cli: add configuration option to use or not use host netns

[caoruidong]

If disable_new_netns set to true, create VM and shim processes in the host netns

Fixes #731

Signed-off-by: Ruidong Cao caoruidong@huawei.com

[jodh-intel]

Hi @caoruidong

• This will be useful for tracing the agent (Adding OpenTracing support for Kata kata-containers#27), so thanks for raising! 😄
• Your branch has conflicts so please rebase.
• Please could you add a unit test for this new option.
• The issues in your "Fixes" comment mentions disabling the ns for the shim too, but the code only applies to the hypervisor.

[jodh-intel]

Oh - also, this new option should be displayed in the output of kata-env ideally (remember to increase the value of formatVersion in kata-env.go).

[codecov]

Codecov Report

Merging #733 into master will increase coverage by 0.15%.
The diff coverage is 37.16%.

@@            Coverage Diff             @@
##           master     #733      +/-   ##
==========================================
+ Coverage    66.1%   66.26%   +0.15%     
==========================================
  Files          87       87              
  Lines       10525    10584      +59     
==========================================
+ Hits         6958     7013      +55     
+ Misses       2868     2866       -2     
- Partials      699      705       +6

[caoruidong]

Actually config.NetNSPath will influence both shim and VM processes. I have changed commit msg.

But this doesn't work for CNM model. Because we scan endpoints by default and try to attach them, this will break host networking. And libnetwork hook will get a error failed to set gateway while updating gateway: network is unreachable.
So just works with docker run -it --net=none

[bergwolf]

@caoruidong Did you try it with docker? I'm afraid it might do damage to host network (due to the oci hooks), if someone sets DisableNewNetNs and run it with docker.

[bergwolf]

Please use /proc/self/ns/net instead.

Or we can simply not to setup network namespace when DisableNewNetNs is set, in which case we can avoid setupNetworkNamespace() in kata cli and sandbox createNetwork()/removeNetwork().

[caoruidong]

Great! I have tried ns.GetCurrentNs() but forgot "/proc/self/ns/net".
I think it's better to skip setupNetworkNamespace(). Let's hear from others.

[WeiZhang555]

This can be treated as an advanced feature and can only be enabled by users who really understand what this option means, I think if user want to use docker libnetwork, they should keep this flag disabled, and only enable it when they want to do custom operations for network. Based on this, I suggest we make a conflict rule:

• disable_new_netns conflicts with enable_netmon
• disable_new_netns conflicts with internetworking_model=bridge and internetworking_model=macvtap, instead we add a new network model none. disable_new_netns works only with internetworking_model=none

According to rule, any violation should got an error.

[jodh-intel]

Sounds good to me but let's also get input from @sboeuf, @amshinde, @mcastelino.

[caoruidong]

@bergwolf I have tried it with docker. I think it doesn't break host network but gets an error failed to set gateway while updating gateway: network is unreachable. due to hook.
It works with --net=none

[mcastelino]

@sboeuf @amshinde I am surprised that --net=host did not cause any issues. Did you add new code that disabled networking when --net=host is setup? I understand --net=none working.

[amshinde]

@mcastelino Yes, --net=host has been diasbled explicitly, explicitly showing an error that this is not supported.

@caoruidong Is this feature for your custom networking?

disable_new_netns conflicts with enable_netmon
disable_new_netns conflicts with internetworking_model=bridge and internetworking_model=macvtap, instead we add a new network model none. disable_new_netns works only with internetworking_model=none

I agree with the error scenarios @WeiZhang555 pointed out. In addition, I think It would be a good idea to skip running the hooks altogether when disable_new_netns is true.

[sboeuf]

@caoruidong based on input from @WeiZhang555 and @bergwolf , I think we need to add some documentation as part of this PR.
Because this option should only be used by ppl who know what they're doing, please add both documentation in the code and into a .md file.

Last thing, I would greatly appreciate if you could explain clearly the use case for such thing, since this is going against what we've been doing in Kata, and unless we have a strong use case for it, I don't know if we want it.

[caoruidong]

@mcastelino It is documented in https://github.com/kata-containers/documentation/blob/master/Limitations.md#docker---net=host.
This is kind of custom use case, but originally comes from what we discuss in #113 (comment). Thanks to gnawux, he draws a picture #113 (comment).
I will add some documents after we reach a consensus.

[WeiZhang555]

I think It would be a good idea to skip running the hooks altogether when disable_new_netns is true.

@amshinde I'm not sure if there will be any new scenario depending on hook support in addition to "docker libnetwork", so maybe it's not good idea to disable hooks.

[jodh-intel]

I think it would be useful to add a link here to the following as that shows users visually more about how this will work:

• https://github.com/kata-containers/documentation/blob/master/architecture.md#networking

[caoruidong]

OK. I will add a PR in documentation repo.

[caoruidong]

@bergwolf Comments addressed in this PR.

[jshachm]

LGTM , and waiting for that we fix the strange error of CI.

[raravena80]

@caoruidong ping from your weekly Kata herder. Doing re-test?

[caoruidong]

@amshinde @sboeuf branch update

[sboeuf]

Thanks @caoruidong for all the reworks :)
LGTM

[caoruidong]

/test

[WeiZhang555]

LGTM.

As we got 4 LGTMs, I'll merge this now.
The design has been discussed a lot so I think it's safe to merge, we can keep improving detail implementation later.