fixup! Add support for netns

Signed-off-by: xibz <[email protected]>

Author: xibz

runtime/cni_integ_test.go

@@ -39,8 +39,18 @@ import (
 )
 
 func TestCNISupport_Isolated(t *testing.T) {
-	prepareIntegTest(t)
+	t.Run("With jailer", func(t *testing.T) {
+		prepareIntegTest(t, withJailer())
+		testCNISupport(t)
+	})
+
+	t.Run("Without jailer", func(t *testing.T) {
+		prepareIntegTest(t)
+		testCNISupport(t)
+	})
+}
 
+func testCNISupport(t *testing.T) {
 	testTimeout := 120 * time.Second
 	ctx, cancel := context.WithTimeout(namespaces.WithNamespace(context.Background(), defaultNamespace), testTimeout)
 	defer cancel()

runtime/runc_jailer.go

@@ -36,6 +36,10 @@ import (
 	"github.com/firecracker-microvm/firecracker-containerd/internal/vm"
 )
 
+const (
+	networkNamespaceRuncName = "network"
+)
+
 // runcJailer uses runc to set up a jailed environment for the Firecracker VM.
 type runcJailer struct {
 	ctx    context.Context
@@ -97,7 +101,7 @@ func (j *runcJailer) JailPath() vm.Dir {
 // instance. In addition, some configuration values will be overwritten to the
 // jailed values, like SocketPath in the machineConfig.
 func (j *runcJailer) BuildJailedMachine(cfg *Config, machineConfig *firecracker.Config, vmID string) ([]firecracker.Opt, error) {
-	handler := j.BuildJailedRootHandler(cfg, &machineConfig.SocketPath, vmID)
+	handler := j.BuildJailedRootHandler(cfg, machineConfig, vmID)
 	fifoHandler := j.BuildLinkFifoHandler()
 	// Build a new client since BuildJailedRootHandler modifies the socket path value.
 	client := firecracker.NewClient(machineConfig.SocketPath, j.logger, machineConfig.Debug)
@@ -128,10 +132,10 @@ func (j *runcJailer) BuildJailedMachine(cfg *Config, machineConfig *firecracker.
 
 // BuildJailedRootHandler will populate the jail with the necessary files, which may be
 // device nodes, hard links, and/or bind-mount targets
-func (j *runcJailer) BuildJailedRootHandler(cfg *Config, socketPath *string, vmID string) firecracker.Handler {
+func (j *runcJailer) BuildJailedRootHandler(cfg *Config, machineConfig *firecracker.Config, vmID string) firecracker.Handler {
 	ociBundlePath := j.OCIBundlePath()
 	rootPath := j.RootPath()
-	*socketPath = filepath.Join(rootPath, "api.socket")
+	machineConfig.SocketPath = filepath.Join(rootPath, "api.socket")
 
 	return firecracker.Handler{
 		Name: jailerHandlerName,
@@ -144,7 +148,7 @@ func (j *runcJailer) BuildJailedRootHandler(cfg *Config, socketPath *string, vmI
 			}
 
 			j.logger.Debug("Overwritting process args of config")
-			if err := j.overwriteConfig(cfg, filepath.Base(m.Cfg.SocketPath), rootPathToConfig); err != nil {
+			if err := j.overwriteConfig(cfg, machineConfig, filepath.Base(m.Cfg.SocketPath), rootPathToConfig); err != nil {
 				return errors.Wrap(err, "failed to overwrite config.json")
 			}
 
@@ -363,7 +367,7 @@ func (j *runcJailer) jailerCommand(containerName string, isDebug bool) *exec.Cmd
 }
 
 // overwriteConfig will set the proper default values if a field had not been set.
-func (j *runcJailer) overwriteConfig(cfg *Config, socketPath, configPath string) error {
+func (j *runcJailer) overwriteConfig(cfg *Config, machineConfig *firecracker.Config, socketPath, configPath string) error {
 	var err error
 	j.once.Do(func() {
 		if configSpec == nil {
@@ -404,6 +408,26 @@ func (j *runcJailer) overwriteConfig(cfg *Config, socketPath, configPath string)
 	spec.Process.User.UID = j.uid
 	spec.Process.User.GID = j.gid
 
+	// remove the network namespace if there exists a CNI
+	if hasCNI(machineConfig.NetworkInterfaces) {
+		namespaces := []specs.LinuxNamespace{}
+		for _, ns := range spec.Linux.Namespaces {
+			if ns.Type != networkNamespaceRuncName {
+				namespaces = append(namespaces, ns)
+			}
+		}
+
+		spec.Linux.Namespaces = namespaces
+	} else if machineConfig.NetNS != "" {
+		for i, ns := range spec.Linux.Namespaces {
+			if ns.Type == networkNamespaceRuncName {
+				ns.Path = machineConfig.NetNS
+				spec.Linux.Namespaces[i] = ns
+				break
+			}
+		}
+	}
+
 	configBytes, err := json.Marshal(&spec)
 	if err != nil {
 		return err
@@ -477,10 +501,20 @@ func getNetNS(spec *specs.Spec) string {
 	}
 
 	for _, ns := range spec.Linux.Namespaces {
-		if ns.Type == "network" {
+		if ns.Type == networkNamespaceRuncName {
 			return ns.Path
 		}
 	}
 
 	return ""
 }
+
+func hasCNI(interfaces firecracker.NetworkInterfaces) bool {
+	for _, iface := range interfaces {
+		if iface.CNIConfiguration != nil {
+			return true
+		}
+	}
+
+	return false
+}

runtime/runc_jailer_test.go

@@ -61,21 +61,21 @@ func TestBuildJailedRootHandler_Isolated(t *testing.T) {
 		KernelImagePath:       kernelImagePath,
 		RootDrive:             rootDrivePath,
 	}
-	socketPath := "/path/to/api.socket"
+	machineConfig := firecracker.Config{
+		SocketPath:      "/path/to/api.socket",
+		KernelImagePath: kernelImagePath,
+		Drives: []models.Drive{
+			{
+				PathOnHost:   firecracker.String(rootDrivePath),
+				IsRootDevice: firecracker.Bool(true),
+			},
+		},
+	}
 	vmID := "foo"
-	handler := jailer.BuildJailedRootHandler(&cfg, &socketPath, vmID)
+	handler := jailer.BuildJailedRootHandler(&cfg, &machineConfig, vmID)
 
 	machine := firecracker.Machine{
-		Cfg: firecracker.Config{
-			SocketPath:      socketPath,
-			KernelImagePath: kernelImagePath,
-			Drives: []models.Drive{
-				{
-					PathOnHost:   firecracker.String(rootDrivePath),
-					IsRootDevice: firecracker.Bool(true),
-				},
-			},
-		},
+		Cfg: machineConfig,
 	}
 	err = handler.Fn(context.Background(), &machine)
 	assert.NoError(t, err, "jailed handler failed to run")

tools/docker/Dockerfile

@@ -151,7 +151,7 @@ COPY _submodules/firecracker/target/$FIRECRACKER_TARGET/release/firecracker /usr
 COPY _submodules/firecracker/target/$FIRECRACKER_TARGET/release/jailer /usr/local/bin/
 COPY _submodules/runc/runc /usr/local/bin
 COPY tools/image-builder/rootfs.img /var/lib/firecracker-containerd/runtime/default-rootfs.img
-COPY tools/docker//firecracker-runc-config.json /etc/containerd/firecracker-runc-config.json
+COPY runtime/firecracker-runc-config.json.example /etc/containerd/firecracker-runc-config.json
 
 # pull the images the tests need into the content store so we don't need internet
 # access during the tests themselves