Handle library usage and missing network namespace gracefully
@@ -433,11 +433,17 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, bridge *Lin
|
|||||||
// Skip Landlock wrapper if executable is in /tmp (test binaries are built there)
|
// Skip Landlock wrapper if executable is in /tmp (test binaries are built there)
|
||||||
// The wrapper won't work because --tmpfs /tmp hides the test binary
|
// The wrapper won't work because --tmpfs /tmp hides the test binary
|
||||||
executableInTmp := strings.HasPrefix(fenceExePath, "/tmp/")
|
executableInTmp := strings.HasPrefix(fenceExePath, "/tmp/")
|
||||||
useLandlockWrapper := opts.UseLandlock && features.CanUseLandlock() && fenceExePath != "" && !executableInTmp
|
// Skip Landlock wrapper if fence is being used as a library (executable is not fence)
|
||||||
|
// The wrapper re-executes the binary with --landlock-apply, which only fence understands
|
||||||
|
executableIsFence := strings.Contains(filepath.Base(fenceExePath), "fence")
|
||||||
|
useLandlockWrapper := opts.UseLandlock && features.CanUseLandlock() && fenceExePath != "" && !executableInTmp && executableIsFence
|
||||||
|
|
||||||
if opts.Debug && executableInTmp {
|
if opts.Debug && executableInTmp {
|
||||||
fmt.Fprintf(os.Stderr, "[fence:linux] Skipping Landlock wrapper (executable in /tmp, likely a test)\n")
|
fmt.Fprintf(os.Stderr, "[fence:linux] Skipping Landlock wrapper (executable in /tmp, likely a test)\n")
|
||||||
}
|
}
|
||||||
|
if opts.Debug && !executableIsFence {
|
||||||
|
fmt.Fprintf(os.Stderr, "[fence:linux] Skipping Landlock wrapper (running as library, not fence CLI)\n")
|
||||||
|
}
|
||||||
|
|
||||||
bwrapArgs = append(bwrapArgs, "--", shellPath, "-c")
|
bwrapArgs = append(bwrapArgs, "--", shellPath, "-c")
|
||||||
|
|
||||||
|
|||||||
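Review bot: The Landlock wrapper is now dropped whenever the executable's basename does not contain the substring "fence" (`executableIsFence := strings.Contains(filepath.Base(fenceExePath), "fence")`), so an embedder whose binary is named anything else silently loses the filesystem restriction, while an unrelated binary that happens to contain "fence" in its name would be re-executed with `--landlock-apply` it cannot service. A name heuristic is a fragile basis for disabling a sandbox layer; an explicit capability on the options struct that the CLI sets (name to be chosen) would make the decision deterministic and visible to callers, and the skip deserves reporting outside `opts.Debug` since it changes what the sandbox enforces. At minimum the new line should carry a comment such as `// Name-based heuristic: only the fence CLI can service the --landlock-apply re-exec, so the wrapper (and its filesystem restriction) is skipped for other binaries.` Also, when `fenceExePath == ""` the new debug message claims "running as library" although the empty path is what disabled the wrapper; `if opts.Debug && fenceExePath != "" && !executableIsFence {` keeps the message accurate. WrapCommandLinuxWithOptions starts and ends outside this hunk.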
@@ -14,6 +14,7 @@ type LinuxFeatures struct {
|
|||||||
HasEBPF bool
|
HasEBPF bool
|
||||||
HasCapBPF bool
|
HasCapBPF bool
|
||||||
HasCapRoot bool
|
HasCapRoot bool
|
||||||
|
CanUnshareNet bool
|
||||||
KernelMajor int
|
KernelMajor int
|
||||||
KernelMinor int
|
KernelMinor int
|
||||||
}
|
}
|
||||||
|
|||||||
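Review bot: The new `CanUnshareNet` field has no doc comment, yet it is the flag that decides whether the sandbox gets its own network namespace or shares the host's, which is the most security-relevant bit in this struct for anyone reading the Manager code. Suggested line above it: `// CanUnshareNet is true when a separate network namespace can be created; when false the sandbox shares the host network and inbound port exposure is not isolated.` The second clause restates what the Initialize change in this commit relies on; keep it only if DetectLinuxFeatures (outside this hunk) sets the field with that meaning.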
@@ -76,7 +76,9 @@ func (m *Manager) Initialize() error {
|
|||||||
m.linuxBridge = bridge
|
m.linuxBridge = bridge
|
||||||
|
|
||||||
// Set up reverse bridge for exposed ports (inbound connections)
|
// Set up reverse bridge for exposed ports (inbound connections)
|
||||||
if len(m.exposedPorts) > 0 {
|
// Only needed when network namespace is available - otherwise they share the network
|
||||||
|
features := DetectLinuxFeatures()
|
||||||
|
if len(m.exposedPorts) > 0 && features.CanUnshareNet {
|
||||||
reverseBridge, err := NewReverseBridge(m.exposedPorts, m.debug)
|
reverseBridge, err := NewReverseBridge(m.exposedPorts, m.debug)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
m.linuxBridge.Cleanup()
|
m.linuxBridge.Cleanup()
|
||||||
@@ -85,6 +87,8 @@ func (m *Manager) Initialize() error {
|
|||||||
return fmt.Errorf("failed to initialize reverse bridge: %w", err)
|
return fmt.Errorf("failed to initialize reverse bridge: %w", err)
|
||||||
}
|
}
|
||||||
m.reverseBridge = reverseBridge
|
m.reverseBridge = reverseBridge
|
||||||
|
} else if len(m.exposedPorts) > 0 && m.debug {
|
||||||
|
m.logDebug("Skipping reverse bridge (no network namespace, ports accessible directly)")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
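Review bot: When `features.CanUnshareNet` is false the reverse bridge is skipped and the sandboxed process presumably runs on the host network stack, but that weaker boundary is reported only via `m.logDebug` and only when `m.debug` is set, so a caller that configured exposedPorts has no signal that inbound reachability is no longer limited to those ports. Consider logging this unconditionally or recording it on the Manager (a boolean callers can read; name to be chosen) so the absence of network isolation is visible outside debug runs. The branch would also read better with a comment such as `// No network namespace available: the sandbox shares the host network, so the reverse bridge and the exposedPorts restriction are not in effect.` Separately, `DetectLinuxFeatures()` is called fresh here; if the bridge created earlier in Initialize (outside this hunk) already ran detection, reuse that result so both decisions see the same kernel state. Initialize starts before the first hunk of this section.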