
init: Set up a dummy network interface with TSI #618

Open

mz-pdm wants to merge 1 commit into containers:main from mz-pdm:pdm-dummy-interface

Conversation

@mz-pdm (Collaborator) commented Apr 2, 2026

Some applications check for network availability by looking for a network device configured for Internet access. When TSI is used, there is no such device available by default, although Internet is accessible. Then those applications behave like when the connection is not available.

Let's solve this problem by setting up a dummy network interface. The dummy interface is automatically created when CONFIG_DUMMY is enabled in kernel or the corresponding kernel module is loaded. This means a sufficiently recent libkrunfw version is needed (see containers/libkrunfw#116). The dummy interface is initially down.

In order to make the applications happy, the interface must be brought up and set up for Internet connections. This is ensured by setting the IP address to 10.0.0.1/8 (an arbitrary choice without any special reason) in init.c if TSI is enabled. The netmask is selected to be sane; it doesn't cover the whole IP range and we cannot set a default route because then TSI has problems, but it's OK for the tested application. We can change it if some application has trouble with that.

TSI availability is determined by checking the presence of `tsi_hijack` in the kernel command line, before the `--` delimiter if present.

The dummy interface simply swallows all packets. But it is effectively bypassed by TSI for practical purposes. Things like ICMP don't work in either case.

When the kernel support is not available, the device is not present and init.c cannot set it up. We skip the configuration silently in such a case, to not spam users with errors if they use older libkrunfw or custom kernels.

Fixes: #576
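An added example, not the PR's own init.c (which is not shown on this page), of the command-line check the description specifies: an option matches only as a whole token, `opt=value` is accepted as the review suggested, and scanning stops at a standalone `--`; the buffer size is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Report whether the option `opt` appears in a kernel command line before any
 * standalone "--" delimiter (what follows "--" is passed to init, not the
 * kernel).  Tokens are separated by whitespace, including the trailing newline
 * that /proc/cmdline carries; `opt` must match a whole token, optionally as
 * `opt=value`, so a token like "tsi_hijacked" does not count. */
int cmdline_has_option(const char *cmdline, const char *opt)
{
    size_t optlen = strlen(opt);
    const char *p = cmdline;

    while (*p) {
        while (*p && isspace((unsigned char)*p))
            p++;                                  /* skip delimiters */
        if (!*p)
            break;
        const char *tok = p;
        while (*p && !isspace((unsigned char)*p))
            p++;                                  /* find end of token */
        size_t toklen = (size_t)(p - tok);

        if (toklen == 2 && memcmp(tok, "--", 2) == 0)
            return 0;                             /* stop at the delimiter */
        if (toklen >= optlen && memcmp(tok, opt, optlen) == 0 &&
            (toklen == optlen || tok[optlen] == '='))
            return 1;
    }
    return 0;
}

/* Read /proc/cmdline into a bounded buffer.  The read is capped at one byte
 * less than the buffer and the result is NUL-terminated explicitly, so a long
 * or unterminated command line can neither overflow nor run the scan past the
 * buffer.  The 4096-byte size is an assumption made for this example. */
int tsi_enabled(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/cmdline", "r");
    if (!f)
        return 0;                                 /* no cmdline: treat TSI as absent */
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cmdline_has_option(buf, "tsi_hijack");
}
```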

@mz-pdm (Collaborator, Author) commented Apr 2, 2026

/gemini review

@gemini-code-assist (bot) left a comment

Code Review

This pull request introduces functionality to detect the 'tsi_hijack' kernel parameter and conditionally enable a dummy network interface. The review identified a critical bug in the command-line parsing logic where the option would be ignored if it appeared at the end of the file or included a value assignment. Additionally, the reviewer noted that the manual manipulation of sockaddr fields for IP and netmask configuration is brittle and recommended using standard structures for better maintainability.

mz-pdm force-pushed the pdm-dummy-interface branch from d58af6d to 6f16077 on April 2, 2026 at 18:52
@mz-pdm (Collaborator, Author) commented Apr 2, 2026

/gemini review

@gemini-code-assist (bot) left a comment

Code Review

This pull request adds functionality to detect a "tsi_hijack" boot option and configure a "dummy0" network interface accordingly. Key changes include a command-line parser and interface setup logic using ioctl. Review feedback recommends using snprintf for better readability and suggests a more robust way to set interface flags by preserving existing ones instead of overwriting them.

mz-pdm force-pushed the pdm-dummy-interface branch from 6f16077 to b9c1a3b on April 2, 2026 at 19:24
@mz-pdm (Collaborator, Author) commented Apr 2, 2026

/gemini review

@gemini-code-assist (bot) left a comment

Code Review

This pull request introduces functionality to enable a dummy network interface (dummy0) if a specific kernel command-line option, tsi_hijack, is detected. The implementation includes a parser for /proc/cmdline and logic to configure the interface's IP and flags. Review feedback suggests improving the robustness of the command-line parsing by using isspace() from <ctype.h> and recommends zero-initializing the ifreq structure to prevent potential issues with ioctl calls.

mz-pdm force-pushed the pdm-dummy-interface branch from b9c1a3b to bc3b065 on April 2, 2026 at 20:13
@mz-pdm (Collaborator, Author) commented Apr 2, 2026

/gemini review

@gemini-code-assist (bot) left a comment

Code Review

This pull request introduces a mechanism to enable a dummy network interface (dummy0) based on the presence of the tsi_hijack flag in /proc/cmdline. The review feedback focuses on improving the robustness of the command-line parser by handling additional delimiters like newlines and equals signs, and ensuring internal helper functions are declared static. There are also several corrections regarding error handling, specifically replacing perror with printf where errno is not set, and a recommendation to zero-initialize the ifreq structure to prevent passing uninitialized stack data to the kernel.

mz-pdm force-pushed the pdm-dummy-interface branch from bc3b065 to 48bf392 on April 2, 2026 at 20:30
@mz-pdm (Collaborator, Author) commented Apr 2, 2026

/gemini review

@gemini-code-assist (bot) left a comment

Code Review

This pull request adds logic to detect a specific boot option in /proc/cmdline and accordingly configure a dummy network interface. The review feedback recommends enhancing code readability and maintainability by using fscanf for parsing and implementing a centralized error-handling pattern with goto.

mz-pdm force-pushed the pdm-dummy-interface branch from 48bf392 to dd4bc86 on April 3, 2026 at 03:59
@mz-pdm (Collaborator, Author) commented Apr 7, 2026

/gemini review

@gemini-code-assist (bot) left a comment

Code Review

This pull request introduces functionality to conditionally enable a dummy network interface ('dummy0') based on the presence of the 'tsi_hijack' flag in the kernel command line. It includes a helper to parse '/proc/cmdline' and logic to configure the interface using ioctl. A review comment correctly identifies the need to zero-initialize the 'ifreq' structure to avoid potential issues with garbage data in network configuration calls.

@slp (Collaborator) commented Apr 13, 2026

Apart from the issue highlighted by Gemini, the code LGTM. I wonder though if, to avoid potentially confusing apps, it wouldn't be better to use a more conventional netmask.

@mz-pdm (Collaborator, Author) commented Apr 13, 2026

> Apart from the issue highlighted by Gemini,

Added a comment to the last one, if this is the one you mean.

> I wonder though if, to avoid potentially confusing apps, it wouldn't be better to use a more conventional netmask.

It'd be cleaner. But then I wonder whether apps could have a problem with there being no default route. When I add one, the network starts being very slow; it's apparently not fine with TSI.

The given nix use case works with both 0.0.0.0 and 255.0.0.0 masks (without the default route) for me. I'm not sure which one to pick in the end. We can perhaps try either of them and see if some use case that still doesn't work gets reported?

mz-pdm force-pushed the pdm-dummy-interface branch from dd4bc86 to a1f2bfa on April 16, 2026 at 13:56
@mz-pdm (Collaborator, Author) commented Apr 16, 2026

I changed the netmask to /8, we can use a different one in future if there is trouble.

@mz-pdm (Collaborator, Author) commented Apr 16, 2026

/gemini review

@mz-pdm (Collaborator, Author) commented Apr 16, 2026

CI complaints from clang-format and clippy are about unrelated code -- updated versions of the checkers perhaps?

@gemini-code-assist (bot) left a comment

Code Review

This pull request introduces functionality to conditionally enable a dummy network interface (dummy0) based on the presence of the tsi_hijack flag in the kernel command line. Feedback includes correcting the fread return value check and ensuring proper null-termination of the command line buffer, expanding the delimiters used for parsing the command line, and zero-initializing the ifreq structure to prevent potential ioctl failures.

mz-pdm force-pushed the pdm-dummy-interface branch from a1f2bfa to 9bef196 on April 16, 2026 at 15:04
@mz-pdm (Collaborator, Author) commented Apr 16, 2026

/gemini review

@gemini-code-assist (bot) left a comment

Code Review

This pull request introduces functionality to enable a dummy network interface if a specific boot option is detected in the kernel command line. The review feedback highlights the need for platform-specific guards to ensure compatibility with non-Linux systems, improvements to the command-line parsing logic to handle newlines, the necessity of zero-initializing network structures to avoid undefined behavior, and a correction to the netmask configuration to match the intended logic.

mz-pdm force-pushed the pdm-dummy-interface branch from 9bef196 to ca6f92a on April 17, 2026 at 10:29
@mz-pdm (Collaborator, Author) commented Apr 17, 2026

/gemini review

@gemini-code-assist (bot) left a comment

Code Review

This pull request adds logic to enable a dummy network interface on Linux if 'tsi_hijack' is specified in the kernel command line. It includes functions for parsing the command line and configuring the 'dummy0' interface. A review comment recommends zero-initializing the 'ifreq' structure to avoid passing uninitialized data to the kernel.

Some applications check for network availability by looking for a network device configured for Internet access. When TSI is used, there is no such device available by default, although Internet is accessible. Then those applications behave like when the connection is not available.

Let's solve this problem by setting up a dummy network interface. The dummy interface is automatically created when CONFIG_DUMMY is enabled in kernel or the corresponding kernel module is loaded. This means a sufficiently recent libkrunfw version is needed (see containers/libkrunfw#116). The dummy interface is initially down.

In order to make the applications happy, the interface must be brought up and set up for Internet connections. This is ensured by setting the IP address to 10.0.0.1/8 (an arbitrary choice without any special reason) in init.c if TSI is enabled. The netmask is selected to be sane; it doesn't cover the whole IP range and we cannot set a default route because then TSI has problems, but it's OK for the tested application. We can change it if some application has trouble with that.

TSI availability is determined by checking the presence of `tsi_hijack` in the kernel command line, before the `--` delimiter if present.

The dummy interface simply swallows all packets. But it is effectively bypassed by TSI for practical purposes. Things like ICMP don't work in either case.

When the kernel support is not available, the device is not present and init.c cannot set it up. We skip the configuration silently in such a case, to not spam users with errors if they use older libkrunfw or custom kernels.

Fixes: containers#576

Signed-off-by: Milan Zamazal <mzamazal@redhat.com>
mz-pdm force-pushed the pdm-dummy-interface branch from ca6f92a to a5bbf6c on April 17, 2026 at 15:14

Development: successfully merging this pull request may close the issue "Suggestion: export routable interface to user space with TSI".
