Add support for netns

This change allows for users to pass in a custom network namespace in
the create vm request. This will then pass that netns to the SDK which
will run the VM in that netns.

Signed-off-by: xibz <[email protected]>

Author: xibz

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/docker/go-events v0.0.0-20170721190031-9461782956ad // indirect
 	github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 // indirect
 	github.com/docker/go-units v0.3.3
-	github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20191029213755-dbf9a1e05f09
+	github.com/firecracker-microvm/firecracker-go-sdk v0.19.1-0.20191108195453-43d336c3dcbf
 	github.com/go-ole/go-ole v1.2.4 // indirect
 	github.com/godbus/dbus v0.0.0-20181025153459-66d97aec3384 // indirect
 	github.com/gofrs/uuid v3.2.0+incompatible

go.sum

@@ -61,6 +61,8 @@ github.com/docker/go-units v0.3.3 h1:Xk8S3Xj5sLGlG5g67hJmYMmUgXv5N4PhkjJHHqrwnTk
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20191029213755-dbf9a1e05f09 h1:JDfRpK+V2J1Es+Xm6aMJjCqvA4xv1kuWnJfeSopyDwo=
 github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20191029213755-dbf9a1e05f09/go.mod h1:tVXziw7GjioCKVjI5/agymYxUaqJM6q7cp9e6kwjo8Q=
+github.com/firecracker-microvm/firecracker-go-sdk v0.19.1-0.20191108195453-43d336c3dcbf h1:HlqW7e7IwSIHBHJg4gBN6Kz9afSnEmB3+9e4/iTbBTw=
+github.com/firecracker-microvm/firecracker-go-sdk v0.19.1-0.20191108195453-43d336c3dcbf/go.mod h1:kW0gxvPpPvMukUxxTO9DrpSlScrtrTDGY3VgjAj/Qwc=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb h1:D4uzjWwKYQ5XnAvUbuvHW93esHg7F8N/OYeBBcJoTr0=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=

proto/firecracker.pb.go

@@ -72,5 +72,6 @@ message GetVMMetadataResponse {
 }
 
 message JailerConfig {
+    string NetNS = 1;
 }
 

proto/firecracker.proto

@@ -23,6 +23,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"sync"
 	"syscall"
 
 	"github.com/firecracker-microvm/firecracker-go-sdk"
@@ -46,10 +47,13 @@ type runcJailer struct {
 	runcBinaryPath string
 	uid            uint32
 	gid            uint32
+	once           sync.Once
 }
 
 const firecrackerFileName = "firecracker"
 
+var configSpec *specs.Spec
+
 func newRuncJailer(ctx context.Context, logger *logrus.Entry, ociBundlePath, runcBinPath string, uid, gid uint32) (*runcJailer, error) {
 	l := logger.WithField("ociBundlePath", ociBundlePath).
 		WithField("runcBinaryPath", runcBinPath)
@@ -77,17 +81,17 @@ func newRuncJailer(ctx context.Context, logger *logrus.Entry, ociBundlePath, run
 
 // JailPath returns the base directory from where the jail binary will be ran
 // from
-func (j runcJailer) OCIBundlePath() string {
+func (j *runcJailer) OCIBundlePath() string {
 	return j.ociBundlePath
 }
 
 // RootPath returns the root fs of the jailed system.
-func (j runcJailer) RootPath() string {
+func (j *runcJailer) RootPath() string {
 	return filepath.Join(j.OCIBundlePath(), rootfsFolder)
 }
 
 // JailPath will return the OCI bundle rootfs path
-func (j runcJailer) JailPath() vm.Dir {
+func (j *runcJailer) JailPath() vm.Dir {
 	return vm.Dir(j.RootPath())
 }
 
@@ -100,6 +104,12 @@ func (j *runcJailer) BuildJailedMachine(cfg *Config, machineConfig *firecracker.
 	// Build a new client since BuildJailedRootHandler modifies the socket path value.
 	client := firecracker.NewClient(machineConfig.SocketPath, j.logger, machineConfig.Debug)
 
+	if machineConfig.NetNS == "" {
+		if netns := getNetNS(configSpec); netns != "" {
+			machineConfig.NetNS = netns
+		}
+	}
+
 	opts := []firecracker.Opt{
 		firecracker.WithProcessRunner(j.jailerCommand(vmID, cfg.Debug)),
 		firecracker.WithClient(client),
@@ -206,7 +216,7 @@ func (j *runcJailer) BuildJailedRootHandler(cfg *Config, socketPath *string, vmI
 
 // BuildLinkFifoHandler will return a new firecracker.Handler with the function
 // that will allow linking of the fifos making them visible to Firecracker.
-func (j runcJailer) BuildLinkFifoHandler() firecracker.Handler {
+func (j *runcJailer) BuildLinkFifoHandler() firecracker.Handler {
 	return firecracker.Handler{
 		Name: jailerFifoHandlerName,
 		Fn: func(ctx context.Context, m *firecracker.Machine) error {
@@ -232,7 +242,7 @@ func (j runcJailer) BuildLinkFifoHandler() firecracker.Handler {
 
