> From: Mark Lehrer <lehrer@xxxxxxxxx>
> Sent: Thursday, April 13, 2023 12:38 PM
>
> > Initiator is not net ns aware.
>
> Am I correct in my assessment that this could be a container jailbreak risk? We
> aren't using containers,

Unlikely, because container orchestration must give access to the nvme char/misc device to the container. And it should do so only when nvme initiator/target are net ns aware.

> but we were shocked that RoCEv2 connections
> magically worked through the physical function which was not in the netns
> context.

I do not understand this part.
If you are in exclusive mode, rdma devices must be in the respective/appropriate net ns.
It is unlikely to work; it may be some misconfiguration.
Hard to say without the exact commands.