Weave with gVisor breaks due to missing /proc/sys/net for arp params

[oliviabarrick]

I'm trying to run Weave with gVisor as the runtime and it seems to break weave net:

  Warning  FailedCreatePodSandBox  8m                kubelet, do-worker-kubeadm-0  Failed create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_demo-deployment-canary-5cbcccd6db-6d9z8_default_37c32faa-a405-11e8-a1cc-72fccbf74132_0(950d0590a9ad21958b67a23f0d23cd299b2660b7fbf2f204892b7b56f03da7f9): initializing veth: error setting up interface: open /proc/sys/net/ipv4/neigh/eth0/base_reachable_time: no such file or directory

Any ideas how to work around this?

All pods in my cluster are able to start unless they are run using gVisor by adding the annotation:

        io.kubernetes.cri-o.TrustedSandbox: "false"

[oliviabarrick]

It seems like they don't implement /proc/sys/net: https://github.com/google/gvisor/blob/master/pkg/sentry/fs/proc/README.md

[brb]

@justinbarrick Thanks for trying to run Weave Net with gVisor and opening the issue.

/proc/sys/net is used by https://github.com/weaveworks/weave/blob/master/net/arp.go#L13. Weave Net can function without configuring the ARP cache params, but currently there is no flag to disable it.

You could try to comment out the body of the function and create the relevant Weave Net images by running make.

[sfxworks]

I just ran into this with runsc and crio.

[maxmcd]

I tried figuring this out and ran into a different issue.
This call to netns.GetFromPath returns "no such file or directory" for (eg) "/proc/24020/ns/net"
https://github.com/weaveworks/weave/blob/0c4659c3/net/veth.go#L115

Is it possible to hook into the namespace created by the gvisor container if it's not present on the host?