fix: add wrap with detach net ns

Signed-off-by: Alessio Greggi <[email protected]>
containerd · Mar 5, 2024 · f59d981 · f59d981
1 parent 7cbdedd
commit f59d981
Showing 1 changed file with 57 additions and 54 deletions.
diff --git a/pkg/cmd/container/kill.go b/pkg/cmd/container/kill.go
@@ -36,6 +36,7 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/netutil"
 	"github.com/containerd/nerdctl/v2/pkg/netutil/nettype"
 	"github.com/containerd/nerdctl/v2/pkg/portutil"
+	"github.com/containerd/nerdctl/v2/pkg/rootlessutil"
 	"github.com/moby/sys/signal"
 )
 
@@ -118,72 +119,74 @@ func killContainer(ctx context.Context, container containerd.Container, signal s
 
 // cleanupNetwork removes cni network setup, specifically the forwards
 func cleanupNetwork(ctx context.Context, container containerd.Container, globalOpts types.GlobalCommandOptions) error {
-	// retrieve info to get current active port mappings
-	info, err := container.Info(ctx, containerd.WithoutRefreshedMetadata)
-	if err != nil {
-		return err
-	}
-	ports, portErr := portutil.ParsePortsLabel(info.Labels)
-	if portErr != nil {
-		return fmt.Errorf("no oci spec: %q", portErr)
-	}
-	portMappings := []gocni.NamespaceOpts{
-		gocni.WithCapabilityPortMap(ports),
-	}
-
-	// retrieve info to get cni instance
-	spec, err := container.Spec(ctx)
-	if err != nil {
-		return err
-	}
-	networksJSON := spec.Annotations[labels.Networks]
-	var networks []string
-	if err := json.Unmarshal([]byte(networksJSON), &networks); err != nil {
-		return err
-	}
-	netType, err := nettype.Detect(networks)
-	if err != nil {
-		return err
-	}
-
-	switch netType {
-	case nettype.Host, nettype.None, nettype.Container:
-		// NOP
-	case nettype.CNI:
-		e, err := netutil.NewCNIEnv(globalOpts.CNIPath, globalOpts.CNINetConfPath, netutil.WithDefaultNetwork())
+	return rootlessutil.WithDetachedNetNSIfAny(func() error {
+		// retrieve info to get current active port mappings
+		info, err := container.Info(ctx, containerd.WithoutRefreshedMetadata)
 		if err != nil {
 			return err
 		}
-		cniOpts := []gocni.Opt{
-			gocni.WithPluginDir([]string{globalOpts.CNIPath}),
+		ports, portErr := portutil.ParsePortsLabel(info.Labels)
+		if portErr != nil {
+			return fmt.Errorf("no oci spec: %q", portErr)
+		}
+		portMappings := []gocni.NamespaceOpts{
+			gocni.WithCapabilityPortMap(ports),
 		}
-		netMap, err := e.NetworkMap()
+
+		// retrieve info to get cni instance
+		spec, err := container.Spec(ctx)
 		if err != nil {
 			return err
 		}
-		for _, netstr := range networks {
-			net, ok := netMap[netstr]
-			if !ok {
-				return fmt.Errorf("no such network: %q", netstr)
-			}
-			cniOpts = append(cniOpts, gocni.WithConfListBytes(net.Bytes))
+		networksJSON := spec.Annotations[labels.Networks]
+		var networks []string
+		if err := json.Unmarshal([]byte(networksJSON), &networks); err != nil {
+			return err
 		}
-		cni, err := gocni.New(cniOpts...)
+		netType, err := nettype.Detect(networks)
 		if err != nil {
 			return err
 		}
 
-		var namespaceOpts []gocni.NamespaceOpts
-		namespaceOpts = append(namespaceOpts, portMappings...)
-		namespace := spec.Annotations[labels.Namespace]
-		fullID := namespace + "-" + container.ID()
-		if err := cni.Remove(ctx, fullID, "", namespaceOpts...); err != nil {
-			log.L.WithError(err).Errorf("failed to call cni.Remove")
-			return err
+		switch netType {
+		case nettype.Host, nettype.None, nettype.Container:
+			// NOP
+		case nettype.CNI:
+			e, err := netutil.NewCNIEnv(globalOpts.CNIPath, globalOpts.CNINetConfPath, netutil.WithDefaultNetwork())
+			if err != nil {
+				return err
+			}
+			cniOpts := []gocni.Opt{
+				gocni.WithPluginDir([]string{globalOpts.CNIPath}),
+			}
+			netMap, err := e.NetworkMap()
+			if err != nil {
+				return err
+			}
+			for _, netstr := range networks {
+				net, ok := netMap[netstr]
+				if !ok {
+					return fmt.Errorf("no such network: %q", netstr)
+				}
+				cniOpts = append(cniOpts, gocni.WithConfListBytes(net.Bytes))
+			}
+			cni, err := gocni.New(cniOpts...)
+			if err != nil {
+				return err
+			}
+
+			var namespaceOpts []gocni.NamespaceOpts
+			namespaceOpts = append(namespaceOpts, portMappings...)
+			namespace := spec.Annotations[labels.Namespace]
+			fullID := namespace + "-" + container.ID()
+			if err := cni.Remove(ctx, fullID, "", namespaceOpts...); err != nil {
+				log.L.WithError(err).Errorf("failed to call cni.Remove")
+				return err
+			}
+			return nil
+		default:
+			return fmt.Errorf("unexpected network type %v", netType)
 		}
 		return nil
-	default:
-		return fmt.Errorf("unexpected network type %v", netType)
-	}
-	return nil
+	})
 }