executor: run exec commands in netns if set

2026-01-06 10:25:42 +03:00 · 2019-09-30 11:50:22 -04:00
parent c36fe98198
commit 2f16eb9640
5 changed files with 32 additions and 28 deletions
--- a/drivers/shared/executor/executor_linux.go
+++ b/drivers/shared/executor/executor_linux.go
@@ -15,7 +15,6 @@ import (
 	"time"

 	"github.com/armon/circbuf"
-	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/hashicorp/consul-template/signals"
 	hclog "github.com/hashicorp/go-hclog"
 	multierror "github.com/hashicorp/go-multierror"
@@ -184,23 +183,9 @@ func (l *LibcontainerExecutor) Launch(command *ExecCommand) (*ProcessState, erro
 	l.systemCpuStats = stats.NewCpuStats()

 	// Starts the task
-	if command.NetworkIsolation != nil && command.NetworkIsolation.Path != "" {
-		netns, err := ns.GetNS(command.NetworkIsolation.Path)
-		if err != nil {
-			return nil, fmt.Errorf("failed to get ns %s: %v", command.NetworkIsolation.Path, err)
-		}
-
-		// Start the container in the network namespace
-		err = netns.Do(func(ns.NetNS) error { return container.Run(process) })
-		if err != nil {
-			container.Destroy()
-			return nil, err
-		}
-	} else {
-		if err := container.Run(process); err != nil {
-			container.Destroy()
-			return nil, err
-		}
+	if err := container.Run(process); err != nil {
+		container.Destroy()
+		return nil, err
 	}

 	pid, err := process.Pid()
@@ -622,6 +607,13 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 		{Type: lconfigs.NEWNS},
 	}

+	if command.NetworkIsolation != nil {
+		cfg.Namespaces = append(cfg.Namespaces, lconfigs.Namespace{
+			Type: lconfigs.NEWNET,
+			Path: command.NetworkIsolation.Path,
+		})
+	}
+
 	// paths to mask using a bind mount to /dev/null to prevent reading
 	cfg.MaskPaths = []string{
 		"/proc/kcore",