rootless-containers / bypass4netns

[Experimental] Accelerates slirp4netns using SECCOMP_IOCTL_NOTIF_ADDFD. As fast as `--net=host`.
https://medium.com/nttlabs/accelerating-rootless-container-network-29d0e908dda4
Apache License 2.0

Validate whether process belongs to the container's NetNS #70

Open naoki9911 opened 7 months ago

naoki9911 commented 7 months ago

bypass4netns handles all sockets in the container NetNS. However, in the nested NetNS environment, it wrongly bypasses sockets in the nested NetNS. It causes the following issues. https://github.com/rootless-containers/bypass4netns/issues/65 https://github.com/rootless-containers/bypass4netns/issues/66

This patch makes bypass4netns ignore any sockets created in non-container NetNS including nested ones.
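The check the PR description refers to can be illustrated with a NetNS membership test keyed on the namespace inode: the kernel exposes each network namespace as an nsfs inode under /proc/&lt;pid&gt;/ns/net, so a process is in the container's NetNS exactly when its inode matches the container init's, and a process that unshared a nested NetNS has a different one. The following Go program is an added example written for this page, not code from bypass4netns or from this PR; the function names, the `lookupNetNS` indirection and the `fakeProc` table with its pids and inode numbers are all constructed for the demo.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// nsID identifies a namespace by the (device, inode) pair of /proc/<pid>/ns/net.
// Two processes are in the same NetNS exactly when these pairs are equal.
type nsID struct {
	Dev uint64
	Ino uint64
}

// lookupNetNS resolves the NetNS of a pid. It is a variable so the constructed
// scenario below (and a test) can substitute a fake /proc view.
var lookupNetNS = procNetNS

// procNetNS stats /proc/<pid>/ns/net on a real Linux system.
func procNetNS(pid int) (nsID, error) {
	st, err := os.Stat(fmt.Sprintf("/proc/%d/ns/net", pid))
	if err != nil {
		return nsID{}, err
	}
	sys, ok := st.Sys().(*syscall.Stat_t)
	if !ok {
		return nsID{}, fmt.Errorf("pid %d: no Stat_t available on this platform", pid)
	}
	return nsID{Dev: uint64(sys.Dev), Ino: uint64(sys.Ino)}, nil
}

// inContainerNetNS reports whether pid shares the NetNS of the container's
// init process. A process in a nested NetNS (different inode) must not be
// bypassed: handing it a host-side socket would let it reach external
// endpoints without the veth/masquerade setup its own NetNS expects.
func inContainerNetNS(containerInitPid, pid int) (bool, error) {
	want, err := lookupNetNS(containerInitPid)
	if err != nil {
		return false, err
	}
	got, err := lookupNetNS(pid)
	if err != nil {
		return false, err
	}
	return want == got, nil
}

// shouldBypass is the policy gate: only sockets from processes in the
// container's own NetNS are candidates for bypass. Any lookup error
// (e.g. the pid already exited) fails closed, i.e. no bypass.
func shouldBypass(containerInitPid, pid int) bool {
	ok, err := inContainerNetNS(containerInitPid, pid)
	return err == nil && ok
}

// fakeProc is a constructed /proc view: pid 100 is the container init,
// 101 a sibling in the same NetNS, 200 a process that unshared a nested
// NetNS. Any other pid is treated as already gone. Inode values are made up.
var fakeProc = map[int]nsID{
	100: {Dev: 4, Ino: 4026532001},
	101: {Dev: 4, Ino: 4026532001},
	200: {Dev: 4, Ino: 4026532777},
}

// useFakeProc swaps the real /proc lookup for the constructed table.
func useFakeProc() {
	lookupNetNS = func(pid int) (nsID, error) {
		id, ok := fakeProc[pid]
		if !ok {
			return nsID{}, fmt.Errorf("pid %d: no such process", pid)
		}
		return id, nil
	}
}

func main() {
	useFakeProc()
	for _, pid := range []int{101, 200, 999} {
		fmt.Printf("pid %d: bypass=%v\n", pid, shouldBypass(100, pid))
	}
}
```

Two points a practitioner would add to a real deployment: the pid from a seccomp user notification can be recycled, so the membership check should be followed by `SECCOMP_IOCTL_NOTIF_ID_VALID` on the notification id before acting on it; and any failure to read the namespace should fail closed, as `shouldBypass` does, since a socket that is not bypassed simply falls back to slirp4netns.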

AkihiroSuda commented 7 months ago

Thank you, but this still does not seem to fix:

I also wonder if this PR disables the entire acceleration for connect(2)?

AkihiroSuda commented 7 months ago

For #65, this seems to work as a workaround

naoki9911 commented 6 months ago

this still does not seem to fix

Thanks, the issue seems to stem from other reasons. I'm going to investigate this issue in a Usernetes environment.

this PR disables the entire acceleration for connect(2)?

Yes, this disables the entire acceleration, including connect(2) and bind(2), for processes in nested NetNS. Enabling acceleration in nested NetNS can cause unexpected communication, and it actually allows processes to communicate with external endpoints without creating a veth or configuring IP masquerade in the nested NetNS. We need to consider whether this behavior is acceptable or not.

AkihiroSuda commented 6 months ago

At least connect() to the Internet should still be accelerated even with nested netns. --ignore-bind (https://github.com/rootless-containers/bypass4netns/pull/68) with ignore-list seems to work. Let me know if we can safely merge #68.