Network namespace not available at hypervisor.createSandbox time

[mcastelino]

Description of problem

When the hypervisor createSandbox is called the network namespace is not properly populated.
virtcontainers/sandbox.go->createSandbox()->newSandbox()->s.hypervisor.createSandbox(ctx, s.id, s.networkNS, &sandboxConfig.HypervisorConfig, s.store)

At this point the network namespace is not populated. This leads to issues when running firecracker with jailer as the jailer needs a valid network namespace to move the firecracker process into the appropriate network namespace.

// createSandbox creates a sandbox from a sandbox description, the containers list, the hypervisor
// and the agent passed through the Config structure.
// It will create and store the sandbox structure, and then ask the hypervisor
// to physically create that sandbox i.e. starts a VM for that sandbox to eventually
// be started.
func createSandbox(ctx context.Context, sandboxConfig SandboxConfig, factory Factory) (*Sandbox, error) {
        span, ctx := trace(ctx, "createSandbox")
        defer span.Finish()

        if err := createAssets(ctx, &sandboxConfig); err != nil {
                return nil, err
        }

        s, err := newSandbox(ctx, sandboxConfig, factory)
        if err != nil {
                return nil, err
        }

        if len(s.config.Experimental) != 0 {
                s.Logger().WithField("features", s.config.Experimental).Infof("Enable experimental features")
        }

        // Fetch sandbox network to be able to access it from the sandbox structure.
        var networkNS NetworkNamespace
        if err := s.store.Load(store.Network, &networkNS); err == nil {
                s.networkNS = networkNS
        }

[mcastelino]

This is due to the order in which we create network.

At createSandbox time the network is not yet available in the case of docker. So any hypervisor implementation needs to load it at startSandbox time.

func createSandboxFromConfig(ctx context.Context, sandboxConfig SandboxConfig, factory Factory) (*Sandbox, error) {
        span, ctx := trace(ctx, "createSandboxFromConfig")
        defer span.Finish()

        var err error

        // Create the sandbox.
        s, err := createSandbox(ctx, sandboxConfig, factory)
        if err != nil {
                return nil, err
        }

        // cleanup sandbox resources in case of any failure
        defer func() {
                if err != nil {
                        s.Delete()
                }
        }()

        // Create the sandbox network
        if err = s.createNetwork(); err != nil {
                return nil, err
        }

        // network rollback
        defer func() {
                if err != nil && s.networkNS.NetNsCreated {
                        s.removeNetwork()
                }
        }()

        // Start the VM
        if err = s.startVM(); err != nil {
                return nil, err
        }

        // rollback to stop VM if error occurs
        defer func() {
                if err != nil {
                        s.stopVM()
                }
        }()

[mcastelino]

Closing this bug as we can workaround this issue for now.