	if sb.config.useDefaultSandBox {
-		return nil
-	}
-
-	sb.mu.Lock()
-	osSbox := sb.osSbox
-	sb.mu.Unlock()
-	if osSbox == nil {
-		return nil
-	}
-
-	// If sysctl changes have been made, IPv6 may have been enabled/disabled since last checked.
-	osSbox.RefreshIPv6LoEnabled()
-
-	return sb.finishInitDNS(ctx)
-}
-
 // IPv6 support can always be determined for host networking. For other network
 // types it can only be determined once there's a container namespace to probe,
 // return ok=false in that case.
@@ -314,7 +295,12 @@ func (sb *Sandbox) populateNetworkResources(ctx context.Context, ep *Endpoint) e
 
 		ifaceOptions = append(ifaceOptions, osl.WithIPv4Address(i.addr), osl.WithRoutes(i.routes))
 		if i.addrv6 != nil && i.addrv6.IP.To16() != nil {
-			ifaceOptions = append(ifaceOptions, osl.WithIPv6Address(i.addrv6))
+			// If IPv6 has been disabled in the Sandbox, an IPv6 address will still have
+			// been allocated. Don't apply it, because doing so would enable IPv6 on the
+			// interface.
+			if ipv6, ok := sb.ipv6Enabled(); !ok || ipv6 {
+				ifaceOptions = append(ifaceOptions, osl.WithIPv6Address(i.addrv6))
+			}
 		}
 		if len(i.llAddrs) != 0 {
 			ifaceOptions = append(ifaceOptions, osl.WithLinkLocalAddresses(i.llAddrs))

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ package daemon // import "github.com/docker/docker/daemon"`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
	`5`	`+ "fmt"`
`5`	`6`
`6`	`7`	`"github.com/docker/docker/container"`
`7`	`8`	`"github.com/docker/docker/errdefs"`
`@@ -24,7 +25,9 @@ func (daemon *Daemon) initializeCreatedTask(ctx context.Context, tsk types.Task,`
`24`	`25`	`if err != nil {`
`25`	`26`	`return errdefs.System(err)`
`26`	`27`	`}`
`27`		`- return sb.FinishConfig(ctx)`
	`28`	`+ if err := sb.SetKey(ctx, fmt.Sprintf("/proc/%d/ns/net", tsk.Pid())); err != nil {`
	`29`	`+ return errdefs.System(err)`
	`30`	`+ }`
`28`	`31`	`}`
`29`	`32`	`}`
`30`	`33`	`return nil`