protochron
commented
1 year ago Not quite sure why the root tests would fail on different architectures 🤔
Open protochron opened 1 year ago
protochron
commented
1 year ago Not quite sure why the root tests would fail on different architectures 🤔
Right now there is a bug when trying to start a Firecracker VM with jailer using a CNI where the VM is never joined to the correct network namespace. This is because in its current form, the CNI execution occurs when
fcinit.SetupNetworkruns, which occurs after the jailer has already created a chroot and dropped privleges.This fixes the problem by executing the
fcinit.SetupNetworkcall before running jailer and removing that hook from theFcInitfunctions later on. It also passes through the UID and GID options to thetc-redirect-tapplugin and includes theIgnoreUnknowndirective so that chained CNI plugins work.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.