[docker_image_ctl.j2] Share UTS namespace with host OS (#4169)#4219
Closed
qiluo-msft wants to merge 1 commit intosonic-net:201811from
Closed
[docker_image_ctl.j2] Share UTS namespace with host OS (#4169)#4219qiluo-msft wants to merge 1 commit intosonic-net:201811from
qiluo-msft wants to merge 1 commit intosonic-net:201811from
Conversation
Instead of updating hostname manualy on Config DB hostname change, simply share containers UTS namespace with host OS. Ideally, instead of setting `--uts=host` for every container in SONiC, this setting can be set per container if feature requires. One behaviour change is introduced in this commit, when `--privileged` or `--cap-add=CAP_SYS_ADMIN` and `--uts=host` are combined, container has privilege to change host OS and every other container hostname. Such privilege should be fixed by limiting containers capabilities. Signed-off-by: Stepan Blyschak <[email protected]>
jleveque
reviewed
Mar 4, 2020
| # TODO: Mellanox will remove the --tmpfs exception after SDK socket path changed in new SDK version | ||
| {%- endif %} | ||
| docker create {{docker_image_run_opt}} \ | ||
| --uts=host \{# W/A: this should be set per-docker, for those dockers which really need host's UTS namespace #} |
Contributor
There was a problem hiding this comment.
Can you think of an instance where we would not want to share the host's UTS namespace?
Collaborator
Author
There was a problem hiding this comment.
I cannot 😄
This is a modified cherry-pick following master branch.
In reply to: 387377484 [](ancestors = 387377484)
Contributor
There was a problem hiding this comment.
😄 Then maybe add a "maybe" to the beginning of the comment?
Collaborator
There was a problem hiding this comment.
@jleveque @qiluo-msft I think swss, syncd, pmon don't need to care about the hostname, if they do IMO it looks like a design mistake. The idea behind docker containers is isolation, why do we need docker containers at all if we want to share and map inside container almost everything?
Besides, --priviledge + --uts=host will give container priviledges to change host OS hostname.
The only containers I know which need host's hostname inside container are snmp and dhcp_relay but it doesn't look like they need --priviledge option or do they?
I would like to keep this comment and revise containers isolation in sonic in general in the future.
stepanblyschak
approved these changes
Mar 4, 2020
Collaborator
|
why do we need this in 201811? |
Collaborator
Author
|
Closed since we already fixed it in #4241 and this PR is not needed. |
mssonicbld
added a commit
that referenced
this pull request
Feb 25, 2026
…lly (#25637) #### Why I did it src/sonic-swss ``` * dbe0768e - (HEAD -> master, origin/master, origin/HEAD) Fix the "Invalid BUFFER QUEUE" error (#4224) (6 hours ago) [saksarav-nokia] * d29d7ea1 - This patch is to fix a major bug in the for loop of the function AclRange::remove. (#4256) (9 hours ago) [ashishalok-arista] * 35288a65 - Fix performance issue in fpmsyncd for non-ZMQ configuration (#4219) (9 hours ago) [venkit-nexthop] * 1c384fb6 - Merge pull request #4022 from ksravani-hcl/swss_1 (12 hours ago) [StephenWangGoogle] |\ | failure_prs.log skip_prs.log 36d98d61 - Enable response pipeline for P4Orch. (22 hours ago) [mint570] |/ * 63860664 - [build] Add docker-based build environment (#3715) (22 hours ago) [Lawrence Lee] * 26ec7561 - [buffermgrd] Wait for lossless buffer profile to be applied to SAI (#4154) (23 hours ago) [ganglv] * 599eae77 - [tunnel] use warning message when setting a create-only attribute (#4212) (27 hours ago) [Yakiv Huryk] * ebf8c73f - [orchagent] Fix getopt string for -R option (ring_thread_enabled regression) (#4207) (27 hours ago) [Chiranjeevi U - MapleLabs] * aa081017 - Avoid using an uninitialized source MAC address (#4201) (28 hours ago) [Andriy Yurkiv] * 2a258c2 - Added mux neighbor_mode support with prefix-route (#4152) (31 hours ago) [manamand2020] * 9616cd52 - [ci] Install redis from Debian (#4241) (34 hours ago) [Saikrishna Arcot] ``` #### How I did it #### How to verify it #### Description for the changelog
