OCPBUGS-83562: telco-ran: Pre-create /run/netns bindmount so it propagates to the container-mount-namespace #762
📝 Walkthrough
Adds an ExecStartPost to container-mount-namespace.service (template, master, worker, and kube-compare variants) that creates then deletes a temporary network namespace (
Changes
Container mount-namespace service updates
@lack: This pull request references Jira Issue OCPBUGS-83562, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@telco-ran/configuration/extra-manifests-builder/01-container-mount-ns-and-kubelet-conf/container-mount-namespace.service`:
- Around line 22-23: The ExecStartPost command currently uses "mount
--make-shared" but should use recursive shared propagation to match ip netns add
behavior; update the second ExecStartPost line (the bash -c that checks
mountpoint /run/netns and performs mount --bind /run/netns /run/netns && mount
--make-shared /run/netns ...) to use mount --make-rshared /run/netns instead of
--make-shared so the MS_SHARED|MS_REC semantics are applied.
📒 Files selected for processing (3)
- telco-ran/configuration/extra-manifests-builder/01-container-mount-ns-and-kubelet-conf/container-mount-namespace.service
- telco-ran/configuration/source-crs/extra-manifest/01-container-mount-ns-and-kubelet-conf-master.yaml
- telco-ran/configuration/source-crs/extra-manifest/01-container-mount-ns-and-kubelet-conf-worker.yaml
ccbf6d5 to d466297
Actionable comments posted: 1
Inline comments:
In
`@telco-ran/configuration/source-crs/extra-manifest/01-container-mount-ns-and-kubelet-conf-master.yaml`:
- Line 48: The ExecStartPost command currently does an unconditional umount
/run/netns on error which can unmount a mount created by another actor; change
the shell logic so you only unmount if your own bind mount actually succeeded.
Concretely, update the ExecStartPost line (the bash -c invoking mount --rbind
/run/netns && mount --make-rshared /run/netns) to atomically detect success
(e.g., capture the exit status of mount --rbind, or check for a mount entry you
just created with findmnt/mountpoint) and perform umount /run/netns only when
that check confirms the bind was created by this command; do not perform an
unconditional umount in the failure branch.
🚧 Files skipped from review as they are similar to previous changes (2)
- telco-ran/configuration/extra-manifests-builder/01-container-mount-ns-and-kubelet-conf/container-mount-namespace.service
- telco-ran/configuration/source-crs/extra-manifest/01-container-mount-ns-and-kubelet-conf-worker.yaml
@lack: This pull request references Jira Issue OCPBUGS-83562, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
92332bd to de264ab
Actionable comments posted: 1
Inline comments:
In
`@telco-ran/configuration/extra-manifests-builder/01-container-mount-ns-and-kubelet-conf/container-mount-namespace.service`:
- Line 23: Change the ExecStartPost command so it succeeds if /run/netns is
already a mountpoint instead of failing when the temporary namespace exists;
replace the current ExecStartPost (which runs "ip netns add kubensmnt && ip
netns delete kubensmnt") with a guard that checks mountpoint -q /run/netns and
only performs the add/delete when needed, e.g. use ExecStartPost=bash -c
'mountpoint -q /run/netns || { ip netns add kubensmnt && ip netns delete
kubensmnt; }' (apply the same change to the other four matching locations).
📒 Files selected for processing (5)
- telco-ran/configuration/extra-manifests-builder/01-container-mount-ns-and-kubelet-conf/container-mount-namespace.service
- telco-ran/configuration/kube-compare-reference/machine-config/kubelet-configuration-and-container-mount-hiding/01-container-mount-ns-and-kubelet-conf-master.yaml
- telco-ran/configuration/kube-compare-reference/machine-config/kubelet-configuration-and-container-mount-hiding/01-container-mount-ns-and-kubelet-conf-worker.yaml
- telco-ran/configuration/source-crs/extra-manifest/01-container-mount-ns-and-kubelet-conf-master.yaml
- telco-ran/configuration/source-crs/extra-manifest/01-container-mount-ns-and-kubelet-conf-worker.yaml
de264ab to c183ca4
/cherry-pick release-4.22
@lack: once the present PR merges, I will cherry-pick it on top of
c183ca4 to 3a2a602
…ntainer-mount-namespace
This closes a race between running `ip netns add` inside the container-mount-namespace namespace and running it outside of the container-mount-namespace namespace.
The cause of the race is that the /run/netns/ bindmount created by `ip netns add` is created with rshared properties, so the external call would shadow the internal call any time the internal call occurs first.
Forcing the call to happen on the outside ensures any subsequent internal calls will simply reuse the existing bindmount (as intended).
Signed-off-by: Jim Ramsay <jramsay@redhat.com>
3a2a602 to 0887173
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: imiller0, lack
@lack: Jira Issue OCPBUGS-83562: Some pull requests linked via external trackers have merged:
The following pull request, linked via external tracker, has not merged:
All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with
Jira Issue OCPBUGS-83562 has not been moved to the MODIFIED state.
@lack: new pull request created: #763
This closes a race between running `ip netns add` inside the container-mount-namespace namespace and running it outside of the container-mount-namespace namespace.
The cause of the race is that the /run/netns/ bindmount created by `ip netns add` is created with rshared properties, so the external call would shadow the internal call any time the internal call occurs first.
Forcing the call to happen on the outside ensures any subsequent internal calls will simply reuse the existing bindmount (as intended).
Signed-off-by: Jim Ramsay <jramsay@redhat.com>
Note: Incorporates changes from upstream containers/kubensmnt#13 and containers/kubensmnt#14
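A check for the condition the description above relies on, as an added example that is not part of the PR or of kubensmnt: it parses mountinfo captures from the host and from the container mount namespace and reports whether the host's /run/netns bind mount propagates inward. The function names and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): inspect /run/netns propagation in mountinfo.

# Print the propagation tags ("shared:N", "master:N") of the last entry
# mounted on $2 in mountinfo file $1: "private" if none, "absent" if no entry.
netns_propagation() {
    awk -v mp="$2" '
        $5 == mp {
            tags = ""
            # Optional fields run from field 7 up to the "-" separator.
            for (i = 7; i <= NF && $i != "-"; i++)
                tags = (tags == "" ? $i : tags " " $i)
            last = (tags == "" ? "private" : tags)
        }
        END { print (last == "" ? "absent" : last) }
    ' "$1"
}

# Succeed when the outer namespace's /run/netns mount propagates into the
# inner one: inner is a peer (shared:N) or slave (master:N) of outer group N.
netns_linked() {
    outer=$(netns_propagation "$1" /run/netns)
    inner=$(netns_propagation "$2" /run/netns)
    group=$(printf '%s\n' "$outer" | tr ' ' '\n' | sed -n 's/^shared://p')
    [ -n "$group" ] || return 1
    for tag in $inner; do
        case $tag in
            "shared:$group" | "master:$group") return 0 ;;
        esac
    done
    return 1
}

# Constructed sample mountinfo captures (not taken from a real node).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/host" <<'EOF'
25 1 0:23 / /run rw,nosuid,nodev shared:12 - tmpfs tmpfs rw,mode=755
410 25 0:23 /netns /run/netns rw,nosuid,nodev shared:12 - tmpfs tmpfs rw,mode=755
EOF
cat > "$tmp/inner" <<'EOF'
530 500 0:23 / /run rw,nosuid,nodev shared:88 master:12 - tmpfs tmpfs rw,mode=755
612 530 0:23 /netns /run/netns rw,nosuid,nodev shared:88 master:12 - tmpfs tmpfs rw,mode=755
EOF
# Host capture taken while nothing is mounted on /run/netns on the host side.
grep -v ' /run/netns ' "$tmp/host" > "$tmp/host_unmounted"

netns_linked "$tmp/host" "$tmp/inner" && echo "linked: host mount is reused"
netns_linked "$tmp/host_unmounted" "$tmp/inner" || echo "not linked: a later host call would shadow"
```

To use it on a node, capture /proc/self/mountinfo once from the host and once from inside the container mount namespace, then pass the two files to `netns_linked`.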