github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #4973 from lorenz/move-netns-into-statedir

Browse Source 
Allow moving netns directory into StateDir
This commit is contained in:
Phil Estes 2021-02-10 13:08:50 -05:00 committed by GitHub
commit 2adb2ea64c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 22 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/cri/config.md
View File

@ -59,6 +59,11 @@ version = 2
# ReadOnlyRootFilesystem since containers won't silently mount a temporary volume. # ReadOnlyRootFilesystem since containers won't silently mount a temporary volume.
ignore_image_defined_volumes = false ignore_image_defined_volumes = false
# netns_mounts_under_state_dir places all mounts for network namespaces under StateDir/netns
# instead of being placed under the hardcoded directory /var/run/netns. Changing this setting
# requires that all containers are deleted.
netns_mounts_under_state_dir = false
# 'plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming' contains a x509 valid key pair to stream with tls. # 'plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming' contains a x509 valid key pair to stream with tls.
[plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming] [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
# tls_cert_file is the filepath to the certificate paired with the "tls_key_file" # tls_cert_file is the filepath to the certificate paired with the "tls_key_file"

4
pkg/cri/config/config.go
View File

@ -253,6 +253,10 @@ type PluginConfig struct {
// isolation, security and early detection of issues in the mount configuration when using // isolation, security and early detection of issues in the mount configuration when using
// ReadOnlyRootFilesystem since containers won't silently mount a temporary volume. // ReadOnlyRootFilesystem since containers won't silently mount a temporary volume.
IgnoreImageDefinedVolumes bool `toml:"ignore_image_defined_volumes" json:"ignoreImageDefinedVolumes"` IgnoreImageDefinedVolumes bool `toml:"ignore_image_defined_volumes" json:"ignoreImageDefinedVolumes"`
// NetNSMountsUnderStateDir places all mounts for network namespaces under StateDir/netns instead
// of being placed under the hardcoded directory /var/run/netns. Changing this setting requires
// that all containers are deleted.
NetNSMountsUnderStateDir bool `toml:"netns_mounts_under_state_dir" json:"netnsMountsUnderStateDir"`
} }
// X509KeyPairStreaming contains the x509 configuration for streaming // X509KeyPairStreaming contains the x509 configuration for streaming

7
pkg/cri/server/sandbox_run.go
View File

@ -19,6 +19,7 @@ package server
import ( import (
"encoding/json" "encoding/json"
"math" "math"
"path/filepath"
goruntime "runtime" goruntime "runtime"
"strings" "strings"
@ -120,7 +121,11 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
// handle. NetNSPath in sandbox metadata and NetNS is non empty only for non host network // handle. NetNSPath in sandbox metadata and NetNS is non empty only for non host network
// namespaces. If the pod is in host network namespace then both are empty and should not // namespaces. If the pod is in host network namespace then both are empty and should not
// be used. // be used.
sandbox.NetNS, err = netns.NewNetNS() var netnsMountDir string = "/var/run/netns"
if c.config.NetNSMountsUnderStateDir {
netnsMountDir = filepath.Join(c.config.StateDir, "netns")
}
sandbox.NetNS, err = netns.NewNetNS(netnsMountDir)
if err != nil { if err != nil {
return nil, errors.Wrapf(err, "failed to create network namespace for sandbox %q", id) return nil, errors.Wrapf(err, "failed to create network namespace for sandbox %q", id)
} }

12
pkg/netns/netns_linux.go
View File

@ -46,14 +46,12 @@ import (
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
) )
const nsRunDir = "/var/run/netns"
// Some of the following functions are migrated from // Some of the following functions are migrated from
// https://github.com/containernetworking/plugins/blob/master/pkg/testutils/netns_linux.go // https://github.com/containernetworking/plugins/blob/master/pkg/testutils/netns_linux.go
// newNS creates a new persistent (bind-mounted) network namespace and returns the // newNS creates a new persistent (bind-mounted) network namespace and returns the
// path to the network namespace. // path to the network namespace.
func newNS() (nsPath string, err error) { func newNS(baseDir string) (nsPath string, err error) {
b := make([]byte, 16) b := make([]byte, 16)
if _, err := rand.Reader.Read(b); err != nil { if _, err := rand.Reader.Read(b); err != nil {
return "", errors.Wrap(err, "failed to generate random netns name") return "", errors.Wrap(err, "failed to generate random netns name")
@ -62,13 +60,13 @@ func newNS() (nsPath string, err error) {
// Create the directory for mounting network namespaces // Create the directory for mounting network namespaces
// This needs to be a shared mountpoint in case it is mounted in to // This needs to be a shared mountpoint in case it is mounted in to
// other namespaces (containers) // other namespaces (containers)
if err := os.MkdirAll(nsRunDir, 0755); err != nil { if err := os.MkdirAll(baseDir, 0755); err != nil {
return "", err return "", err
} }
// create an empty file at the mount point // create an empty file at the mount point
nsName := fmt.Sprintf("cni-%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]) nsName := fmt.Sprintf("cni-%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
nsPath = path.Join(nsRunDir, nsName) nsPath = path.Join(baseDir, nsName)
mountPointFd, err := os.Create(nsPath) mountPointFd, err := os.Create(nsPath)
if err != nil { if err != nil {
return "", err return "", err
@ -162,8 +160,8 @@ type NetNS struct {
} }
// NewNetNS creates a network namespace. // NewNetNS creates a network namespace.
func NewNetNS() (*NetNS, error) { func NewNetNS(baseDir string) (*NetNS, error) {
path, err := newNS() path, err := newNS(baseDir)
if err != nil { if err != nil {
return nil, errors.Wrap(err, "failed to setup netns") return nil, errors.Wrap(err, "failed to setup netns")
} }

2
pkg/netns/netns_other.go
View File

@ -30,7 +30,7 @@ type NetNS struct {
} }
// NewNetNS creates a network namespace. // NewNetNS creates a network namespace.
func NewNetNS() (*NetNS, error) { func NewNetNS(baseDir string) (*NetNS, error) {
return nil, errNotImplementedOnUnix return nil, errNotImplementedOnUnix
} }

2
pkg/netns/netns_windows.go
View File

@ -26,7 +26,7 @@ type NetNS struct {
} }
// NewNetNS creates a network namespace for the sandbox // NewNetNS creates a network namespace for the sandbox
func NewNetNS() (*NetNS, error) { func NewNetNS(baseDir string) (*NetNS, error) {
temp := hcn.HostComputeNamespace{} temp := hcn.HostComputeNamespace{}
hcnNamespace, err := temp.Create() hcnNamespace, err := temp.Create()
if err != nil { if err != nil {