Use shareable IPC for sandbox container#70826
Hi @kolyshkin. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

/check-cla

/ok-to-test

/assign @vishh

CI failure:
looks more like a glitch in the test env (although I'm not an expert here)

@vishh PTAL

/retest
Currently, Docker makes IPC of every container shareable by default, which means other containers can join its IPC namespace. This is implemented by creating a tmpfs mount on the host, and then bind-mounting it to a container's /dev/shm. Other containers that want to share the same IPC (and the same /dev/shm) can also bind-mount the very same host's mount. Now, since moby/moby@7120976d7 (moby/moby#34087) there is a possibility to have a per-daemon default of having "private" IPC mode, meaning all the containers created will have non-shareable /dev/shm. For shared IPC to work in the above scenario, we need to explicitly make the "pause" container's IPC mode "shareable", which is what this commit does. To test: add "default-ipc-mode: private" to /etc/docker/daemon.json, try using kube as usual, there should be no errors. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
17ae115 to 1dca64f
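The mechanism described in the commit message above, written out as an added Go example (this is not kubelet's or Docker's code): a toy daemon that resolves an unset IpcMode to the per-daemon default the way moby/moby#34087 does, and refuses a "container:<id>" join when the target container is not shareable. It shows why a pod whose pause container inherits the default breaks once default-ipc-mode is "private", and why asking for "shareable" explicitly fixes it. The types Daemon and HostConfig and the functions NewDaemon, CreatePod, SandboxHostConfig and AppContainerHostConfig are assumptions made for this example; only the mode strings ("private", "shareable", "container:<id>") are Docker's.

```go
package main

import (
	"fmt"
	"strings"
)

// IPC mode strings as Docker's HostConfig.IpcMode uses them.
const (
	IPCPrivate   = "private"
	IPCShareable = "shareable"
)

// HostConfig is a hypothetical stand-in for Docker's container.HostConfig,
// reduced to the one field this PR is about.
type HostConfig struct {
	IpcMode string // "", "private", "shareable", "host" or "container:<id>"
}

// Daemon is a toy model of dockerd with the default-ipc-mode setting from
// /etc/docker/daemon.json (moby/moby#34087). Hypothetical type.
type Daemon struct {
	DefaultIPCMode string            // "shareable" (Docker's historical default) or "private"
	containers     map[string]string // container ID -> effective IPC mode
}

func NewDaemon(defaultIPCMode string) *Daemon {
	return &Daemon{DefaultIPCMode: defaultIPCMode, containers: map[string]string{}}
}

// EffectiveIPCMode resolves an unset IpcMode to the daemon default, which is
// exactly what changes when default-ipc-mode is switched to "private".
func (d *Daemon) EffectiveIPCMode(hc HostConfig) string {
	if hc.IpcMode == "" {
		return d.DefaultIPCMode
	}
	return hc.IpcMode
}

// Create registers a container. A "container:<id>" request is refused unless
// the target's effective mode is "shareable", mirroring Docker's
// "cannot join IPC of a non-shareable container" error (simplified model:
// the "host" mode is not handled here).
func (d *Daemon) Create(id string, hc HostConfig) error {
	mode := d.EffectiveIPCMode(hc)
	if strings.HasPrefix(mode, "container:") {
		target := strings.TrimPrefix(mode, "container:")
		targetMode, found := d.containers[target]
		if !found {
			return fmt.Errorf("ipc container %q not found", target)
		}
		if targetMode != IPCShareable {
			return fmt.Errorf("cannot join IPC of non-shareable container %q (mode %q)", target, targetMode)
		}
	}
	d.containers[id] = mode
	return nil
}

// IPCModeOf reports the effective IPC mode recorded for a created container.
func (d *Daemon) IPCModeOf(id string) (string, bool) {
	m, ok := d.containers[id]
	return m, ok
}

// SandboxHostConfig builds the pause container's config. explicit=false
// behaves like kubelet before this PR (inherit the daemon default);
// explicit=true asks for "shareable", which is the fix.
func SandboxHostConfig(explicit bool) HostConfig {
	if explicit {
		return HostConfig{IpcMode: IPCShareable}
	}
	return HostConfig{}
}

// AppContainerHostConfig joins the pod sandbox's IPC namespace (and /dev/shm).
func AppContainerHostConfig(sandboxID string) HostConfig {
	return HostConfig{IpcMode: "container:" + sandboxID}
}

// CreatePod models kubelet's order of operations: sandbox first, then an app
// container that joins it.
func CreatePod(d *Daemon, sandboxID, appID string, explicit bool) error {
	if err := d.Create(sandboxID, SandboxHostConfig(explicit)); err != nil {
		return err
	}
	return d.Create(appID, AppContainerHostConfig(sandboxID))
}

func main() {
	for _, def := range []string{IPCShareable, IPCPrivate} {
		for _, explicit := range []bool{false, true} {
			err := CreatePod(NewDaemon(def), "pause-1", "app-1", explicit)
			fmt.Printf("default-ipc-mode=%-9s explicit shareable=%-5v -> err=%v\n", def, explicit, err)
		}
	}
}
```

Running main prints four rows; the only failing combination is the "private" default with the pre-PR sandbox config, which is the situation the commit message's test recipe (default-ipc-mode: private in daemon.json) reproduces. Note the hardening trade-off the daemon setting represents: under the old shareable default any container on the host can join any other container's IPC namespace, whereas with "private" only the pod's pause container opts in.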
rebased to master HEAD (clean rebase)

apparently the CI failure was caused by the broken master -- the rebase has fixed this.

What would help with older versions of the docker? Maybe there is a need for some docker version check?
/assign @yujuhong

/lgtm

[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: kolyshkin, yujuhong. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

/test pull-kubernetes-godeps
/kind bug