Vouch request: craig-kindo

[craig-kindo]

What do you want to work on?

I want to fix the mount --make-shared /run/netns bug that blocks OpenShell from running on GKE. I'm open to discussions and directions about what tradeoffs we want to make.

Why this change?

The change I want to make is pretty intentionally small. I'm pretty sure the best possible thing is to expand the test suite to test full k8s instead of just k3s, because this bug doesn't show up in k3s. But that's a lot more that I don't want to bite off. So I'm just changing one .rs file instead.

The OpenShell supervisor needs to create a network namespace. It shells out to the ip tool to do this, and that tool uses a linux special-purpose filesystem to actually create the kernel structure. This is the /run/netns filesystem that OpenShell calls mount --make-shared on, so the ip tool can create submounts which are shared with the host namespace and therefore accepted by the kernel as commands to create network namespaces. This specific command fails because the k8s yaml ceremony is not observed for mount propogation.

There's two possible fixes for this: either (1) implement the k8s yaml ceremony of setting that as a bidirectionally propogating mountpoint and the container as priviledged (big nono), which is needed for that mount option, or (2) use a direct kernel syscall to set up the mount namespace instead of shelling out to ip. I obviously favor option (2) because it does not require a priviledged container, which would tear down many of the sandboxing guarantees we want.

Getting this bug fixed matters to me because it blocks the functionality of OpenShell on any of our infra that's not our developer laptops. We use k3s on laptops but full k8s in the rest of our infra.

Checklist

• I wrote this request myself (not AI-generated)
• I have read CONTRIBUTING.md