Validate whether process belongs to the container's NetNS #70

Open
wants to merge 1 commit into
base: master

naoki9911
Collaborator

bypass4netns handles all sockets in the container NetNS.
However, in the nested NetNS environment, it wrongly bypasses sockets in the nested NetNS.
It causes the following issues.
#65
#66

This patch makes bypass4netns ignore any sockets created in non-container NetNS including nested ones.

ignores any sockets created in non-container NetNS including nested one.

Signed-off-by: Naoki MATSUMOTO <[email protected]>
@AkihiroSuda
Member

Thank you, but this still does not seem to fix:

I also wonder if this PR disables the entire acceleration for connect(2)?

@AkihiroSuda
Member

For #65, this seems to work as a workaround

@naoki9911
Collaborator Author

naoki9911 commented Apr 8, 2024

> this still does not seem to fix

Thanks, the issue seems to stem from other reasons.
I'm going to investigate this issue with the Usernetes environment.

> this PR disables the entire acceleration for connect(2)?

Yes, this disables the entire acceleration, including connect(2) and bind(2), for processes in a nested NetNS.
Enabling acceleration in nested NetNS can cause unexpected communication, and it actually allows processes to communicate with external endpoints without creating veth or configuring IP masquerade in nested NetNS.
We need to consider whether this behavior is acceptable or not.

@AkihiroSuda
Member

At least connect() to the Internet should still be accelerated even with nested netns.
--ignore-bind (#68) with ignore-list seems to work.
Let me know if we can safely merge #68.
