CI: add oci-rootless-slirp4netns-detachnetns

Signed-off-by: Akihiro Suda <[email protected]>

.github/workflows/.test.yml

@@ -115,6 +115,7 @@ jobs:
           - containerd-snapshotter-stargz
           - oci
           - oci-rootless
+          - oci-rootless-slirp4netns-detachnetns
           - oci-snapshotter-stargz
         pkg: ${{ fromJson(needs.prepare.outputs.pkgs) }}
         kind: ${{ fromJson(needs.prepare.outputs.kinds) }}

Dockerfile

@@ -5,7 +5,7 @@ ARG CONTAINERD_VERSION=v1.7.11
 # containerd v1.6 for integration tests
 ARG CONTAINERD_ALT_VERSION_16=v1.6.24
 ARG REGISTRY_VERSION=2.8.3
-ARG ROOTLESSKIT_VERSION=v1.0.1
+ARG ROOTLESSKIT_VERSION=v2.0.0
 ARG CNI_VERSION=v1.3.0
 ARG STARGZ_SNAPSHOTTER_VERSION=v0.14.3
 ARG NERDCTL_VERSION=v1.6.2
@@ -327,7 +327,7 @@ COPY --link --from=buildkitd /usr/bin/buildkitd /buildkitd.exe
 
 FROM buildkit-base AS integration-tests-base
 ENV BUILDKIT_INTEGRATION_ROOTLESS_IDPAIR="1000:1000"
-RUN apk add --no-cache shadow shadow-uidmap sudo vim iptables ip6tables dnsmasq fuse curl git-daemon openssh-client \
+RUN apk add --no-cache shadow shadow-uidmap sudo vim iptables ip6tables dnsmasq fuse curl git-daemon openssh-client slirp4netns iproute2 \
   && useradd --create-home --home-dir /home/user --uid 1000 -s /bin/sh user \
   && echo "XDG_RUNTIME_DIR=/run/user/1000; export XDG_RUNTIME_DIR" >> /home/user/.profile \
   && mkdir -m 0700 -p /run/user/1000 \

client/client_test.go

@@ -313,7 +313,7 @@ func testBridgeNetworking(t *testing.T, sb integration.Sandbox) {
 	if os.Getenv("BUILDKIT_RUN_NETWORK_INTEGRATION_TESTS") == "" {
 		t.SkipNow()
 	}
-	if sb.Rootless() {
+	if sb.Rootless() { // bridge is not used by default, even with detach-netns
 		t.SkipNow()
 	}
 	c, err := New(sb.Context(), sb.Address())
@@ -563,7 +563,7 @@ func testExportBusyboxLocal(t *testing.T, sb integration.Sandbox) {
 
 func testHostnameLookup(t *testing.T, sb integration.Sandbox) {
 	integration.SkipOnPlatform(t, "windows")
-	if sb.Rootless() {
+	if sb.Rootless() { // bridge is not used by default, even with detach-netns
 		t.SkipNow()
 	}
 
@@ -583,7 +583,7 @@ func testHostnameLookup(t *testing.T, sb integration.Sandbox) {
 // moby/buildkit#1301
 func testHostnameSpecifying(t *testing.T, sb integration.Sandbox) {
 	integration.SkipOnPlatform(t, "windows")
-	if sb.Rootless() {
+	if sb.Rootless() { // bridge is not used by default, even with detach-netns
 		t.SkipNow()
 	}
 

frontend/dockerfile/dockerfile_runnetwork_test.go

@@ -31,7 +31,7 @@ func testRunDefaultNetwork(t *testing.T, sb integration.Sandbox) {
 	if os.Getenv("BUILDKIT_RUN_NETWORK_INTEGRATION_TESTS") == "" {
 		t.SkipNow()
 	}
-	if sb.Rootless() {
+	if sb.Rootless() { // bridge is not used by default, even with detach-netns
 		t.SkipNow()
 	}
 

util/testutil/integration/run.go

@@ -38,6 +38,7 @@ type Backend interface {
 	ContainerdAddress() string
 
 	Rootless() bool
+	NetNSDetached() bool
 	Snapshotter() string
 	Supports(feature string) bool
 }
@@ -66,6 +67,7 @@ type Worker interface {
 	Close() error
 	Name() string
 	Rootless() bool
+	NetNSDetached() bool
 }
 
 type ConfigUpdater interface {

util/testutil/workers/backend.go

@@ -10,6 +10,7 @@ type backend struct {
 	dockerAddress       string
 	containerdAddress   string
 	rootless            bool
+	netnsDetached       bool
 	snapshotter         string
 	unsupportedFeatures []string
 	isDockerd           bool
@@ -31,6 +32,10 @@ func (b backend) Rootless() bool {
 	return b.rootless
 }
 
+func (b backend) NetNSDetached() bool {
+	return b.netnsDetached
+}
+
 func (b backend) Snapshotter() string {
 	return b.snapshotter
 }

util/testutil/workers/containerd.go

@@ -55,6 +55,8 @@ func InitContainerdWorker() {
 				GID:         gid,
 				Snapshotter: "native", // TODO: test with fuse-overlayfs as well, or automatically determine snapshotter
 			})
+
+			// TODO: add RootlessKitDetachNetNS after updating containerd-rootless.sh to include https://github.com/containerd/nerdctl/pull/2723
 		}
 	}
 