FengPan-Frank
pushed a commit
to FengPan-Frank/sonic-buildimage
that referenced
this pull request
Mar 6, 2026
…lly (sonic-net#25637) #### Why I did it src/sonic-swss ``` * dbe0768e - (HEAD -> master, origin/master, origin/HEAD) Fix the "Invalid BUFFER QUEUE" error (sonic-net#4224) (6 hours ago) [saksarav-nokia] * d29d7ea1 - This patch is to fix a major bug in the for loop of the function AclRange::remove. (sonic-net#4256) (9 hours ago) [ashishalok-arista] * 35288a65 - Fix performance issue in fpmsyncd for non-ZMQ configuration (sonic-net#4219) (9 hours ago) [venkit-nexthop] * 1c384fb6 - Merge pull request sonic-net#4022 from ksravani-hcl/swss_1 (12 hours ago) [StephenWangGoogle] |\ | failure_prs.log skip_prs.log 36d98d61 - Enable response pipeline for P4Orch. (22 hours ago) [mint570] |/ * 63860664 - [build] Add docker-based build environment (sonic-net#3715) (22 hours ago) [Lawrence Lee] * 26ec7561 - [buffermgrd] Wait for lossless buffer profile to be applied to SAI (sonic-net#4154) (23 hours ago) [ganglv] * 599eae77 - [tunnel] use warning message when setting a create-only attribute (sonic-net#4212) (27 hours ago) [Yakiv Huryk] * ebf8c73f - [orchagent] Fix getopt string for -R option (ring_thread_enabled regression) (sonic-net#4207) (27 hours ago) [Chiranjeevi U - MapleLabs] * aa081017 - Avoid using an uninitialized source MAC address (sonic-net#4201) (28 hours ago) [Andriy Yurkiv] * 2a258c2 - Added mux neighbor_mode support with prefix-route (sonic-net#4152) (31 hours ago) [manamand2020] * 9616cd52 - [ci] Install redis from Debian (sonic-net#4241) (34 hours ago) [Saikrishna Arcot] ``` #### How I did it #### How to verify it #### Description for the changelog Signed-off-by: Feng Pan <[email protected]>
mssonicbld
added a commit
that referenced
this pull request
Mar 13, 2026
…atically (#25254) #### Why I did it src/sonic-utilities ``` * 20a7131b - (HEAD -> master, origin/master, origin/HEAD) clear: make --namespace optional for arp and ndp commands (#4355) (5 minutes ago) [Oleksandr Ivantsiv] * f56e4a78 - show version: replace --verbose with --brief flag (#4350) (20 hours ago) [Ashwin Srinivasan] * 5e50cf3d - Wait for monit monitor <service> operation to complete during config (#4295) (23 hours ago) [Hemanth Kumar Tirupati] * 0306ea20 - Change sensorshow conn to use TCP socket (#4343) (2 days ago) [Chenyang Wang] * cb5b3e82 - Fix route_check.py redis client memory usage (#4217) (2 days ago) [Roee Bar] * e93a5c3c - config: allow golden config to override mac, platform, asic_id (#4348) (2 days ago) [securely1g] * 0024c8d4 - Add non -B- hwsku names as well (#4331) (2 days ago) [dakotac-arista] * eb7301cc - Fix unit tests (#4345) (3 days ago) [william8545] * 052199c0 - [Arista] Add Arista-7050CX3-32C-C28S4 to generic_config_updater (#4257) (4 days ago) [byu343] * ed68290a - Add multi-ASIC namespace support for show/config subinterface(s) command (#4298) (4 days ago) [william8545] * 9c9f099d - New CLI proposal for PHY diagnostics (#4214) (4 days ago) [Prince George] * 9e3373df - Fix generate_dump to preserve per-ASIC subdirectory structure for sdk_dbg collection (#4334) (4 days ago) [william8545] * 3fe8972f - Add multi-ASIC namespace support for ARP/NDP show and clear commands (#4231) (4 days ago) [Oleksandr