python-wheel-build / fromager

Build your own wheels
https://fromager.readthedocs.io/en/latest/
Apache License 2.0

Prefer bubblewrap for network isolation #473

Closed tiran closed 1 month ago

tiran commented 1 month ago

Bubblewrap is another tool for unsharing namespaces. It sets up a network namespace with a disconnected loopback.

Fixes: #472

prarit commented 1 month ago

Let's try this and see if it works better. OOC, did you test if it solved the MPI issue in a container?

tiran commented 1 month ago

> Let's try this and see if it works better. OOC, did you test if it solved the MPI issue in a container?

$ bwrap --unshare-net --dev-bind / / -- /usr/lib64/openmpi/bin/mpicc -showme:compile
-I/usr/include/openmpi-x86_64

$ unshare -rn -- /usr/lib64/openmpi/bin/mpicc -showme:compile
[hostname:1498104] opal_ifinit: unable to find network interfaces.
-I/usr/include/openmpi-x86_64

tiran commented 1 month ago

bwrap does not work for us. It requires additional permissions and adjustments to work in an unprivileged container. We want a system that works in podman out of the box and in docker with minimal adjustments.
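
The trade-off in this thread (bwrap preferred, but not always able to run in an unprivileged container) can be handled by probing each wrapper before use and failing closed. This is an added example, not fromager's code; the function names `wrapper_works` and `isolated_command` are hypothetical, and the wrapper arguments are the ones from the commands shown above.

```python
import shutil
import subprocess
from typing import Callable, Sequence

# Wrapper prefixes copied from the commands shown in the thread.
BWRAP = ["bwrap", "--unshare-net", "--dev-bind", "/", "/", "--"]
UNSHARE = ["unshare", "-rn", "--"]


def wrapper_works(prefix: Sequence[str], timeout: float = 5.0) -> bool:
    """Return True if the wrapper can actually run a trivial command here.

    Checking that the binary exists is not enough: in an unprivileged
    container the tool may be installed but unable to create namespaces.
    """
    if shutil.which(prefix[0]) is None:
        return False
    try:
        proc = subprocess.run(
            [*prefix, "true"],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


def isolated_command(
    cmd: Sequence[str],
    probe: Callable[[Sequence[str]], bool] = wrapper_works,
) -> list:
    """Prefix cmd with the first network-isolation wrapper that works.

    Order of preference: bwrap, then unshare. Raises RuntimeError when
    neither is usable, so a build never silently runs with network access.
    """
    for prefix in (BWRAP, UNSHARE):
        if probe(prefix):
            return [*prefix, *cmd]
    raise RuntimeError("no working network isolation wrapper (bwrap, unshare)")
```

The `probe` parameter exists so the selection logic can be exercised without namespace privileges; in real use the default probe runs each wrapper once against `true`.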