New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restore the SetKey prestart hook. #47621
Conversation
6fedbcf
to
78b903b
Compare
78b903b
to
1cd08ae
Compare
// Test that it's possible to set a sysctl on an interface in the container. | ||
// Regression test for https://github.com/moby/moby/issues/47619 | ||
func TestSetInterfaceSysctl(t *testing.T) { | ||
skip.If(t, testEnv.DaemonInfo.OSType == "windows", "no sysctl on Windows") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For a follow-up; all tests in this file (bridge_test.go
) are Linux-only; if this file is specific for the bridge
driver (which is not supported on Windows), perhaps we should consider renaming the file to bridge_linux_test.go
, or adding a //go:build linux
build-tag to it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's got TestBridgeICCWindows
- which uses "nat" instead of "bridge", I think I put it there because it covers some of the same ground as TestBridgeICC
... but yes, we could split the file in to windows/not-windows.
daemon/start_linux.go
Outdated
// prepare a freshly-created task to be started. | ||
func (daemon *Daemon) initializeCreatedTask(ctx context.Context, tsk types.Task, container *container.Container, spec *specs.Spec) error { | ||
// prepare a freshly-created container to be started. | ||
func (daemon *Daemon) initializeCreatedContainer(container *container.Container, spec *specs.Spec) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wondering if we should keep the context.Context
(assuming we may need it again at some point), although I guess we could add it back when that moment arrives.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm happy to put it back ... but yes, my thinking was that as it's a non-exported function it can always be added back when needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to keep the function name and signature unchanged as it makes for less code to review in both this PR and in the future PR which carries the next version of the network config code. (It's just noise to have to touch start_notlinux.go)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@corhere you mean keeping the signature as it was before this PR? (so adjust the patch to not change the signature?)
I don't think #47619 alone fully outweighs the benefits of 0046b16. We should probably find a way to filter out interface-specific sysctls from the OCI spec and apply them after all the endpoints are created / joined. But I think that'd be an important change for a patch release, so it's probably better to do that for the next major release. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Blocking until I have confirmed to my satisfaction that there is no alternative whatsoever to reverting to the use of OCI hooks.
runC executes prestart hooks before it applies sysctls, and both are performed as part of the |
I'm convinced; we have to revert to using OCI hooks
daemon/start_linux.go
Outdated
// prepare a freshly-created task to be started. | ||
func (daemon *Daemon) initializeCreatedTask(ctx context.Context, tsk types.Task, container *container.Container, spec *specs.Spec) error { | ||
// prepare a freshly-created container to be started. | ||
func (daemon *Daemon) initializeCreatedContainer(container *container.Container, spec *specs.Spec) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to keep the function name and signature unchanged as it makes for less code to review in both this PR and in the future PR which carries the next version of the network config code. (It's just noise to have to touch start_notlinux.go)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
So - add back code that isn't needed, but might be in future if a change that isn't planned ends up looking like we think it might, to make the already-reviewed code easier to review, but needing another review. Sure, why not! |
1cd08ae
to
c51730a
Compare
Partially reverts 0046b16 "daemon: set libnetwork sandbox key w/o OCI hook" Running SetKey to store the OCI Sandbox key after task creation, rather than from the OCI prestart hook, meant it happened after sysctl settings were applied by the runtime - which was the intention, we wanted to complete Sandbox configuration after IPv6 had been disabled by a sysctl if that was going to happen. But, it meant '--sysctl' options for a specfic network interface caused container task creation to fail, because the interface is only moved into the network namespace during SetKey. This change restores the SetKey prestart hook, and regenerates config files that depend on the container's support for IPv6 after the task has been created. It also adds a regression test that makes sure it's possible to set an interface-specfic sysctl. Signed-off-by: Rob Murray <rob.murray@docker.com>
c51730a
to
fde80fe
Compare
- What I did
Running SetKey to store the OCI Sandbox key after task creation, rather than from the OCI prestart hook, meant it happened after sysctl settings were applied by the runtime - which was the intention, we wanted to complete Sandbox configuration after IPv6 had been disabled by a sysctl if that was going to happen.
But, it meant '--sysctl' options for a specfic network interface caused container task creation to fail, because the interface is only moved into the network namespace during SetKey.
- How I did it
Restored the SetKey prestart hook.
Regenerate config files that depend on the container's support for IPv6 after the task has been created.
The changes in the second partially-reverted commit, to check IPv6 support before assigning an interface address/gateway would no longer work, but are no longer necessary. IPv6 addresses applied during the SetKey prestart hook will be removed when the sysctl disabling IPv6 in the container is applied.
- How to verify it
Added a regression test, to make sure it's possible to set an interface-specfic sysctl.
The tests for IPv6 addresses in '/etc/hosts' when IPv6 is disabled still work.
- Description for the changelog