Ivantsiv] * be5fe2aa - Add multi-ASIC namespace support for VLAN and FDB operations (#4230) (4 days ago) [Oleksandr Ivantsiv] * e74fca78 - Add multi-ASIC namespace support for static route commands (#4269) (4 days ago) [Oleksandr Ivantsiv] * 599e7c71 - Add multi-ASIC namespace support for ACL table add/remove commands (#4270) (4 days ago) [Oleksandr Ivantsiv] * d09d6cd6 - Add CLI support for "show interfaces <intf> <phy-signal/phy-serdes>" commands (#4312) (4 days ago) [prajjwal-arista] * 345f5686 - Add multi-asic namespace support for IPv6 link-local commands (#4289) (4 days ago) [william8545] * edd4b190 - Add multi-asic namespace support for crm show resources command (#4290) (4 days ago) [william8545] * 2b52a051 - [multi-asic] Add namespace support for vxlan and vnet show/config commands (#4299) (4 days ago) [william8545] * 03160905 - [fast-reboot][cosmetic] Fixed debug/error prints with the correct reboot type (#4285) (4 days ago) [Yair Raviv] * 6eedf8a7 - [warm-reboot][multi-asic] Added error-handling for faulty ASIC/s after orchagent freeze (#4297) (4 days ago) [Yair Raviv] * 2330bab5 - [BMC] Add new BMC CLIs for manual session management and reset root password (#4238) (4 days ago) [Ben Levi] * 4d0cc933 - Fix issue: pmon services's restart count is not cleared during config reload (#4314) (4 days ago) [Stephen Sun] * 0a1bbc55 - Fix the generate_dump for BCM Asic Q3D (#4326) (6 days ago) [saksarav-nokia] * 1580ccce - GCU generates suboptimal plan for CreateOnly paths (#4335) (6 days ago) [Brad House - Nexthop] * 369e703e - GCU: Add path tracing support (#4317) (7 days ago) [Brad House - Nexthop] * bc05e1a4 - [GCU]: Restart telemetry container on port speed change via GCU to handle OID update (#4248) (7 days ago) [Xincun Li] * 73f1ea51 - Fix warning messages due to nose test deprecation (#4322) (8 days ago) [Brad House - Nexthop] * ebfefbd8 - [Arista] Add TH5 HWSKU to list for pfcwd support (#4329) (8 days ago) [dakotac-arista] * 0d969b85 - [DPU] Add support for HA Set Counters (#4283) (8 days ago) [Connor Roos] * 44f8c37b - [DPU] Add CLI to trigger and dump flows (#4278) (8 days ago) [Vivek] * 76bf567e - [show interfaces] "show interfaces flap" command does not support multi-ASIC platforms (#4316) (9 days ago) [pnakka28] * 2ec21e19 - Limit PFC WD Detection time to maximum value of 1000ms (#4306) (9 days ago) [Hemanth Kumar Tirupati] * 99b1b76a - Modified dualtor_neighbor_check to use mux neighbor_mode (#4227) (10 days ago) [manamand2020] * 5dfd11ed - Fix 'show version' KeyError when sonic_version.yml has missing fields (#4324) (10 days ago) [securely1g] * 4c77f9d4 - fix: skip PORT_INGRESS/EGRESS_MIRROR_CAPABLE check for ERSPAN mirror sessions (#4323) (11 days ago) [bingwang-ms] * d8d2a39e - fix scapy delayed import when we have large routes (#4315) (11 days ago) [Hemanth Kumar Tirupati] * c6601cda - [LACP retry-count] Syntax Fix for Trixie (#4274) (11 days ago) [Yair Raviv] * f54d0a7c - Add fsync to config save to persist config across power cycle (#4313) (11 days ago) [Jianyue Wu] * e5f77f61 - Fix unit test assertions broken by spelling typo PRs (#4321) (13 days ago) [rustiqly] * 7660b19f - Fix spelling typos in muxcable modules (#4259) (2 weeks ago) [rustiqly] * f7d820f3 - Fix spelling typos in config/main.py (#4261) (2 weeks ago) [rustiqly] * 244942bd - Fix spelling typos in scripts/ (#4262) (2 weeks ago) [rustiqly] * 89001b10 - Fix spelling typos in show/ and clear/ modules (#4263) (2 weeks ago) [rustiqly] * d6e646c2 - Fix spelling typos in config/config_mgmt.py (#4260) (2 weeks ago) [rustiqly] * e244129c - Fix spelling typos in config/nat.py (#4258) (2 weeks ago) [rustiqly] * 5a0c48f0 - In route_check.py, Convey the