bypass4netns
Running with bypass4netns on Kubernetes docker in docker
I've been having a read of https://pibvt.net/IPSJ-OS22156009.pdf and trying to understand how we can implement bypass4netns in our existing Kubernetes-based docker-in-docker implementation.
I'm not entirely sure where this would need to run. We currently launch the rootless docker-in-docker host using: https://github.com/harrison-ai/cobalt-docker-rootless-nvidia-dind/blob/main/entrypoint.sh.
Would we run bypass4netns inside that container, or on the underlying host itself, presenting the socket all the way through?
Ideally we could run it in the container, pass through a seccomp profile and keep it all there, but I fear that bypass4netns needs to actually listen on the host itself?
@AkihiroSuda would be great to get your thoughts on this one.
Didn't try your script, but it should work in a container.
@AkihiroSuda thanks for the response.
All good, I absolutely do not expect you to run it. At the moment I'm just trying to get an understanding of what may / may not work.
At the moment we run it like this:
[ kubernetes host ] -> [ dind host container ] -> [ docker in docker containers kicked off by users ]
Is it possible to run the bypass4netns seccomp agent in the "dind host container" such that, when users kick off those docker-in-docker containers with the appropriate seccomp profile, the syscalls are intercepted by bypass4netns listening in the host container under those constraints?
Or does bypass4netns need to run on the Kubernetes host, with the socket presented all the way through to the dind container?
I am attempting to run it in the container at the moment, and the calls don't seem to be coming through; it hangs on load if I have a notify rule in the seccomp profile.
@AkihiroSuda any more thoughts, with the extra info provided in https://github.com/rootless-containers/bypass4netns/issues/37#issuecomment-1386226678?
Hi @AkihiroSuda just checking if you have any more thoughts. We cannot get this feature to work.
> Is it possible to run the bypass4netns seccomp agent in the "dind host container" such that, when users kick off those docker-in-docker containers with the appropriate seccomp profile, the syscalls are intercepted by bypass4netns listening in the host container under those constraints?

Probably yes, but I didn't try it myself.
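An added example for readers of this thread (editor's code, not from the bypass4netns project or from either participant). The mechanism being discussed is the OCI runtime-spec seccomp `listenerPath` field plus `SCMP_ACT_NOTIFY` rules: the container runtime that creates the user's container connects to `listenerPath` from its own mount namespace and hands the seccomp-notify fd to whatever agent is listening there. In the topology above that runtime lives in the "dind host container", so the agent socket has to be reachable at that path inside that container, not on the Kubernetes host. The script below builds such a profile from a base profile and pre-flights the socket path. Assumptions, labelled in the code: the syscall list is the editor's choice (check it against the agent you actually run), the socket path is hypothetical, and the base profile is a constructed stub standing in for Docker's much larger default profile.

```python
"""Build a Docker/OCI seccomp profile that routes socket syscalls to a
seccomp-notify agent, and sanity-check the listener socket before `docker run`.

Added example for this issue thread; not code from bypass4netns.
"""
import copy
import os
import stat

# Assumption: the syscalls a socket-bypassing agent wants to intercept.
# Adjust to match the agent's documentation.
NOTIFY_SYSCALLS = ["bind", "connect", "setsockopt", "getpeername",
                   "getsockname", "close", "fcntl"]

# Constructed stand-in for Docker's default profile (the real one has
# hundreds of names in its allow list).
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "socket", "bind", "connect", "close"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"},
    ],
}


def make_notify_profile(base, listener_path, syscalls=NOTIFY_SYSCALLS):
    """Return a copy of `base` with `syscalls` moved out of every existing
    rule into a single SCMP_ACT_NOTIFY rule, and `listenerPath` set.

    The names are moved, not merely added: the same syscall listed under
    both an ALLOW rule and the NOTIFY rule is a duplicate rule for the
    filter, so the ALLOW entries are dropped. `base` is left untouched.
    """
    if not os.path.isabs(listener_path):
        raise ValueError("listenerPath must be absolute: %r" % listener_path)
    wanted = set(syscalls)
    profile = copy.deepcopy(base)
    kept = []
    for rule in profile.get("syscalls", []):
        names = [n for n in rule.get("names", []) if n not in wanted]
        if names:                      # drop rules emptied by the move
            rule["names"] = names
            kept.append(rule)
    kept.append({"names": list(syscalls), "action": "SCMP_ACT_NOTIFY"})
    profile["syscalls"] = kept
    profile["listenerPath"] = listener_path
    return profile


def notify_names(profile):
    """Sorted list of every syscall the profile routes to the agent."""
    return sorted(n for r in profile["syscalls"]
                  if r["action"] == "SCMP_ACT_NOTIFY" for n in r["names"])


def check_listener(listener_path):
    """Pre-flight, run where `docker run` is typed: the runtime resolves
    listenerPath in its own mount namespace when creating the container,
    so the socket must exist *there* (inside the dind host container when
    that is where the daemon and runtime live). Returns a list of
    problems; an empty list means the path looks usable."""
    problems = []
    if not os.path.isabs(listener_path):
        problems.append("listenerPath is not absolute")
        return problems
    try:
        st = os.stat(listener_path)
    except FileNotFoundError:
        problems.append("no file at listenerPath (is the agent running here?)")
        return problems
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("listenerPath exists but is not a unix socket")
    return problems


if __name__ == "__main__":
    import json
    path = "/run/bypass4netns.sock"      # hypothetical socket path
    print(json.dumps(make_notify_profile(BASE_PROFILE, path), indent=2))
    for problem in check_listener(path):
        print("warning:", problem)
```

Usage: write the printed JSON to a file and start the user container with `--security-opt seccomp=<file>` from inside the dind host container, with the agent already listening on the socket there. Running `check_listener` first separates the two failure modes seen in the thread: if nothing is at the path the runtime cannot deliver the notify fd at all, and if something is listening but never answers notifications the container blocks on its first intercepted syscall, which looks like a hang on load.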