
Would there be a way to get runC to start a container without restricting its network access? After reading a little about cgroups, I imagine it would be technically possible, but I'm not sure how, or if, runC would expose this option (or perhaps some other piece of the container running environment if not runC). When using containers for encapsulating development environments, it's a frequent use case to not require multiple instances of the container, and being able to interact with it using localhost would be useful.

Thanks, Brent

  • The network stuff is not about cgroups, it is about namespaces. Playing with Docker with `runc` as a runtime shows that you can configure `runc` to use the host network namespace using something like `"namespaces": [{"type": "network", "path": "/var/run/docker/netns/default"}]` in your bundle's `config.json`, where `/var/run/docker/netns/default` is a bind-mount of a namespace file for the root network namespace (e.g. `/proc/1/ns/net`). That said, you could try the same (I have no time for testing right now); this seems to be enough to make `runc` use the host network namespace. – Danila Kiver Apr 12 '20 at 23:57
  • This is what [the spec says](https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#namespaces): you can either specify an optional `path` to a namespace file or even make the runtime inherit the namespace implicitly by omitting it in your `config.json`. – Danila Kiver Apr 13 '20 at 00:02
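The two comments above describe the two ways the OCI runtime spec lets a bundle end up in the host's network namespace: drop the `network` entry from `linux.namespaces` so the container inherits the runtime's namespace, or keep the entry and point its `path` at an existing namespace file such as `/proc/1/ns/net`. The script below is an added example, not code from the question or from the runc project: it rewrites a `runc spec`-style `config.json` either way and classifies what a given bundle does, which is also the check you would run before trusting a bundle that claims to be isolated. The sample config and the function names are constructed for the example.

```python
#!/usr/bin/env python3
"""Rewrite or inspect the network-namespace setting of a runc bundle config.

Assumptions (not from the page): the bundle's config.json follows the OCI
runtime spec layout that `runc spec` generates, i.e. the namespace list lives
at linux.namespaces as objects of the form {"type": ..., "path": ...}.
"""
import copy
import json
import sys
from typing import Optional

# Constructed sample: a trimmed-down config of the shape `runc spec` produces.
# Its "network" entry has no "path", so runc creates a fresh, isolated netns.
SAMPLE_CONFIG = {
    "ociVersion": "1.0.2",
    "process": {"args": ["sh"], "cwd": "/"},
    "root": {"path": "rootfs", "readonly": True},
    "linux": {
        "namespaces": [
            {"type": "pid"},
            {"type": "network"},
            {"type": "ipc"},
            {"type": "uts"},
            {"type": "mount"},
        ]
    },
}


def network_mode(config: dict) -> str:
    """Classify how the bundle handles the network namespace.

    Per the OCI runtime spec: an entry without "path" means a new private
    namespace, an entry with "path" joins that existing namespace, and no
    entry at all means the container inherits the runtime's (caller's)
    namespace. Returns "private", "inherit" or "join:<path>".
    """
    entries = [
        ns for ns in config.get("linux", {}).get("namespaces", [])
        if ns.get("type") == "network"
    ]
    if len(entries) > 1:
        # The spec allows at most one entry per namespace type.
        raise ValueError("config.json lists the network namespace more than once")
    if not entries:
        return "inherit"
    path = entries[0].get("path")
    return "private" if not path else f"join:{path}"


def share_host_network(config: dict, host_netns_path: Optional[str] = None) -> dict:
    """Return a copy of config whose container shares the host's network.

    With host_netns_path=None the "network" entry is removed, so the container
    inherits whatever namespace runc itself runs in (the host's, when you start
    it from a normal shell). With a path such as "/proc/1/ns/net" the entry is
    kept and made to join that namespace file explicitly.
    """
    cfg = copy.deepcopy(config)  # never mutate the caller's dict
    linux = cfg.setdefault("linux", {})
    others = [ns for ns in linux.get("namespaces", []) if ns.get("type") != "network"]
    if host_netns_path is not None:
        others.append({"type": "network", "path": host_netns_path})
    linux["namespaces"] = others
    return cfg


def rewrite_bundle(config_path: str, host_netns_path: Optional[str] = None) -> str:
    """Rewrite config.json in place and return the resulting network mode."""
    with open(config_path) as fh:
        cfg = json.load(fh)
    new_cfg = share_host_network(cfg, host_netns_path)
    with open(config_path, "w") as fh:
        json.dump(new_cfg, fh, indent=2)
    return network_mode(new_cfg)


if __name__ == "__main__":
    # Usage: netns_bundle.py BUNDLE/config.json [/proc/1/ns/net]
    if len(sys.argv) not in (2, 3):
        sys.exit("usage: netns_bundle.py CONFIG_JSON [HOST_NETNS_PATH]")
    path_arg = sys.argv[2] if len(sys.argv) == 3 else None
    print("network mode is now:", rewrite_bundle(sys.argv[1], path_arg))
```

Either form removes network isolation entirely: processes in the bundle can bind host ports and reach anything listening on the host's loopback interface, including services that treat a localhost connection as trusted, so use it only for the single-developer sandbox case the question describes and leave `network_mode()` reporting `private` for anything that is meant to be isolated. Joining by `path` also requires that runc can open the namespace file, which for `/proc/1/ns/net` means running as root.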
