194 Commits

Author SHA1 Message Date
4093b2c011 Add codespell to validate spelling mistakes in code.
Fix all errors found by codespell

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-01-11 06:32:19 -05:00
556cc1fadf rootlessport: honor ctr.runtime.config.TmpDir
Previously, rootlessport was using /var/tmp as the tmp dir.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-09 14:06:33 +09:00
da7595a69f rootless: use RootlessKit port forwarder
RootlessKit port forwarder has a lot of advantages over the slirp4netns port forwarder:

* Very high throughput.
  Benchmark result on Travis: socat: 5.2 Gbps, slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps
  (https://travis-ci.org/rootless-containers/rootlesskit/builds/597056377)

* Connections from the host are treated as 127.0.0.1 rather than 10.0.2.2 in the namespace.
  No UDP issue (#4586)

* No tcp_rmem issue (#4537)

* Probably works with IPv6. Even if not, it is trivial to support IPv6.  (#4311)

* Easily extensible for future support of SCTP

* Easily extensible for future support of `lxc-user-nic` SUID network

RootlessKit port forwarder has been already adopted as the default port forwarder by Rootless Docker/Moby,
and no issue has been reported AFAIK.

As the port forwarder is imported as a Go package, no `rootlesskit` binary is required for Podman.

Fix #4586
May-fix #4559
Fix #4537
May-fix #4311

See https://github.com/rootless-containers/rootlesskit/blob/v0.7.0/pkg/port/builtin/builtin.go

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-08 19:35:17 +09:00
01ae532a89 Allow --ip and --mac to be set when joining a CNI net
These only conflict when joining more than one network. We can
still set a single CNI network and set a static IP and/or static
MAC.

Fixes #4500

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-11-26 09:56:14 -05:00
2497b6c77b podman: add support for specifying MAC
I basically copied and adapted the statements for setting IP.

Closes #1136

Signed-off-by: Jakub Filak <jakub.filak@sap.com>
2019-11-06 16:22:19 +01:00
455f5b7616 vendor: updated ocicni for MAC address
`go get github.com/cri-o/ocicni@deac903fd99b6c52d781c9f42b8db3af7dcfd00a`

I had to fix compilation errors in libpod/networking_linux.go

---

ocicni.Networks has changed from string to the structure NetAttachment
with the member Name (the former string value) and the member Ifname
(optional).

I don't think we can make use of Ifname here, so I just map the array of
structures to array of strings - e.g. dropping Ifname.

---

The function GetPodNetworkStatus no longer returns Result but it returns
the wrapper structure NetResult which contains the former Result plus
NetAttachment (Network name and Interface name).

Again, I don't think we can make use of that information here, so I
just added `.Result` to fix the build.

---

Issue: #1136

Signed-off-by: Jakub Filak <jakub.filak@sap.com>
2019-11-06 16:22:18 +01:00
31a5827856 slirp4netns: fix timeout
the pidWaitTimeout is already a Duration so do not multiply it again
by time.Millisecond.

Closes: https://github.com/containers/libpod/issues/4344

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-11-04 17:06:52 +01:00
795460f7b0 libpod: if slirp4netns fails, return its output
read the slirp4netns stderr and propagate it in the error when the
process fails.

Replace: https://github.com/containers/libpod/pull/4338

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-10-29 07:13:50 +01:00
f10f9bc58f rootless v2 cannot collect network stats
network statistics cannot be collected for rootless network devices with
the current implementation.  for now, we return nil so that stats will
at least for users.

Fixes:#4268

Signed-off-by: baude <bbaude@redhat.com>
2019-10-15 14:09:41 -05:00
6f630bc09b Move OCI runtime implementation behind an interface
For future work, we need multiple implementations of the OCI
runtime, not just a Conmon-wrapped runtime matching the runc CLI.

As part of this, do some refactoring on the interface for exec
(move to a struct, not a massive list of arguments). Also, add
'all' support to Kill and Stop (supported by runc and used a bit
internally for removing containers).

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-10-10 10:19:32 -04:00
dc71a9ebd0 network: add workaround for slirp4netns --enable-sandbox issue
add a workaround for https://github.com/rootless-containers/slirp4netns/pull/153

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-10-01 14:49:24 +02:00
5813c8246e rootless: Rearrange setup of rootless containers
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes #2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
2019-09-24 11:01:28 +02:00
7c3428de26 networking: use --enable-sandbox if available
if slirp4netns supports sandboxing, enable it.

