36f520dc04
As explained in the comments, this patch lets the OCI runtime create the netns when userns are in use. This is needed because the netns needs to be owned by the userns (otherwise can't modify the IP, etc.). Before this patch, we are creating the netns and then starting the pod sandbox asking to join this netns. This can't never work with userns, as the userns needs to be created first for the netns ownership to be correct. One option would be to also create the userns in containerd, then create the netns. But this is painful (needs tricks with the go runtime, special care to write the mapping, etc.). So, we just let the OCI runtime create the userns and netns, that creates them with the proper ownership. As requested by Mike Brown, the current code when userns is not used is left unchanged. We can unify the cases (with and without userns) in a future release. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
88 lines
2.2 KiB
Go
88 lines
2.2 KiB
Go
/*
|
|
Copyright The containerd Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package netns
|
|
|
|
import (
|
|
"errors"
|
|
|
|
"github.com/Microsoft/hcsshim/hcn"
|
|
)
|
|
|
|
var errNotImplementedOnWindows = errors.New("not implemented on windows")
|
|
|
|
// NetNS holds network namespace for sandbox
|
|
type NetNS struct {
|
|
path string
|
|
}
|
|
|
|
// NewNetNS creates a network namespace for the sandbox.
|
|
func NewNetNS(baseDir string) (*NetNS, error) {
|
|
temp := hcn.HostComputeNamespace{}
|
|
hcnNamespace, err := temp.Create()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &NetNS{path: hcnNamespace.Id}, nil
|
|
}
|
|
|
|
// NewNetNS returns the netns from pid or a new netns if pid is 0.
|
|
func NewNetNSFromPID(baseDir string, pid uint32) (*NetNS, error) {
|
|
return nil, errNotImplementedOnWindows
|
|
}
|
|
|
|
// LoadNetNS loads existing network namespace.
|
|
func LoadNetNS(path string) *NetNS {
|
|
return &NetNS{path: path}
|
|
}
|
|
|
|
// Remove removes network namespace if it exists and not closed. Remove is idempotent,
|
|
// meaning it might be invoked multiple times and provides consistent result.
|
|
func (n *NetNS) Remove() error {
|
|
hcnNamespace, err := hcn.GetNamespaceByID(n.path)
|
|
if err != nil {
|
|
if hcn.IsNotFoundError(err) {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
err = hcnNamespace.Delete()
|
|
if err == nil || hcn.IsNotFoundError(err) {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
|
|
// Closed checks whether the network namespace has been closed.
|
|
func (n *NetNS) Closed() (bool, error) {
|
|
_, err := hcn.GetNamespaceByID(n.path)
|
|
if err == nil {
|
|
return false, nil
|
|
}
|
|
if hcn.IsNotFoundError(err) {
|
|
return true, nil
|
|
}
|
|
return false, err
|
|
}
|
|
|
|
// GetPath returns network namespace path for sandbox container
|
|
func (n *NetNS) GetPath() string {
|
|
return n.path
|
|
}
|
|
|
|
// NOTE: Do function is not supported.
|