From https://github.com/Mirantis/virtlet/blob/master/docs/design-proposals/vm-isolation.md#additional-security-measures
Use a separate container for libvirt. This entails changing how we prepare the tap fd in vmwrapper, because mounting the network namespace directory can be problematic in some cases (e.g. because one of /run or /var/run is a symbolic link). Basically, the tap fd must be prepared on the Virtlet side and then sent over a Unix domain socket to the vmwrapper process (the socket may reside on an emptyDir volume). With the current version of Go this is somewhat complicated because of the problem with switching namespaces inside a Go process, so this will mean starting a subprocess that will prepare and send the file descriptor.
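The fd hand-off the issue describes, as an added example that is not Virtlet's own code: one side (standing in for the Virtlet subprocess) opens a file descriptor and passes it over a Unix domain socket with `SCM_RIGHTS`; the other side (standing in for vmwrapper) receives it and uses it as its own fd. Creating the real tap device needs `CAP_NET_ADMIN` and a `setns()` into the pod's network namespace, which is exactly the step that has to live in a subprocess, so this example substitutes the read end of a pipe for the tap fd and skips the namespace switch. The socket path under a caller-supplied directory (the emptyDir volume in the proposal), the one-byte-plus tag payload, and the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// SendFD passes fd to the peer of conn using SCM_RIGHTS. The tag is sent as
// the message payload: Linux will not deliver ancillary data on an empty
// message, and the tag lets the receiver know which interface the fd is for.
func SendFD(conn *net.UnixConn, fd int, tag string) error {
	rights := syscall.UnixRights(fd)
	_, _, err := conn.WriteMsgUnix([]byte(tag), rights, nil)
	return err
}

// RecvFD receives exactly one file descriptor and the tag sent with it.
// Anything other than a single fd in a single control message is an error:
// a stray extra fd would otherwise leak into the receiving process.
func RecvFD(conn *net.UnixConn) (int, string, error) {
	buf := make([]byte, 256)
	oob := make([]byte, syscall.CmsgSpace(4)) // room for one int-sized fd
	n, oobn, _, _, err := conn.ReadMsgUnix(buf, oob)
	if err != nil {
		return -1, "", err
	}
	msgs, err := syscall.ParseSocketControlMessage(oob[:oobn])
	if err != nil {
		return -1, "", err
	}
	if len(msgs) != 1 {
		return -1, "", fmt.Errorf("expected 1 control message, got %d", len(msgs))
	}
	fds, err := syscall.ParseUnixRights(&msgs[0])
	if err != nil {
		return -1, "", err
	}
	if len(fds) != 1 {
		return -1, "", fmt.Errorf("expected 1 fd, got %d", len(fds))
	}
	return fds[0], string(buf[:n]), nil
}

// PassFDDemo runs both sides in one process. dir plays the role of the shared
// emptyDir volume; the pipe plays the role of the tap fd (assumption of this
// example). It returns "<tag>:<data read through the received fd>".
func PassFDDemo(dir string) (string, error) {
	sockPath := filepath.Join(dir, "tapfd.sock")
	ln, err := net.ListenUnix("unix", &net.UnixAddr{Name: sockPath, Net: "unix"})
	if err != nil {
		return "", err
	}
	defer ln.Close()

	// "Virtlet side": would setns() into the pod netns and create the tap
	// device here; we stand in a pipe for it and send its read end.
	sendErr := make(chan error, 1)
	go func() {
		r, w, err := os.Pipe()
		if err != nil {
			sendErr <- err
			return
		}
		conn, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: sockPath, Net: "unix"})
		if err != nil {
			sendErr <- err
			return
		}
		defer conn.Close()
		err = SendFD(conn, int(r.Fd()), "tap0")
		r.Close() // the receiver now holds its own reference to the pipe
		if err != nil {
			sendErr <- err
			return
		}
		_, err = w.Write([]byte("hello from virtlet side"))
		w.Close()
		sendErr <- err
	}()

	// "vmwrapper side": accept, receive the fd, and use it like any local fd.
	conn, err := ln.AcceptUnix()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fd, tag, err := RecvFD(conn)
	if err != nil {
		return "", err
	}
	f := os.NewFile(uintptr(fd), tag)
	defer f.Close()
	data, err := io.ReadAll(f)
	if err != nil {
		return "", err
	}
	if err := <-sendErr; err != nil {
		return "", err
	}
	return tag + ":" + string(data), nil
}

func main() {
	dir, err := os.MkdirTemp("", "tapfd")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	out, err := PassFDDemo(dir)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The receiver only trusts a message that carries exactly one fd, and the sender closes its own copy right after `sendmsg` returns; the kernel attaches the file reference to the message at send time, so the receiver gets a valid descriptor even if it has not called `recvmsg` yet. In the real split, the sender is the privileged subprocess that enters the pod's network namespace before opening `/dev/net/tun`, and the receiver is vmwrapper, which never needs the namespace mounted at all.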