@@ -84,6 +86,10 @@ func (c *Containerd) Rootless() bool {
 	return c.UID != 0
 }
 
+func (c *Containerd) NetNSDetached() bool {
+	return false
+}
+
 func (c *Containerd) New(ctx context.Context, cfg *integration.BackendConfig) (b integration.Backend, cl func() error, err error) {
 	if err := integration.LookupBinary(c.Containerd); err != nil {
 		return nil, nil, err
@@ -236,6 +242,7 @@ disabled_plugins = ["cri"]
 		address:           buildkitdSock,
 		containerdAddress: address,
 		rootless:          rootless,
+		netnsDetached:     false,
 		snapshotter:       c.Snapshotter,
 	}, cl, nil
 }

util/testutil/workers/dockerd.go

@@ -71,6 +71,10 @@ func (c Moby) Rootless() bool {
 	return c.IsRootless
 }
 
+func (c Moby) NetNSDetached() bool {
+	return false
+}
+
 func (c Moby) New(ctx context.Context, cfg *integration.BackendConfig) (b integration.Backend, cl func() error, err error) {
 	if err := requireRoot(); err != nil {
 		return nil, nil, err
@@ -224,6 +228,7 @@ func (c Moby) New(ctx context.Context, cfg *integration.BackendConfig) (b integr
 		address:             "unix://" + listener.Addr().String(),
 		dockerAddress:       d.Sock(),
 		rootless:            c.IsRootless,
+		netnsDetached:       false,
 		isDockerd:           true,
 		unsupportedFeatures: c.Unsupported,
 	}, cl, nil

util/testutil/workers/oci.go

@@ -19,10 +19,12 @@ func InitOCIWorker() {
 }
 
 type OCI struct {
-	ID          string
-	UID         int
-	GID         int
-	Snapshotter string
+	ID                     string
+	UID                    int
+	GID                    int
+	Snapshotter            string
+	RootlessKitNet         string // e.g., "slirp4netns"
+	RootlessKitDetachNetNS bool   // needs RootlessKitNet to be non-host network
 }
 
 func (s *OCI) Name() string {
@@ -33,6 +35,10 @@ func (s *OCI) Rootless() bool {
 	return s.UID != 0
 }
 
+func (s *OCI) NetNSDetached() bool {
+	return s.Rootless() && s.RootlessKitDetachNetNS
+}
+
 func (s *OCI) New(ctx context.Context, cfg *integration.BackendConfig) (integration.Backend, func() error, error) {
 	if err := integration.LookupBinary("buildkitd"); err != nil {
 		return nil, nil, err
@@ -52,8 +58,19 @@ func (s *OCI) New(ctx context.Context, cfg *integration.BackendConfig) (integrat
 		if s.GID == 0 {
 			return nil, nil, errors.Errorf("unsupported id pair: uid=%d, gid=%d", s.UID, s.GID)
 		}
+		var rootlessKitArgs []string
+		switch s.RootlessKitNet {
+		case "", "host":
+		// NOP
+		default:
+			// See docs/rootless.md
+			rootlessKitArgs = append(rootlessKitArgs, "--net="+s.RootlessKitNet, "--copy-up=/etc", "--disable-host-loopback")
+		}
+		if s.RootlessKitDetachNetNS {
+			rootlessKitArgs = append(rootlessKitArgs, "--detach-netns")
+		}
 		// TODO: make sure the user exists and subuid/subgid are configured.
-		buildkitdArgs = append([]string{"sudo", "-u", fmt.Sprintf("#%d", s.UID), "-i", "--", "exec", "rootlesskit"}, buildkitdArgs...)
+		buildkitdArgs = append(append([]string{"sudo", "-u", fmt.Sprintf("#%d", s.UID), "-i", "--", "exec", "rootlesskit"}, rootlessKitArgs...), buildkitdArgs...)
 	}
 
 	var extraEnv []string
@@ -67,9 +84,10 @@ func (s *OCI) New(ctx context.Context, cfg *integration.BackendConfig) (integrat
 	}
 
 	return backend{
-		address:     buildkitdSock,
-		rootless:    s.UID != 0,
-		snapshotter: s.Snapshotter,
+		address:       buildkitdSock,
+		rootless:      s.UID != 0,
+		netnsDetached: s.NetNSDetached(),
+		snapshotter:   s.Snapshotter,
 	}, stop, nil
 }
 

util/testutil/workers/oci_unix.go

@@ -22,6 +22,8 @@ func initOCIWorker() {
 		}
 		if integration.RootlessSupported(uid) {
 			integration.Register(&OCI{ID: "oci-rootless", UID: uid, GID: gid})
+			integration.Register(&OCI{ID: "oci-rootless-slirp4netns-detachnetns", UID: uid, GID: gid,
+				RootlessKitNet: "slirp4netns", RootlessKitDetachNetNS: true})
 		}
 	}