
bind(2)-related syscalls do not work well with nested containers #66

AkihiroSuda opened this issue Apr 4, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@AkihiroSuda
Member

In the following example, nerdctl exec dind docker exec nginx wget -O- http://127.0.0.1 is working as expected, but nerdctl exec dind docker exec nginx wget -O- http://172.17.0.2 is failing with Host is unreachable.

$ nerdctl run -d --name dind --annotation nerdctl/bypass4netns=1 --privileged docker:dind

$ nerdctl exec dind docker run -d --name nginx nginx:alpine

$ nerdctl exec dind docker exec nginx wget -O- http://127.0.0.1
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
[...]
</html>
Connecting to 127.0.0.1 (127.0.0.1:80)
writing to stdout
-                    100% |********************************|   615  0:00:00 ETA
written to stdout

$ nerdctl exec dind docker exec nginx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

$ nerdctl exec dind docker exec nginx wget -O- http://172.17.0.2
Connecting to 172.17.0.2 (172.17.0.2:80)
wget: can't connect to remote host (172.17.0.2): Host is unreachable
FATA[0003] exec failed with exit code 1
  • nerdctl: v2.0.0-beta.3
  • bypass4netns: the current master 2794f7e

Probably the cause is the same as:

cc @naoki9911

@AkihiroSuda AkihiroSuda added the bug Something isn't working label Apr 4, 2024
@AkihiroSuda
Member Author

AkihiroSuda commented Apr 4, 2024

--annotation nerdctl/bypass4netns-ignore-subnets='["172.17.0.2/24"]' works as a workaround, so this issue seems different from:

The automatic ignore list detection still needs a fix to support nested netns though.

@AkihiroSuda AkihiroSuda added enhancement New feature or request and removed bug Something isn't working labels Apr 4, 2024
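As an added example (not code from this issue or from the bypass4netns project), the function below derives the nerdctl/bypass4netns-ignore-subnets annotation value from the ip a output of the nested container, using the network address of each non-loopback IPv4 address rather than the container's host address; the sample input is the ip a output quoted in the report, and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: build the JSON list expected by the
# nerdctl/bypass4netns-ignore-subnets annotation from `ip a` output.
# Function names (network_of, ignore_subnets) are assumptions for this example.

# Constructed sample: the `ip a` output of the nested nginx container
# as quoted in the issue.
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever'

# network_of ADDR PREFIXLEN: print the network CIDR, e.g.
# network_of 172.17.0.2 16 -> 172.17.0.0/16 (no trailing newline).
network_of() {
  addr=$1; plen=$2
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  # Host-bit mask built without shifting by 32 (undefined for plen=0).
  mask=$(( 0xFFFFFFFF ^ ((1 << (32 - plen)) - 1) ))
  net=$(( n & mask ))
  printf '%d.%d.%d.%d/%d' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# ignore_subnets IP_A_OUTPUT: JSON array of the networks of every
# non-loopback (non "scope host") IPv4 address, de-duplicated.
ignore_subnets() {
  printf '%s\n' "$1" \
    | awk '$1 == "inet" && !/scope host/ { print $2 }' \
    | while IFS=/ read -r ip plen; do network_of "$ip" "$plen"; echo; done \
    | sort -u \
    | awk 'BEGIN { printf "[" } { printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 } END { print "]" }'
}

# Against the sample this yields ["172.17.0.0/16"]; on a live setup the
# input would come from: nerdctl exec dind docker exec nginx ip a
ignore_subnets "$SAMPLE_IP_A"
```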
@naoki9911
Collaborator

It seems that bypass4netns could not precisely handle nested netns.
I'll investigate this with #65.