IJSON Backend using an env variable (#4294) (2 weeks ago) [venkit-nexthop] * e2712fc1 - Fix spelling typos across utilities_common, config plugins, and misc modules (#4264) (2 weeks ago) [rustiqly] * 4211edee - Fixed show vxlan remotemac ambiguity (#4121) (2 weeks ago) [Gnanapriya [Marvell]] * cfd23f97 - Add FEC histograms to generate_dump output (#4244) (2 weeks ago) [Fraser Gordon] * 8882a633 - [storm-control] Fixed show storm-control interface command display (#4122) (2 weeks ago) [Gnanapriya [Marvell]] * 7a1e656e - [fibshow]: Fix exception when blackhole routes are present (#4189) (2 weeks ago) [Ravi Minnikanti(Marvell)] * 2b3f14de - [marvell-teralynx] Enhance techsupport to include HWSKU configs (#4161) (3 weeks ago) [Naveen-Rampuram] * 9cb7b3e6 - Merge pull request #4275 from tirupatihemanth/fix_scapy_lagkeepalive (3 weeks ago) [Ying Xie] |\ | failure_prs.log skip_prs.log 7e54ddff - Fix delayed scapy import when we have a lot of routes (3 weeks ago) [Hemanth Kumar Tirupati] * | cbb31f0d - [multi-asic] fix utilities_common Db helper (#4273) (3 weeks ago) [Yakiv Huryk] * | f65ddfa2 - Prevent early exit of reboot status (#4282) (3 weeks ago) [Gagan Punathil Ellath] * | 14840074 - [fast-reboot] Remove teamsyncd timer override by fast-boot (#4233) (3 weeks ago) [Yair Raviv] * | a3085380 - [lag_keepalive] add `--namespace` option (#4194) (4 weeks ago) [Yair Raviv] * | abc8bba1 - [teamd_retry_count] Add support for --namespace parameter (#4195) (4 weeks ago) [Yair Raviv] * | c05d995c - [warm/fast-reboot] check per-ASIC FW upgrade status (#4196) (4 weeks ago) [Yair Raviv] * | 433d01c1 - [check_db_integrity] Add NETNS environment (#4197) (4 weeks ago) [Yair Raviv] * | 441595c7 - [centralize_database] Add --namespace option (#4198) (4 weeks ago) [Yair Raviv] * | 0f3b5291 - [multi-asic][warm-reboot] Support warm-reboot on Multi-ASIC systems (#4199) (4 weeks ago) [Yair Raviv] * | 28623ca9 - [multi-asic][warm_restart] add Multi-ASIC support for warm_restart commands (#4200) (4 weeks ago) [Yair Raviv] * | 3cd228af - Add filesystem sync after plugin installation (#4251) (4 weeks ago) [Jianyue Wu] * | 1d78c210 - Add .github/copilot-instructions.md for AI-assisted development (#4271) (4 weeks ago) [rustiqly] * | 7895da57 - Fix dump port state CLI command crash on multi-asic platforms (#4229) (4 weeks ago) [Setu Patel] |/ * bcb1d4bb - Clearing /tmp/tmp* is unsafe with parallel builds (#4268) (4 weeks ago) [Brad House - NextHop] * 8103627e - Fix sonic-utilities submodule update failure due to ijson library (#4256) (4 weeks ago) [venkit-nexthop] * 85becedc - [Mellanox] Add restricted sysfs to fw control list (#4240) (4 weeks ago) [Noa Or] * 275bdc6c - Add multi-asic support for sonic-clear queue wredcounters and counter poll , --nonzero support for show queue wredcounters (#4152) (5 weeks ago) [saksarav-nokia] * fbc85ee4 - Fix j2 files not getting packaged (#4250) (5 weeks ago) [Saikrishna Arcot] * a9543cba - Fix route_check.py to not hog a lot of memory (#4205) (5 weeks ago) [venkit-nexthop] * 40260d5b - Fix JsonMove._get_value to Support Both String and Integer List Indices (#4237) (5 weeks ago) [Xincun Li] * 0a3ef184 - refactor: enhance show bfd summary command (#4242) (5 weeks ago) [Chenyang Wang] * 7c6dfdc2 - Update the error message for sfputil debug loopback command (#4224) (5 weeks ago) [Ariz Zubair] * f246da25 - [Fast-linkup] Added CLIs for config/show (#4182) (6 weeks ago) [Yair Raviv] * 87703c1 - Use Singleton PlatformDataProvider to reduce module import time (#4183) (6 weeks ago) [Hemanth Kumar Tirupati] * 0dae5f2 - [sfputil] Fix issue: should not do low power mode or reset for non-present ports (#4206) (6 weeks