Enter network namespace by PID instead of "sandbox key"

3 years ago · e109e9923e
parent 00e08f1c14
commit e109e9923e
3 changed files with 30 additions and 34 deletions
--- a/README.md
+++ b/README.md
@ -17,8 +17,8 @@ The plugin can be installed with the `docker plugin install` command:
 $ docker plugin install ghcr.io/devplayer0/docker-net-dhcp:release-linux-amd64
 Plugin "ghcr.io/devplayer0/docker-net-dhcp:release-linux-amd64" is requesting the following privileges:
 - network: [host]
+ - host pid namespace: [true]
 - mount: [/var/run/docker.sock]
- - mount: [/var/run/docker]
 - capabilities: [CAP_NET_ADMIN CAP_SYS_ADMIN]
 Do you grant the above permissions? [y/N] y
 release-linux-amd64: Pulling from ghcr.io/devplayer0/docker-net-dhcp
--- a/config.json
+++ b/config.json
@ -21,6 +21,7 @@
    "network": {
        "type": "host"
    },
+    "pidhost": true,
    "mounts": [
        {
            "source": "/var/run/docker.sock",
@ -29,14 +30,6 @@
            "options": [
                "bind"
            ]
-        },
-        {
-            "source": "/var/run/docker",
-            "destination": "/run/docker",
-            "type": "bind",
-            "options": [
-                "bind"
-            ]
        }
    ],
    "linux": {
--- a/pkg/plugin/dhcp_manager.go
+++ b/pkg/plugin/dhcp_manager.go
@ -27,6 +27,7 @@ type dhcpManager struct {
 	LastIP   *netlink.Addr
 	LastIPv6 *netlink.Addr

+	nsPath    string
 	hostname  string
 	nsHandle  netns.NsHandle
 	netHandle *netlink.Handle
@ -125,7 +126,7 @@ func (m *dhcpManager) setupClient(v6 bool) (chan error, error) {
 	client, err := udhcpc.NewDHCPClient(m.ctrLink.Attrs().Name, &udhcpc.DHCPClientOptions{
 		Hostname:  m.hostname,
 		V6:        v6,
-		Namespace: m.joinReq.SandboxKey,
+		Namespace: m.nsPath,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create DHCP%v client: %w", v6Str, err)
@ -198,8 +199,32 @@ func (m *dhcpManager) setupClient(v6 bool) (chan error, error) {
 }

 func (m *dhcpManager) Start(ctx context.Context) error {
-	var err error
-	m.nsHandle, err = util.AwaitNetNS(ctx, m.joinReq.SandboxKey, pollTime)
+	dockerNet, err := m.docker.NetworkInspect(ctx, m.joinReq.NetworkID, dTypes.NetworkInspectOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to get Docker network info: %w", err)
+	}
+
+	var ctrID string
+	for id, info := range dockerNet.Containers {
+		if info.EndpointID == m.joinReq.EndpointID {
+			ctrID = id
+			break
+		}
+	}
+	if ctrID == "" {
+		return util.ErrNoContainer
+	}
+
+	ctr, err := m.docker.ContainerInspect(ctx, ctrID)
+	if err != nil {
+		return fmt.Errorf("failed to get Docker container info: %w", err)
+	}
+
+	// Using the "sandbox key" directly causes issues on some platforms
+	m.nsPath = fmt.Sprintf("/proc/%v/ns/net", ctr.State.Pid)
+	m.hostname = ctr.Config.Hostname
+
+	m.nsHandle, err = util.AwaitNetNS(ctx, m.nsPath, pollTime)
 	if err != nil {
 		return fmt.Errorf("failed to get sandbox network namespace: %w", err)
 	}
@ -237,28 +262,6 @@ func (m *dhcpManager) Start(ctx context.Context) error {
 			return err
 		}

-		dockerNet, err := m.docker.NetworkInspect(ctx, m.joinReq.NetworkID, dTypes.NetworkInspectOptions{})
-		if err != nil {
-			return fmt.Errorf("failed to get Docker network info: %w", err)
-		}
-
-		var ctrID string
-		for id, info := range dockerNet.Containers {
-			if info.EndpointID == m.joinReq.EndpointID {
-				ctrID = id
-				break
-			}
-		}
-		if ctrID == "" {
-			return util.ErrNoContainer
-		}
-
-		ctr, err := m.docker.ContainerInspect(ctx, ctrID)
-		if err != nil {
-			return fmt.Errorf("failed to get Docker container info: %w", err)
-		}
-		m.hostname = ctr.Config.Hostname
-
 		if m.errChan, err = m.setupClient(false); err != nil {
 			close(m.stopChan)
 			return err