[docker_image_ctl.j2] Share UTS namespace with host OS#4169
liat-grozovik merged 1 commit into sonic-net:master from
Conversation
Instead of updating hostname manually on Config DB hostname change, simply share containers' UTS namespace with host OS. Ideally, instead of setting `--uts=host` for every container in SONiC, this setting can be set per container if the feature requires it. One behaviour change is introduced in this commit: when `--privileged` or `--cap-add=CAP_SYS_ADMIN` and `--uts=host` are combined, the container has privilege to change the host OS and every other container's hostname. Such privilege should be fixed by limiting containers' capabilities.

Signed-off-by: Stepan Blyschak <[email protected]>
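The description above names the one risk this change introduces: a container that shares the host's UTS namespace and also holds CAP_SYS_ADMIN can call sethostname(2) against the host. The script below is an added example, not code from sonic-buildimage, the `docker_image_ctl.j2` template or this PR. It audits a set of `docker run` flags for that combination and decodes the `CapEff` mask from `/proc/<pid>/status` so the effective capability can be confirmed from inside a running container. The function names, the simplified capability arithmetic, the flag sets and the `CapEff` sample values are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not code from sonic-buildimage or the PR): audit a set of
# `docker run` flags for the combination the PR description calls out.
# With --uts=host the container runs in the host's UTS namespace, so a
# process inside it that also holds CAP_SYS_ADMIN (from --privileged or
# --cap-add) can call sethostname(2) and rename the host and every other
# container sharing that namespace.

# Normalise a capability name: SYS_ADMIN, CAP_SYS_ADMIN and sys_admin
# all become SYS_ADMIN.
norm_cap() {
    printf '%s' "$1" | tr 'a-z' 'A-Z' | sed 's/^CAP_//'
}

# Record one --cap-add / --cap-drop value in the tracking variables
# ($1 = add|drop, $2 = capability name). POSIX sh has no locals, so the
# counters are plain shell variables initialised by the caller.
note_cap() {
    cap=$(norm_cap "$2")
    if [ "$1" = add ]; then
        case "$cap" in ALL|SYS_ADMIN) added=1 ;; esac
    else
        case "$cap" in SYS_ADMIN) dropped=1 ;; esac
    fi
}

# uts_hostname_risk FLAG... : print "risky" if the flags both share the
# host UTS namespace and grant the capability sethostname(2) needs,
# otherwise "ok". Both "--opt=value" and "--opt value" spellings are
# accepted. The capability arithmetic is a deliberate simplification of
# Docker's (an assumption of this example): --privileged grants
# everything, --cap-add=ALL or --cap-add=SYS_ADMIN grants it, and an
# explicit --cap-drop of SYS_ADMIN revokes it again.
uts_hostname_risk() {
    shares_uts=0; privileged=0; added=0; dropped=0; prev=''
    for arg in "$@"; do
        # value of a flag given as "--opt value"
        case "$prev" in
            --uts)      if [ "$arg" = host ]; then shares_uts=1; fi ;;
            --cap-add)  note_cap add "$arg" ;;
            --cap-drop) note_cap drop "$arg" ;;
        esac
        # flag given as "--opt=value" or a bare switch
        case "$arg" in
            --uts=host)   shares_uts=1 ;;
            --privileged) privileged=1 ;;
            --cap-add=*)  note_cap add "${arg#--cap-add=}" ;;
            --cap-drop=*) note_cap drop "${arg#--cap-drop=}" ;;
        esac
        prev=$arg
    done
    can_sethostname=0
    if [ "$privileged" -eq 1 ]; then
        can_sethostname=1
    elif [ "$added" -eq 1 ] && [ "$dropped" -eq 0 ]; then
        can_sethostname=1
    fi
    if [ "$shares_uts" -eq 1 ] && [ "$can_sethostname" -eq 1 ]; then
        echo risky
    else
        echo ok
    fi
}

# has_sys_admin CAPEFF_HEX : decode the CapEff field of /proc/<pid>/status
# (a 64-bit hex bitmask) and print "yes" when bit 21, CAP_SYS_ADMIN, is
# set. Run `grep CapEff /proc/self/status` inside a container to obtain
# the real value; the demo below uses constructed sample values.
has_sys_admin() {
    if [ $(( (0x$1 >> 21) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# Demo over constructed flag sets (word-splitting $flags is intended).
for flags in "--uts=host --privileged" \
             "--uts=host --cap-add=NET_ADMIN" \
             "--uts=host --cap-add=ALL --cap-drop=SYS_ADMIN"; do
    printf '%-48s %s\n' "$flags" "$(uts_hostname_risk $flags)"
done
printf 'CapEff %s -> SYS_ADMIN: %s\n' 00000000a80425fb "$(has_sys_admin 00000000a80425fb)"
printf 'CapEff %s -> SYS_ADMIN: %s\n' 000001ffffffffff "$(has_sys_admin 000001ffffffffff)"
```

The audit is only as good as the flag list it is handed, so point it at the `docker run` line the template actually renders for each container; the `CapEff` check is the ground truth, since it reports what the kernel granted after Docker's own add/drop arithmetic.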
qiluo-msft
left a comment
Thanks for this contribution!
Retest vsimage please

Thanks, @stepanblyschak! I think we could also safely cherry-pick this into the 201911 branch. Any objections?

@jleveque Sure, it should be in 201911

retest vsimage please

Retest vsimage please

retest vsimage please

retest vsimage please
Instead of updating hostname manually on Config DB hostname change, simply share containers' UTS namespace with host OS. Ideally, instead of setting `--uts=host` for every container in SONiC, this setting can be set per container if the feature requires it. One behaviour change is introduced in this commit: when `--privileged` or `--cap-add=CAP_SYS_ADMIN` and `--uts=host` are combined, the container has privilege to change the host OS and every other container's hostname. Such privilege should be fixed by limiting containers' capabilities.

Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>

Conflicts: files/build_templates/docker_image_ctl.j2
Should we also cherry-pick to 201811 branch? Are you aware of any dependencies, such as docker engine's version? |
@qiluo-msft docker engine in 201811 supports this feature. Why do we need to cherry-pick this PR into 201811? The idea behind this PR was to replace updateHostName functionality with simpler approach, but 201811 does not update hostname inside containers. |
I notice this PR could not directly cherry-pick, so submit a new one #4219. |
@jleveque , based on Qi's last comment, is this PR still needed in 201911? If so, please remove the label and please confirm. Thanks. |
@rlhui: Qi's comment is regarding the 201811 branch. This PR still needs to be cherry-picked into 201911. |