Implement CreateRuntime, Poststop hooks #46
Conversation
jail/conf.go
Outdated
| @@ -31,6 +31,7 @@ const ( | |||
| vnet.interface = "{{ join .VNetInterface ", " }}"; | |||
| {{- end }} | |||
| persist; | |||
| vnet; // FIXME: this must not be hardcoded | |||
There was a problem hiding this comment.
sic! need to figure out how to avoid hardcoding.
There was a problem hiding this comment.
In ocijail, I'm using annotations to let the container engine communicate what it needs to the OCI runtime. This should really be part of a FreeBSD extension to the OCI runtime spec but we don't have that yet.
There was a problem hiding this comment.
Lines 27-29 already have this handled as part of the existing extensions. Can you use that?
There was a problem hiding this comment.
The original idea was to have something that works with nerdctl from the start, so I hardcoded it just for the sake of illustration. I guess we're going to standardize the extensions, so I fixed that, thanks!
There was a problem hiding this comment.
nerdctl can also use the extensions until they've been standardized. That's what I've done with my ctr demos so far.
|
My CNI plugins are written to assume that they have access to the host's network utilities such as ifconfig and route. This is partly why I use a separately managed network jail as parent for the OCI jail. We cannot assume that these utilities exist inside the container image and we should not trust them even if they are present. In theory, it should be possible to use AF_NETLINK instead of ifconfig which would involve getting a netlink socket for the jail's vnet, e.g. by forking, attaching to the jail and sending a netlink socket fd back via a control message. Probably also would need to add freebsd support to github.com/vishvananda/netlink which is a fair bit of work. This approach would avoid the second network jail for simple containers. |
|
sadly, the go runtime doesn't support netlink on FreeBSD yet ref, golang/go#59865 |
I forgot about that part - the go runtime probably won't move forward to 13.2+ era until stable/12 reaches end of life. |
|
it especially won't do so, unless someone from FreeBSD submits patches. |
Inside the jail can't we just use ioctls that back ifconfig's functionality ( For I did that in my budget version of "CNI". (interface manipulations: https://github.com/akhramov/knast/blob/8c9f5f481a467a22c7cc47f11a28fe52536f9950/netzwerk/src/interface/operations.rs), (route: https://github.com/akhramov/knast/blob/8c9f5f481a467a22c7cc47f11a28fe52536f9950/netzwerk/src/route/bindings.rs) I can imagine that in go it may be way harder, though. |
|
That would also work but as you say, it might be messy in go. Also, since attaching to the jail is one way, it will need some rexec magic or similar to create a child process to enter the jail and perform the actions. |
|
One further option which is available in 14-current is that both ifconfig and route support a new '-j' option to perform the operations withing the specified jail. Looking at the commit logs, both changes wre intended to be merged to stable/13 but I don't think this has happened yet. This would be the lowest cost option for managing network state without needing two jails. |
|
if those options haven't been merged to stable/13 yet, we should prod somebody. |
|
I commented on https://reviews.freebsd.org/D40213 to suggest the MFC. For network stats in podman and cri-o, I would also need a corresponding change to netstat but that should be straightforward. |
|
I spent some time working on the plugins today and the 'ifconfig -j ' approach is viable - we can use a single jail with vnet=new for the container and the host's ifconfig and route utilities can safely initialise it after the call to OCI create and before OCI start. I will merge the ifconfig and route changes to stable/13 later this week so this should work in 13.3 as well as 14.0. |
jail/conf.go
Outdated
There was a problem hiding this comment.
A bit off topic,
I have not read the source code fully, but I think maybe it is better to corp with cli interface rather than the conf, then it will be flexible to add / regenerate options when creating jails.
We can move runj up to either of those releases. Since runj is still experimental, I don't have a problem targeting only recent versions of FreeBSD. |
jail/conf.go
Outdated
| @@ -31,6 +31,7 @@ const ( | |||
| vnet.interface = "{{ join .VNetInterface ", " }}"; | |||
| {{- end }} | |||
| persist; | |||
| vnet; // FIXME: this must not be hardcoded | |||
There was a problem hiding this comment.
Lines 27-29 already have this handled as part of the existing extensions. Can you use that?
akhramov
force-pushed
the
feature/CNI-jails
branch
from
f9584d9 to
d38188f
Compare
akhramov
force-pushed
the
feature/CNI-jails
branch
3 times, most recently
from
a00577b to
6fd0dcd
Compare
samuelkarp
force-pushed
the
feature/CNI-jails
branch
from
6fd0dcd to
ebe2b6e
Compare
Rebased to try and make CI pass. |
For CNI Networking, nerdctl sets up CreateRuntime and Poststop hooks. However runj does not support hooks at all. This change - adds preliminary support for hooks Signed-off-by: Artem Khramov <[email protected]>
Signed-off-by: Samuel Karp <[email protected]>
samuelkarp
force-pushed
the
feature/CNI-jails
branch
from
ebe2b6e to
d4ac22c
Compare
|
I've fixed a few issues with the tests (the whole setup of the integration tests is fairly hacky and not super resilient, nothing wrong with your code) and added a missing nil check for hooks. That makes the tests pass, but there's a bit of cruft left over since I'm going to merge this anyway, since the functionality is good and there are actual tests. If you want to take a crack at fixing |
Issue number:
Description of changes:
For CNI Networking, nerdctl sets up CreateRuntime and Poststop hooks. However runj does not support hooks at all.
This change
Testing done:
containerd/nerdctl/CNI plugins manual integration testing
Terms of contribution:
By submitting this pull request, I agree that this contribution is licensed under the terms found in the LICENSE file.