It automatically creates a new mount namespace where slirp4netns will
run and have limited access to the host resources.

It needs slirp4netns 0.4.1.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-16 16:42:11 +02:00
99983e20bb networking: use firewall plugin
drop the pkg/firewall module and start using the firewall CNI plugin.
It requires an updated package for CNI plugins.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-08-19 16:16:06 +02:00
97b84dedf3 Revert "rootless: Rearrange setup of rootless containers"
This reverts commit 80dcd4bebcdc8e280f6b43228561d09c194c328b.

Signed-off-by: baude <bbaude@redhat.com>
2019-08-06 09:51:38 -05:00
80dcd4bebc rootless: Rearrange setup of rootless containers
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes #2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
2019-07-30 23:28:52 +00:00
a78c885397 golangci-lint pass number 2
clean up and prepare to migrate to the golangci-linter

Signed-off-by: baude <bbaude@redhat.com>
2019-07-11 09:13:06 -05:00
e053e0e05e first pass of corrections for golangci-lint
Signed-off-by: baude <bbaude@redhat.com>
2019-07-10 15:52:17 -05:00
1d36501f96 code cleanup
clean up code identified as problematic by golands inspection

Signed-off-by: baude <bbaude@redhat.com>
2019-07-08 09:18:11 -05:00
143ed8b826 Vendor latest OCICNI version
This is needed for dual stack IPv6 support within CRI-O. Because the API
changed within OCICNI, we have to adapt the internal linux networking as
well.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2019-07-03 11:35:44 +02:00
92bae8d308 Begin adding support for multiple OCI runtimes
Allow Podman containers to request to use a specific OCI runtime
if multiple runtimes are configured. This is the first step to
properly supporting containers in a multi-runtime environment.

The biggest changes are that all OCI runtimes are now initialized
when Podman creates its runtime, and containers now use the
runtime requested in their configuration (instead of always the
default runtime).

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-06-19 17:08:43 -04:00
1be345bd9d Begin to break up pkg/inspect
Let's put inspect structs where they're actually being used. We
originally made pkg/inspect to solve circular import issues.
There are no more circular import issues.

Image structs remain for now, I'm focusing on container inspect.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-06-03 15:54:53 -04:00
04aa0d65b0 network: raise a clearer error when using CNI
print a clearer error message when an unprivileged user attempts to
create a network using CNI.

Closes: https://github.com/containers/libpod/issues/3118

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-05-14 15:37:47 +02:00
a0c35c394b Integration test tweaks
Wait for more than 1 second on podman info to complete.  Also, add
clarification to why slirp fails.

Signed-off-by: baude <bbaude@redhat.com>
2019-03-15 13:41:01 -05:00
bd4441b0d3 rootless: fix CI regression when using slirp4netns
Older versions of slirp4netns do not have the --disable-host-loopback
flag.

Remove the check once we are sure the updated version is available
everywhere.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-14 19:27:44 +01:00
473f28aa0d slirp4netns: use --disable-host-loopback
Closes: https://github.com/containers/libpod/issues/2642

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-14 13:59:10 +01:00
ac37fc149e slirp4netns: set mtu to 65520
it improves significantly the performance of the slirp4netns network:

777bdcccef (iperf3-netns---host)

Closes: https://github.com/containers/libpod/issues/1732

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-14 08:29:41 +01:00
e02393ba70 libpod: allow to configure path to the network-cmd binary
allow to configure the path to the network-cmd binary, either via an
option flag --network-cmd-path or through the libpod.conf
configuration file.

This is currently used to customize the path to the slirp4netns
binary.

Closes: https://github.com/containers/libpod/issues/2506

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-11 09:29:04 +01:00
f182946bef rootless: support port redirection from the host
add support for ports redirection from the host.

It needs slirp4netns v0.3.0-alpha.1.

Closes: https://github.com/containers/libpod/issues/2081

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-01-19 20:45:07 +01:00
2553dad766 Use existing interface to request IP address during restore
The initial implementation to request the same IP address for a
container during a restore was based on environment variables
influencing CNI.

With this commit the IP address selection switches to Podman's internal
static IP API.