 // StubDrivesOptions will return a set of options used to create a new stub
 // drive handler.
-func (j runcJailer) StubDrivesOptions() []stubDrivesOpt {
+func (j *runcJailer) StubDrivesOptions() []stubDrivesOpt {
 	return []stubDrivesOpt{
 		func(drives []models.Drive) error {
 			for _, drive := range drives {
@@ -251,7 +261,7 @@ func (j runcJailer) StubDrivesOptions() []stubDrivesOpt {
 // the jail. For block devices we will use mknod to create the device and then
 // set the correct permissions to ensure visibility in the jail. Regular files
 // will be copied into the jail.
-func (j runcJailer) ExposeFileToJail(srcPath string) error {
+func (j *runcJailer) ExposeFileToJail(srcPath string) error {
 	uid := j.uid
 	gid := j.gid
 
@@ -340,7 +350,7 @@ func copyFile(src, dst string, mode os.FileMode) error {
 	return nil
 }
 
-func (j runcJailer) jailerCommand(containerName string, isDebug bool) *exec.Cmd {
+func (j *runcJailer) jailerCommand(containerName string, isDebug bool) *exec.Cmd {
 	cmd := exec.CommandContext(j.ctx, j.runcBinaryPath, "run", containerName)
 	cmd.Dir = j.OCIBundlePath()
 
@@ -353,36 +363,48 @@ func (j runcJailer) jailerCommand(containerName string, isDebug bool) *exec.Cmd
 }
 
 // overwriteConfig will set the proper default values if a field had not been set.
-//
-// TODO: Add netns
-func (j runcJailer) overwriteConfig(cfg *Config, socketPath, configPath string) error {
-	spec := specs.Spec{}
-	configBytes, err := ioutil.ReadFile(configPath)
-	if err != nil {
-		return err
-	}
+func (j *runcJailer) overwriteConfig(cfg *Config, socketPath, configPath string) error {
+	var err error
+	j.once.Do(func() {
+		if configSpec == nil {
+			spec := specs.Spec{}
+			var configBytes []byte
+			configBytes, err = ioutil.ReadFile(configPath)
+			if err != nil {
+				return
+			}
 
-	if err := json.Unmarshal(configBytes, &spec); err != nil {
-		return err
-	}
+			if err = json.Unmarshal(configBytes, &spec); err != nil {
+				return
+			}
 
-	if spec.Process.User.UID != 0 ||
-		spec.Process.User.GID != 0 {
-		return fmt.Errorf(
-			"using UID %d and GID %d, these values must not be set",
-			spec.Process.User.UID,
-			spec.Process.User.GID,
-		)
-	}
+			configSpec = &spec
 
-	spec = j.setDefaultConfigValues(cfg, socketPath, spec)
+			if spec.Process.User.UID != 0 ||
+				spec.Process.User.GID != 0 {
+				err = fmt.Errorf(
+					"using UID %d and GID %d, these values must not be set",
+					spec.Process.User.UID,
+					spec.Process.User.GID,
+				)
+				return
+			}
 
-	spec.Root.Path = rootfsFolder
-	spec.Root.Readonly = false
+			spec = j.setDefaultConfigValues(cfg, socketPath, spec)
+			spec.Root.Path = rootfsFolder
+			spec.Root.Readonly = false
+		}
+	})
+
+	if err != nil {
+		return err
+	}
+
+	spec := *configSpec
 	spec.Process.User.UID = j.uid
 	spec.Process.User.GID = j.gid
 
-	configBytes, err = json.Marshal(&spec)
+	configBytes, err := json.Marshal(&spec)
 	if err != nil {
 		return err
 	}
@@ -396,7 +418,7 @@ func (j runcJailer) overwriteConfig(cfg *Config, socketPath, configPath string)
 
 // setDefaultConfigValues will process the spec file provided and allow any
 // empty/zero values to be replaced with default values.
-func (j runcJailer) setDefaultConfigValues(cfg *Config, socketPath string, spec specs.Spec) specs.Spec {
+func (j *runcJailer) setDefaultConfigValues(cfg *Config, socketPath string, spec specs.Spec) specs.Spec {
 	if spec.Process == nil {
 		spec.Process = &specs.Process{}
 	}
@@ -448,3 +470,17 @@ func mkdirAllWithPermissions(path string, mode os.FileMode, uid, gid uint32) err
 
 	return nil
 }
+
+func getNetNS(spec *specs.Spec) string {
+	if spec == nil {
+		return ""
+	}
+
+	for _, ns := range spec.Linux.Namespaces {
+		if ns.Type == "network" {
+			return ns.Path
+		}
+	}
+
+	return ""
+}

runtime/runc_jailer.go

@@ -712,6 +712,10 @@ func (s *service) buildVMConfiguration(req *proto.CreateVMRequest) (*firecracker
 		VMID:        s.vmID,
 	}
 
+	if req.JailerConfig != nil {
+		cfg.NetNS = req.JailerConfig.NetNS
+	}
+
 	s.logger.Debugf("using socket path: %s", cfg.SocketPath)
 
 	// Kernel configuration