opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-08-06 19:44:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

network: allow slirp4netns mode also for root containers

Browse Source 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano
2018-11-26 21:31:06 +01:00
parent 4203df69ac
commit 95f22a2ca0
9 changed files with 32 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/podman-create.1.md
View File

@ -426,7 +426,8 @@ Set the Network mode for the container
'container:<name|id>': reuse another container's network stack 'container:<name|id>': reuse another container's network stack
'host': use the podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. 'host': use the podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
'<network-name>|<network-id>': connect to a user-defined network '<network-name>|<network-id>': connect to a user-defined network
'ns:<path>' path to a network namespace to join 'ns:<path>': path to a network namespace to join
'slirp4netns': use slirp4netns to create a user network stack. This is the default for rootless containers
**--network-alias**=[] **--network-alias**=[]

3
docs/podman-run.1.md
View File

@ -408,7 +408,8 @@ Set the Network mode for the container:
- `container:<name|id>`: reuse another container's network stack - `container:<name|id>`: reuse another container's network stack
- `host`: use the podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. - `host`: use the podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
- `<network-name>|<network-id>`: connect to a user-defined network - `<network-name>|<network-id>`: connect to a user-defined network
- `ns:<path>` path to a network namespace to join - `ns:<path>`: path to a network namespace to join
- `slirp4netns`: use slirp4netns to create a user network stack. This is the default for rootless containers
**--network-alias**=[] **--network-alias**=[]

3
libpod/container.go
View File

@ -9,6 +9,7 @@ import (
"github.com/containernetworking/cni/pkg/types" "github.com/containernetworking/cni/pkg/types"
cnitypes "github.com/containernetworking/cni/pkg/types/current" cnitypes "github.com/containernetworking/cni/pkg/types/current"
"github.com/containers/libpod/pkg/namespaces"
"github.com/containers/storage" "github.com/containers/storage"
"github.com/cri-o/ocicni/pkg/ocicni" "github.com/cri-o/ocicni/pkg/ocicni"
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
@ -296,6 +297,8 @@ type ContainerConfig struct {
HostAdd []string `json:"hostsAdd,omitempty"` HostAdd []string `json:"hostsAdd,omitempty"`
// Network names (CNI) to add container to. Empty to use default network. // Network names (CNI) to add container to. Empty to use default network.
Networks []string `json:"networks,omitempty"` Networks []string `json:"networks,omitempty"`
// Network mode specified for the default network.
NetMode namespaces.NetworkMode `json:"networkMode,omitempty"`
// Image Config // Image Config

13
libpod/container_easyjson.go
View File

@ -8,6 +8,7 @@ import (
json "encoding/json" json "encoding/json"
types "github.com/containernetworking/cni/pkg/types" types "github.com/containernetworking/cni/pkg/types"
current "github.com/containernetworking/cni/pkg/types/current" current "github.com/containernetworking/cni/pkg/types/current"
namespaces "github.com/containers/libpod/pkg/namespaces"
storage "github.com/containers/storage" storage "github.com/containers/storage"
idtools "github.com/containers/storage/pkg/idtools" idtools "github.com/containers/storage/pkg/idtools"
ocicni "github.com/cri-o/ocicni/pkg/ocicni" ocicni "github.com/cri-o/ocicni/pkg/ocicni"
@ -1550,6 +1551,8 @@ func easyjson1dbef17bDecodeGithubComContainersLibpodLibpod2(in *jlexer.Lexer, ou
} }
in.Delim(']') in.Delim(']')
} }
case "networkMode":
out.NetMode = namespaces.NetworkMode(in.String())
case "userVolumes": case "userVolumes":
if in.IsNull() { if in.IsNull() {
in.Skip() in.Skip()
@ -2177,6 +2180,16 @@ func easyjson1dbef17bEncodeGithubComContainersLibpodLibpod2(out *jwriter.Writer,
out.RawByte(']') out.RawByte(']')
} }
} }
if in.NetMode != "" {
const prefix string = ",\"networkMode\":"
if first {
first = false
out.RawString(prefix[1:])
} else {
out.RawString(prefix)
}
out.String(string(in.NetMode))
}
if len(in.UserVolumes) != 0 { if len(in.UserVolumes) != 0 {
const prefix string = ",\"userVolumes\":" const prefix string = ",\"userVolumes\":"
if first { if first {

2
libpod/container_internal.go
View File

@ -586,7 +586,7 @@ func (c *Container) completeNetworkSetup() error {
if err := c.syncContainer(); err != nil { if err := c.syncContainer(); err != nil {
return err return err
} }
if rootless.IsRootless() { if c.config.NetMode == "slirp4netns" {
return c.runtime.setupRootlessNetNS(c) return c.runtime.setupRootlessNetNS(c)
} }
return c.runtime.setupNetNS(c) return c.runtime.setupNetNS(c)

