Prefer bubblewrap for network isolation #473
Conversation
There was a problem hiding this comment.
This looks OK for now. We should consider if this should be configurable by the user somehow, but this at least lets us move forward.
Edit: nvm. I tested it and it seems to work -- see comments below about adding --privileged to docker and fixing the --unshare-net option.
|
Let's try this and see if it works better. OOC do you test if it solved the MPI issue in a container? |
Bubblewrap is another tool for unsharing namespaces. It sets up a network namespace with a disconnected loopback. Fixes: python-wheel-build#472 Signed-off-by: Christian Heimes <[email protected]>
$ bwrap --unshare-net --dev-bind / / -- /usr/lib64/openmpi/bin/mpicc -showme:compile
-I/usr/include/openmpi-x86_64
$ unshare -rn -- /usr/lib64/openmpi/bin/mpicc -showme:compile
[hostname:1498104] opal_ifinit: unable to find network interfaces.
-I/usr/include/openmpi-x86_64 |
| if sys.platform == "linux": | ||
| NETWORK_ISOLATION = ["unshare", "--net", "--map-current-user"] | ||
| NETWORK_ISOLATION = [ | ||
| ["bwrap", "--unshare-network", "--dev-bind", "/", "/", "--"], |
There was a problem hiding this comment.
--unshare-network doesn't appear to be valid? Is this supposed to be --unshare-net ?
There was a problem hiding this comment.
FYI: this needs docker to specify --privileged in builder's bin/boostrap.sh o/w you get an error
bwrap: Creating new namespace failed: Operation not permitted
|
|
Bubblewrap is another tool for unsharing namespaces. It sets up a network namespace with a disconnected loopback.
Fixes: #472