gvisor icon indicating copy to clipboard operation
gvisor copied to clipboard
verified publisher icon google

network=sandbox is broken when using ip route add default dev wg0

Open ghost opened this issue 2 years ago • 6 comments

Description

When the network namespace is set up such as: (wireguard)

ip -n inet_47 link set wg0 up
ip -n inet_47 route add default dev wg0

ip r
default dev wg0 scope link

--network=sandbox is not functional:

running container: starting container: setting up network: creating interfaces from net namespace "/proc/2457/ns/net": getting routes for interface "wg0": default route with no gateway "wg0": {Ifindex: 5 Dst: <nil> Src: <nil> Gw: <nil> Flags: [] Table: 254 Realm: 0}

--network=host is functional.

config.json includes:

    "linux": {
        "namespaces": [
...
            {
                "type": "network",
                "path": "/var/run/netns/inet_47"
            }

Steps to reproduce

sudo runsc --root ./ --platform=kvm --ignore-cgroups run test

runsc version

nightly today

ghost avatar Feb 19 '23 04:02 ghost

It seems like the error is accurate: gVisor copies the routes from the network namespace, and it fails if a default route has no gateway. It doesn't know what to do with it.

Do you know what the point of the gateway-less default route is? And what's the output of ip -n inet_47 link show wg0? We might be able to support this, but we need to know what's actually happening first.

kevinGC avatar Feb 22 '23 20:02 kevinGC

The point is that as with some commercial VPN's, keeping track of the gateway can be a hassle. And setting the route to default to the interface itself just works in those settings.

4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none

Ultimately, it's not a big deal, setting up anonymous netns with veth or ipvlan is not an issue. Would be nice to have it supported though.

ghost avatar Feb 22 '23 20:02 ghost

So IIUC the default gateway-less route is saying "instead of sending default traffic to a gateway, just send it out via this device". We could, I think, support this.

kevinGC avatar Feb 22 '23 21:02 kevinGC

A friendly reminder that this issue had no activity for 120 days.

github-actions[bot] avatar Sep 13 '23 00:09 github-actions[bot]

I hit this issue today with a commercial wireguard vpn interface just like @jackloomen . While debugging I noticed that there is a check disallowing sandbox networking in the root namespace (search for "cannot run with network enabled in root network namespace" in network.go). Is there a technical reason for this restriction? I ask because the namespace containing my wireguard vpn interface was created by me, not by docker/podman, and i'm wondering if the same restriction would also apply to my wireguard namespace for similar (security?) reasons.

chetan-reddy avatar Sep 15 '23 03:09 chetan-reddy

A friendly reminder that this issue had no activity for 120 days.

github-actions[bot] avatar Jan 14 '24 00:01 github-actions[bot]

This issue has been closed due to lack of activity.

github-actions[bot] avatar Apr 14 '24 00:04 github-actions[bot]