ago) [Junchao-Mellanox] * 5f56518 - generate_dump: add interface FEC stats (#4093) (6 weeks ago) [Fraser Gordon] * 2e9e81c - [GCU] Update WRED_PROFILE and BUFFER_POOL validators for GCU (#4219) (6 weeks ago) [Dev Ojha] * 2350203 - Update bash completions for sonic-utilities commands (#4163) (6 weeks ago) [Saikrishna Arcot] * 5052e02 - Fix the PSU show command error message on platform without psu at all (#4151) (6 weeks ago) [Yuanzhe] * 7d9ec5d - Fix issue that namespace is not correctly fetched in Multi ASIC environment for mirror capability checking (#4159) (6 weeks ago) [Stephen Sun] * f473b4f - Fix multi asic initialization for dump command (#4108) (6 weeks ago) [Gagan Punathil Ellath] * 0f45e43 - Add current and configured frequency to DOM CLI (#4209) (7 weeks ago) [Ariz Zubair] * 6f0b181 - Added counterpoll CLI support (#4106) (7 weeks ago) [Dhanasekar Rathinavel] * 3d5bef9 - [multi-asic][Mellanox] Add multi-ASIC support for generate_dump and update FW upgrade script (#4192) (7 weeks ago) [Oleksandr Ivantsiv] * 8451f01 - sonic-utilities: Support for clearing aggregate VOQ counters(#2001) (#4044) (8 weeks ago) [manish1-arista] * 21f013f - Add q3d SKUs to gcu_field_operation_validators.conf.json (#4201) (8 weeks ago) [HP] * 1a15091 - Fix multi asic connection creation (#4109) (8 weeks ago) [Gagan Punathil Ellath] ``` #### How I did it #### How to verify it #### Description for the changelog
dprital
pushed a commit
that referenced
this pull request
Mar 19, 2026
…lly (#25637) #### Why I did it src/sonic-swss ``` * dbe0768e - (HEAD -> master, origin/master, origin/HEAD) Fix the "Invalid BUFFER QUEUE" error (#4224) (6 hours ago) [saksarav-nokia] * d29d7ea1 - This patch is to fix a major bug in the for loop of the function AclRange::remove. (#4256) (9 hours ago) [ashishalok-arista] * 35288a65 - Fix performance issue in fpmsyncd for non-ZMQ configuration (#4219) (9 hours ago) [venkit-nexthop] * 1c384fb6 - Merge pull request #4022 from ksravani-hcl/swss_1 (12 hours ago) [StephenWangGoogle] |\ | failure_prs.log skip_prs.log 36d98d61 - Enable response pipeline for P4Orch. (22 hours ago) [mint570] |/ * 63860664 - [build] Add docker-based build environment (#3715) (22 hours ago) [Lawrence Lee] * 26ec7561 - [buffermgrd] Wait for lossless buffer profile to be applied to SAI (#4154) (23 hours ago) [ganglv] * 599eae77 - [tunnel] use warning message when setting a create-only attribute (#4212) (27 hours ago) [Yakiv Huryk] * ebf8c73f - [orchagent] Fix getopt string for -R option (ring_thread_enabled regression) (#4207) (27 hours ago) [Chiranjeevi U - MapleLabs] * aa081017 - Avoid using an uninitialized source MAC address (#4201) (28 hours ago) [Andriy Yurkiv] * 2a258c2 - Added mux neighbor_mode support with prefix-route (#4152) (31 hours ago) [manamand2020] * 9616cd52 - [ci] Install redis from Debian (#4241) (34 hours ago) [Saikrishna Arcot] ``` #### How I did it #### How to verify it #### Description for the changelog Signed-off-by: dprital <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Instead of updating hostname manualy on Config DB hostname change,
simply share containers UTS namespace with host OS.
Ideally, instead of setting
--uts=hostfor every container in SONiC,this setting can be set per container if feature requires.
One behaviour change is introduced in this commit, when
--privilegedor
--cap-add=CAP_SYS_ADMINand--uts=hostare combined, containerhas privilege to change host OS and every other container hostname.
Such privilege should be fixed by limiting containers capabilities.
Signed-off-by: Stepan Blyschak [email protected]
- What I did
- How I did it
- How to verify it
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)