This commit does a comment change in libpod/container_easyjson.go to
avoid unnecessary re-generation of libpod/container_easyjson.go during
build as this fails in CI. The reason for this is that make sees that
libpod/container_easyjson.go needs to be re-created. The commit,
however, only changes a part of libpod/container.go which is marked as
'ffjson: skip'.

Signed-off-by: Adrian Reber <areber@redhat.com>
2019-01-09 07:34:57 +01:00
7813f90ce6 Merge pull request #1789 from mheon/fix_add_hosts_test
Accurately update state if prepare() partially fails
2018-11-09 09:41:26 -08:00
7e15084d19 Accurately update state if prepare() partially fails
We are seeing some issues where, when part of prepare() fails
(originally noticed due to a bad static IP), the other half does
not successfully clean up, and the state can be left in a bad
place (not knowing about an active SHM mount for example).

Signed-off-by: Matthew Heon <mheon@redhat.com>
2018-11-08 16:51:57 -05:00
46e672bad6 correct assignment of networkStatus
once we changed configureNetNS to return a result beyond an error,
we need to make sure that we used locals instead of ctr attributes
when determining networks.

Resolves #1752

Signed-off-by: baude <bbaude@redhat.com>
2018-11-08 14:22:10 -06:00
ea50ce6a59 rootless: avoid hang on failed slirp4netns
If for any reason slirp4netns fails at startup, podman waits
indefinitely.  Check every second if the process is still running so
that we avoid to hang.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2018-10-31 13:08:23 +01:00
e2aef6341d run prepare in parallel
run prepare() -- which consists of creating a network namespace and
mounting the container image is now run in parallel.   This saves 25-40ms.

Signed-off-by: baude <bbaude@redhat.com>
2018-10-25 06:34:23 -05:00
5c5163107c Temporary commit to swap branches
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
2018-10-11 11:10:23 -04:00
d377a51578 Replace existing iptables handler with firewall code
Use the new firewall code vendored from CNI to replace the
existing iptables rule addition handler we had in place. This
adds proper support for firewalld and should be much better at
interacting with the firewall.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1431
Approved by: baude
2018-09-10 18:53:27 +00:00
149481a571 Fixed segfault in stats where container had netNS none or from container
Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1306
Approved by: rhatdan
2018-08-21 15:37:39 +00:00
d20f3a5146 switch projectatomic to containers
Need to get some small changes into libpod to pull back into buildah
to complete buildah transition.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1270
Approved by: mheon
2018-08-16 17:12:36 +00:00
cfcd928476 network: add support for rootless network with slirp4netns
slirp4netns is required to setup the network namespace:

https://github.com/rootless-containers/slirp4netns

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1156
Approved by: rhatdan
2018-07-31 13:39:29 +00:00
8c52aa15f0 Fix handling of Linux network namespaces
The CNI plugins upstream removed their network namespace creation
code, making it a test package only. Copy it into our repository
and slightly modify it for our use (most notably, use MNT_DETACH
when unmounting namespaces).

This new CNI code splits closing and unmounting network
namespaces, which allows us to greatly reduce the number of
occasions on which we call teardownNetwork() and make more errors
in that function fatal instead of warnings. Instead, we can call
Close() and just close the open file descriptor in cases where
the namespace has already been cleaned up.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1165
Approved by: baude
2018-07-27 02:48:15 +00:00
4f699db8da Support multiple networks
This is a refresh of Dan William's PR #974 with a rebase and proper
vendoring of ocicni and containernetworking/cni.  It adds the ability
to define multiple networks as so:

podman run --network=net1,net2,foobar ...

Signed-off-by: baude <bbaude@redhat.com>

Closes: #1082
Approved by: baude
2018-07-12 21:45:47 +00:00
cc6f0e85f9 more changes to compile darwin
this should represent the last major changes to get darwin to **compile**.  again,
the purpose here is to get darwin to compile so that we can eventually implement a
ci task that would protect against regressions for darwin compilation.

i have left the manual darwin compilation largely static still and in fact now only
interject (manually) two build tags to assist with the build.  trevor king has great
ideas on how to make this better and i will defer final implementation of those
to him.

Signed-off-by: baude <bbaude@redhat.com>

Closes: #1047
Approved by: rhatdan
2018-07-05 16:05:12 +00:00
b96be3af1b changes to allow for darwin compilation
Signed-off-by: baude <bbaude@redhat.com>

Closes: #1015
Approved by: baude
2018-06-29 20:44:09 +00:00