2
libpod/oci.go
View File

@ -329,7 +329,7 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string, res
cmd.ExtraFiles = append(cmd.ExtraFiles, ports...) cmd.ExtraFiles = append(cmd.ExtraFiles, ports...)
} }
if rootless.IsRootless() { if ctr.config.NetMode.IsSlirp4netns() {
ctr.rootlessSlirpSyncR, ctr.rootlessSlirpSyncW, err = os.Pipe() ctr.rootlessSlirpSyncR, ctr.rootlessSlirpSyncW, err = os.Pipe()
if err != nil { if err != nil {
return errors.Wrapf(err, "failed to create rootless network sync pipe") return errors.Wrapf(err, "failed to create rootless network sync pipe")

4
libpod/options.go
View File

@ -7,6 +7,7 @@ import (
"regexp" "regexp"
"syscall" "syscall"
"github.com/containers/libpod/pkg/namespaces"
"github.com/containers/storage" "github.com/containers/storage"
"github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/idtools"
"github.com/cri-o/ocicni/pkg/ocicni" "github.com/cri-o/ocicni/pkg/ocicni"
@ -817,7 +818,7 @@ func WithDependencyCtrs(ctrs []*Container) CtrCreateOption {
// namespace with a minimal configuration. // namespace with a minimal configuration.
// An optional array of port mappings can be provided. // An optional array of port mappings can be provided.
// Conflicts with WithNetNSFrom(). // Conflicts with WithNetNSFrom().
func WithNetNS(portMappings []ocicni.PortMapping, postConfigureNetNS bool, networks []string) CtrCreateOption { func WithNetNS(portMappings []ocicni.PortMapping, postConfigureNetNS bool, netmode string, networks []string) CtrCreateOption {
return func(ctr *Container) error { return func(ctr *Container) error {
if ctr.valid { if ctr.valid {
return ErrCtrFinalized return ErrCtrFinalized
@ -831,6 +832,7 @@ func WithNetNS(portMappings []ocicni.PortMapping, postConfigureNetNS bool, netwo
ctr.config.CreateNetNS = true ctr.config.CreateNetNS = true
ctr.config.PortMappings = portMappings ctr.config.PortMappings = portMappings
ctr.config.Networks = networks ctr.config.Networks = networks
ctr.config.NetMode = namespaces.NetworkMode(netmode)
return nil return nil
} }

6
libpod/runtime_pod_infra_linux.go
View File

@ -50,7 +50,11 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, imgID
// Since user namespace sharing is not implemented, we only need to check if it's rootless // Since user namespace sharing is not implemented, we only need to check if it's rootless
networks := make([]string, 0) networks := make([]string, 0)
options = append(options, WithNetNS(p.config.InfraContainer.PortBindings, isRootless, networks)) netmode := "bridge"
if isRootless {
netmode = "slirp4netns"
}
options = append(options, WithNetNS(p.config.InfraContainer.PortBindings, isRootless, netmode, networks))
return r.newContainer(ctx, g.Config, options...) return r.newContainer(ctx, g.Config, options...)
} }

4
pkg/spec/createconfig.go
View File

@ -391,11 +391,11 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime) ([]lib
options = append(options, libpod.WithNetNSFrom(connectedCtr)) options = append(options, libpod.WithNetNSFrom(connectedCtr))
} else if !c.NetMode.IsHost() && !c.NetMode.IsNone() { } else if !c.NetMode.IsHost() && !c.NetMode.IsNone() {
isRootless := rootless.IsRootless() isRootless := rootless.IsRootless()
postConfigureNetNS := isRootless || (len(c.IDMappings.UIDMap) > 0 || len(c.IDMappings.GIDMap) > 0) && !c.UsernsMode.IsHost() postConfigureNetNS := c.NetMode.IsSlirp4netns() || (len(c.IDMappings.UIDMap) > 0 || len(c.IDMappings.GIDMap) > 0) && !c.UsernsMode.IsHost()
if isRootless && len(portBindings) > 0 { if isRootless && len(portBindings) > 0 {
return nil, errors.New("port bindings are not yet supported by rootless containers") return nil, errors.New("port bindings are not yet supported by rootless containers")
} }
options = append(options, libpod.WithNetNS(portBindings, postConfigureNetNS, networks)) options = append(options, libpod.WithNetNS(portBindings, postConfigureNetNS, string(c.NetMode), networks))
} }
if c.PidMode.IsContainer() { if c.PidMode.IsContainer() {