Skip to content

fix(podman): harden sandbox callbacks#2111

Open
maxamillion wants to merge 1 commit into
NVIDIA:mainfrom
maxamillion:gateway_callback
Open

fix(podman): harden sandbox callbacks#2111
maxamillion wants to merge 1 commit into
NVIDIA:mainfrom
maxamillion:gateway_callback

Conversation

@maxamillion

@maxamillion maxamillion commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Summary

Improve Podman diagnostics and preflight behavior when the OpenShell gateway runs inside a container. Containerized gateways now report actionable guidance for rootless Podman socket permission failures and avoid misleading subordinate-ID warnings based on the container's filesystem rather than the Podman host.

This PR no longer changes callback listener discovery or gateway network exposure; that design work is being handled separately.

Related Issue

Refs #1909

Changes

  • Detect when the gateway process is running inside a container.
  • Add --userns=keep-id guidance when a containerized gateway cannot access a mounted rootless Podman socket due to Permission denied.
  • Apply the enriched diagnostic to both Podman socket retry warnings and the final connection error.
  • Skip the local /etc/subuid and /etc/subgid preflight inside gateway containers, where those files do not describe the host running the Podman service.
  • Preserve existing diagnostics and preflight behavior for direct-host deployments, root, macOS, and unrelated connection errors.
  • Add focused unit coverage for the new diagnostic and preflight decisions.

Testing

  • mise run pre-commit passes (not run locally because mise is unavailable in the current environment)
  • cargo test -p openshell-driver-podman --lib
  • cargo fmt --all -- --check
  • cargo clippy -p openshell-driver-podman --all-targets -- -D warnings
  • Unit tests added/updated
  • E2E tests not applicable; this change only affects startup diagnostics and a host preflight warning

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs not applicable; no runtime boundaries, callback behavior, or configuration changed

@maxamillion
maxamillion requested review from a team, derekwaynecarr and mrunalp as code owners July 1, 2026 21:17
@copy-pr-bot

copy-pr-bot Bot commented Jul 1, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@maxamillion

Copy link
Copy Markdown
Collaborator Author

/ok to test 74eb820

const VOLUME_PREFIX: &str = "openshell-sandbox-";

/// Secret name prefix for per-sandbox gateway JWTs.
const TOKEN_SECRET_PREFIX: &str = "openshell-token-";

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do secret names allow "namespacing"? (i.e. would something like token.openshell/ be valid)?

Comment on lines +81 to +101
pub gateway_tls_enabled: bool,
/// Whether gateway callbacks are protected by an auth mechanism.
#[serde(skip)]
pub gateway_callback_auth_enabled: bool,

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I would assume that these gateway-specific properties are shared across other drivers. Does it make sense to embed them in a struct?

Comment on lines +990 to +991
uid: 0,
gid: 0,

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UID=0 and GID=0 are the defaults. Also, does this need to be readable by any other users? (we only specified ro when this was handled as a mount).

@elezar

elezar commented Jul 3, 2026

Copy link
Copy Markdown
Member

@maxamillion, is the use of Podman secrets separate from the callback changes? If so, could we pull the secret changes into a separate PR? They independently fix the containerized gateway token-path problem, while the callback changes affect broader behavior—for example, automatically selecting a host interface and exposing the full gateway service on the additional listener. Separating them would make both changes easier to review and test.

@maxamillion

Copy link
Copy Markdown
Collaborator Author

@elezar yes, but that change is also related to fixes for issue ticket I referenced so I wasn't sure if I should break it out or leave them combined. I'm happy to split them if preferred.

@elezar

elezar commented Jul 3, 2026

Copy link
Copy Markdown
Member

@elezar yes, but that change is also related to fixes for issue ticket I referenced so I wasn't sure if I should break it out or leave them combined. I'm happy to split them if preferred.

I definitely have some thoughts on the callback changes, but don't want to block the secret changes on those, so splitting them out may be cleaner.

@maxamillion

Copy link
Copy Markdown
Collaborator Author

@elezar I split the secrets out and updated this PR #2156

@elezar

elezar commented Jul 10, 2026

Copy link
Copy Markdown
Member

I think the callback-listener portion needs further design work before this can merge.

It adds another in-process, driver-specific gateway hook mirroring Docker’s gateway_bind_addresses(): gateway bind and TLS state are injected into PodmanComputeConfig, and the concrete Podman driver determines an additional gateway listener. This cuts across the driver-alignment concerns discussed in #1952 and #2061 and has no equivalent for external drivers.

The containerized path also skips listener discovery while the documented deployment still publishes only to host loopback, so that part of #1909 remains unresolved.

Could we split out the independent diagnostics and preflight fixes? I’m working on the broader callback-listener design separately, so I’m not expecting you to resolve that design question in this PR.

Skip host subordinate-ID checks inside gateway containers and add actionable keep-id guidance for mounted rootless Podman socket permission failures.\n\nRefs NVIDIA#1909

Signed-off-by: Adam Miller <admiller@redhat.com>
@maxamillion

Copy link
Copy Markdown
Collaborator Author

@elezar I've limited this now to diagnostic info and preflight behavior, I'll work on a different PR that addresses the callback listener, interface binding, and RPM changes to properly resolve the remaining issues in #1909

@russellb

Copy link
Copy Markdown
Contributor

Agent-assisted code review. Reviewed at head 87005b3.

Thanks for tightening the scope and fixing the body — it matches the diff now. One blocker and a couple of follow-ups.

Blocking

  • PR title is stale. It still reads fix(podman): harden sandbox callbacks, but this diff has no callback/network/TLS changes. Squash-merge uses the PR title as the commit subject, so this inaccurate line would land on main. Suggest: fix(podman): diagnostics for containerized rootless socket + subuid preflight.

Should fix

  • Doc gap. crates/openshell-driver-podman/README.md:353-357 lists the check_subuid_range() skip conditions (macOS/root) but not the new container skip or the --userns=keep-id guidance. Per AGENTS.md, update the crate README for this user-facing behavior change.
  • #1909 scope. This fully closes only the subuid false-positive and adds guidance (not a fix) for keep-id. Refs #1909 is correct — please keep it (not Fixes). A body line noting which root cause is actually resolved would help.

Nit

  • enrich_socket_connection_error matches on the "Permission denied" substring. That's the right call here (the io::Error kind is already flattened to a String in client.rs:281, so ErrorKind::PermissionDenied isn't available without threading it through PodmanApiError). Worth a one-line comment so it isn't "fixed" naively later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants