Add --preserve-fds N to nerdctl run #3534
Comments
Thanks, SGTM. The CLI syntax should follow Podman.
This would be cool. To implement this you would need to use

Quote from https://man7.org/linux/man-pages/man7/unix.7.html

So the architecture would look something like this in the case of systemd socket activation?

nerdctl (possible architecture)

```mermaid
stateDiagram-v2
    [*] --> systemd: first client connects
    state "shell script wrapper" as s5
    systemd --> s5: socket inherited via fork/exec
    s5 --> nerdctl: socket inherited via fork/exec
    state "OCI runtime" as s2
    nerdctl --> containerd: socket sent with SCM_RIGHTS
    containerd --> s2: socket inherited via fork/exec
    s2 --> container: socket inherited via exec
```

podman (current architecture)

```mermaid
stateDiagram-v2
    [*] --> systemd: first client connects
    systemd --> podman: socket inherited via fork/exec
    state "OCI runtime" as s2
    podman --> conmon: socket inherited via double fork/exec
    conmon --> s2: socket inherited via fork/exec
    s2 --> container: socket inherited via exec
```

Diagram from
I don't believe so; SCM_RIGHTS is for transferring FDs from one PID to another via a UDS. I do not think that is what runc does; it would look more like

If you want to pass fds between processes with an SCM_RIGHTS socket, you can use a do-one-thing tool like s6-fdholderd, but for systemd socket units in your architecture diagram, you would just need

I don't quite follow how it would work without passing the socket file descriptor from

Oh, you're 100% right, I should have taken a closer look at that mermaid. SCM_RIGHTS is definitely the way to pass fds from nerdctl to containerd.
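The hand-off the thread settles on for the nerdctl → containerd edge (one process sending a descriptor to another over a Unix socket with SCM_RIGHTS), as an added Go example; it is not code from this issue, from nerdctl or from containerd, and the function names, the socketpair standing in for the containerd socket and the pipe used as the passed object are constructed for the demonstration. The receiver requests MSG_CMSG_CLOEXEC, rejects truncated control data, closes anything it did not agree to receive, and the caller proves with fstat(2) that the descriptor it got is a different fd number referring to the same open file:

```go
package main

import (
	"fmt"
	"io"
	"os"
	"syscall"
)

// sendFD sends fd over the AF_UNIX socket sock as SCM_RIGHTS ancillary data.
// The kernel installs a new descriptor for the same open file description in
// the receiving process; at least one byte of ordinary data must accompany it.
func sendFD(sock, fd int) error {
	return syscall.Sendmsg(sock, []byte{0}, syscall.UnixRights(fd), nil, 0)
}

// recvFD receives exactly one descriptor sent with sendFD and returns it.
// MSG_CMSG_CLOEXEC marks the new fd close-on-exec atomically, so it cannot
// leak into a child that is spawned before the receiver could call fcntl.
func recvFD(sock int) (int, error) {
	data, oob := make([]byte, 1), make([]byte, syscall.CmsgSpace(4)) // room for one int32 fd
	_, oobn, flags, _, err := syscall.Recvmsg(sock, data, oob, syscall.MSG_CMSG_CLOEXEC)
	if err != nil {
		return -1, err
	}
	msgs, err := syscall.ParseSocketControlMessage(oob[:oobn])
	if err != nil || len(msgs) != 1 {
		return -1, fmt.Errorf("expected one control message, got %d (%v)", len(msgs), err)
	}
	fds, err := syscall.ParseUnixRights(&msgs[0])
	if err != nil {
		return -1, err
	}
	if flags&syscall.MSG_CTRUNC != 0 || len(fds) != 1 {
		for _, fd := range fds {
			syscall.Close(fd) // never keep descriptors we did not agree to receive
		}
		return -1, fmt.Errorf("expected exactly one fd, got %d (truncated=%v)", len(fds), flags&syscall.MSG_CTRUNC != 0)
	}
	return fds[0], nil
}

// passPipeOverSocket creates a pipe, passes its read end across a socket pair
// with SCM_RIGHTS, then writes payload into the pipe and reads it back through
// the descriptor the receiver obtained. It reports what was read, whether the
// two descriptors name the same open file (same device and inode) and whether
// the receiver's fd number differs from the sender's.
func passPipeOverSocket(payload string) (got string, sameFile, distinctFD bool, err error) {
	pair, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0)
	if err != nil {
		return
	}
	defer syscall.Close(pair[0])
	defer syscall.Close(pair[1])
	r, w, err := os.Pipe() // constructed sample object; a listening socket is passed the same way
	if err != nil {
		return
	}
	defer r.Close()
	defer w.Close()
	if err = sendFD(pair[0], int(r.Fd())); err != nil {
		return
	}
	fd, err := recvFD(pair[1])
	if err != nil {
		return
	}
	recvd := os.NewFile(uintptr(fd), "received-fd")
	defer recvd.Close()
	if _, err = w.WriteString(payload); err != nil { // written only after the hand-off
		return
	}
	buf := make([]byte, len(payload))
	if _, err = io.ReadFull(recvd, buf); err != nil {
		return
	}
	got = string(buf)
	var a, b syscall.Stat_t
	if err = syscall.Fstat(int(r.Fd()), &a); err != nil {
		return
	}
	if err = syscall.Fstat(fd, &b); err != nil {
		return
	}
	sameFile = a.Dev == b.Dev && a.Ino == b.Ino
	distinctFD = int(r.Fd()) != fd
	return
}

func main() {
	got, sameFile, distinctFD, err := passPipeOverSocket("hello over SCM_RIGHTS")
	fmt.Printf("received %q; same open file: %v; different fd number: %v; err: %v\n", got, sameFile, distinctFD, err)
}
```

Because the received descriptor shares the open file description with the sender's, file offset and status flags (O_NONBLOCK included) are shared as well, which is why the passed object here is written only after the hand-off. A receiver in the containerd position should also fstat what it was handed and check the file type before treating it as the socket it expected.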
What is the problem you're trying to solve

Container runtimes support passing additional file descriptors from the parent process into containers, which has at least two nice use cases:

- `--net=none`. Effectively this allows the container to do host network I/O without exposing the host network to the container, which enhances security and allows for seamless upgrades.

Describe the solution you'd like

`nerdctl run` takes a `--preserve-fds N` argument that specifies how many "extra" fds to pass to containers after stdin/stdout/stderr. podman also supports systemd's socket activation `$LISTEN_FDS` environment variable, which I do not recommend adding separate support for to nerdctl. A simple shell script can read these variables and supply the appropriate `--preserve-fds` argument to nerdctl if desired.

Additional context

Support is already in runc, and `podman run` has this argument: containers/podman#6625

I am happy to contribute this feature if there is interest :)