Enter network namespace by PID instead of "sandbox key"

Jack O'Sullivan 2021-06-10 23:03:46 +01:00
parent 00e08f1c14
commit e109e9923e
3 changed files with 30 additions and 34 deletions


@ -17,8 +17,8 @@ The plugin can be installed with the `docker plugin install` command:
$ docker plugin install ghcr.io/devplayer0/docker-net-dhcp:release-linux-amd64
Plugin "ghcr.io/devplayer0/docker-net-dhcp:release-linux-amd64" is requesting the following privileges:
- network: [host]
- host pid namespace: [true]
- mount: [/var/run/docker.sock]
- mount: [/var/run/docker]
- capabilities: [CAP_NET_ADMIN CAP_SYS_ADMIN]
Do you grant the above permissions? [y/N] y
release-linux-amd64: Pulling from ghcr.io/devplayer0/docker-net-dhcp


@ -21,6 +21,7 @@
"network": {
"type": "host"
},
"pidhost": true,
"mounts": [
{
"source": "/var/run/docker.sock",
@ -29,14 +30,6 @@
"options": [
"bind"
]
},
{
"source": "/var/run/docker",
"destination": "/run/docker",
"type": "bind",
"options": [
"bind"
]
}
],
"linux": {
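Review bot: The new `"pidhost": true` in the first hunk of this section grants the plugin the host PID namespace, and nothing in the change records why that privilege is now needed. The accompanying Go change resolves the container's network namespace as `/proc/<pid>/ns/net` from the PID that Docker reports, which presumably is only meaningful when the plugin shares the host PID namespace; config.json cannot carry a comment, so a short justification belongs next to the privilege list in the README, e.g. `- host pid namespace: required so the plugin can open /proc/<container pid>/ns/net instead of the sandbox key`. The removal of the `/var/run/docker` bind mount in the second hunk narrows what the plugin can reach on the host, and is worth stating explicitly so a reader does not take the combined change as a pure privilege increase.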


@ -27,6 +27,7 @@ type dhcpManager struct {
LastIP *netlink.Addr
LastIPv6 *netlink.Addr
nsPath string
hostname string
nsHandle netns.NsHandle
netHandle *netlink.Handle
@ -125,7 +126,7 @@ func (m *dhcpManager) setupClient(v6 bool) (chan error, error) {
client, err := udhcpc.NewDHCPClient(m.ctrLink.Attrs().Name, &udhcpc.DHCPClientOptions{
Hostname: m.hostname,
V6: v6,
Namespace: m.joinReq.SandboxKey,
Namespace: m.nsPath,
})
if err != nil {
return nil, fmt.Errorf("failed to create DHCP%v client: %w", v6Str, err)
@ -198,8 +199,32 @@ func (m *dhcpManager) setupClient(v6 bool) (chan error, error) {
}
func (m *dhcpManager) Start(ctx context.Context) error {
var err error
m.nsHandle, err = util.AwaitNetNS(ctx, m.joinReq.SandboxKey, pollTime)
dockerNet, err := m.docker.NetworkInspect(ctx, m.joinReq.NetworkID, dTypes.NetworkInspectOptions{})
if err != nil {
return fmt.Errorf("failed to get Docker network info: %w", err)
}
var ctrID string
for id, info := range dockerNet.Containers {
if info.EndpointID == m.joinReq.EndpointID {
ctrID = id
break
}
}
if ctrID == "" {
return util.ErrNoContainer
}
ctr, err := m.docker.ContainerInspect(ctx, ctrID)
if err != nil {
return fmt.Errorf("failed to get Docker container info: %w", err)
}
// Using the "sandbox key" directly causes issues on some platforms
m.nsPath = fmt.Sprintf("/proc/%v/ns/net", ctr.State.Pid)
m.hostname = ctr.Config.Hostname
m.nsHandle, err = util.AwaitNetNS(ctx, m.nsPath, pollTime)
if err != nil {
return fmt.Errorf("failed to get sandbox network namespace: %w", err)
}
@ -237,28 +262,6 @@ func (m *dhcpManager) Start(ctx context.Context) error {
return err
}
dockerNet, err := m.docker.NetworkInspect(ctx, m.joinReq.NetworkID, dTypes.NetworkInspectOptions{})
if err != nil {
return fmt.Errorf("failed to get Docker network info: %w", err)
}
var ctrID string
for id, info := range dockerNet.Containers {
if info.EndpointID == m.joinReq.EndpointID {
ctrID = id
break
}
}
if ctrID == "" {
return util.ErrNoContainer
}
ctr, err := m.docker.ContainerInspect(ctx, ctrID)
if err != nil {
return fmt.Errorf("failed to get Docker container info: %w", err)
}
m.hostname = ctr.Config.Hostname
if m.errChan, err = m.setupClient(false); err != nil {
close(m.stopChan)
return err