Right now there is a bug when trying to start a Firecracker VM with jailer using a CNI where the VM is never joined to the correct network namespace. This is because in its current form, the CNI execution occurs when fcinit.SetupNetwork runs, which occurs after the jailer has already created a chroot and dropped privileges.
This fixes the problem by executing the fcinit.SetupNetwork call before running jailer and removing that hook from the FcInit functions later on. It also passes through the UID and GID options to the tc-redirect-tap plugin and includes the IgnoreUnknown directive so that chained CNI plugins work.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
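The ordering invariant behind this fix, as an added illustration that is not part of the pull request or of the firecracker-go-sdk: any start-up step that needs host privileges (CNI ADD, joining the network namespace) must be scheduled before the step that enters the jailer chroot and drops privileges. The `Handler`, `ValidateOrder`, `Reorder`, `BuggySequence` and `FixedSequence` names below are assumptions made for this example, not SDK types or functions; the handler names mirror the steps the description mentions.

```go
package main

import "fmt"

// Handler models one step of the VM start sequence (illustrative; not the
// firecracker-go-sdk Handler type).
type Handler struct {
	Name           string
	NeedsHostPrivs bool // must run with full host privileges, e.g. the CNI ADD call
	DropsPrivs     bool // after this step the process is chrooted and unprivileged
}

// ValidateOrder returns an error naming the first handler that needs host
// privileges but is scheduled after the privilege-dropping step.
func ValidateOrder(hs []Handler) error {
	dropped := ""
	for _, h := range hs {
		if h.NeedsHostPrivs && dropped != "" {
			return fmt.Errorf("handler %q needs host privileges but runs after %q dropped them", h.Name, dropped)
		}
		if h.DropsPrivs {
			dropped = h.Name
		}
	}
	return nil
}

// Reorder moves every privileged handler that sits at or after the first
// privilege-dropping handler to just before it, preserving relative order.
func Reorder(hs []Handler) []Handler {
	dropIdx := -1
	for i, h := range hs {
		if h.DropsPrivs {
			dropIdx = i
			break
		}
	}
	if dropIdx < 0 {
		return append([]Handler(nil), hs...)
	}
	var moved, after []Handler
	for _, h := range hs[dropIdx:] {
		if h.NeedsHostPrivs {
			moved = append(moved, h)
		} else {
			after = append(after, h)
		}
	}
	out := append([]Handler(nil), hs[:dropIdx]...)
	out = append(out, moved...)
	return append(out, after...)
}

// BuggySequence is the constructed pre-fix ordering: the CNI step runs after
// the jailer has already chrooted and dropped privileges.
func BuggySequence() []Handler {
	return []Handler{
		{Name: "CreateLogFiles"},
		{Name: "StartJailer", DropsPrivs: true},
		{Name: "SetupNetwork", NeedsHostPrivs: true},
		{Name: "ConfigureMachine"},
	}
}

// FixedSequence is the constructed post-fix ordering.
func FixedSequence() []Handler {
	return Reorder(BuggySequence())
}

func main() {
	fmt.Println("buggy:", ValidateOrder(BuggySequence()))
	for _, h := range FixedSequence() {
		fmt.Println("fixed step:", h.Name)
	}
	fmt.Println("fixed:", ValidateOrder(FixedSequence()))
}
```

Running `ValidateOrder` over a handler list before starting a jailed VM catches this class of regression early: it fails on the buggy ordering and passes once `SetupNetwork` precedes `StartJailer`.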