fixup! Add support for netns

Signed-off-by: xibz <[email protected]>

Author: xibz

go.sum

@@ -59,8 +59,6 @@ github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 h1:X0fj836zx99zF
 github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-units v0.3.3 h1:Xk8S3Xj5sLGlG5g67hJmYMmUgXv5N4PhkjJHHqrwnTk=
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20191029213755-dbf9a1e05f09 h1:JDfRpK+V2J1Es+Xm6aMJjCqvA4xv1kuWnJfeSopyDwo=
-github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20191029213755-dbf9a1e05f09/go.mod h1:tVXziw7GjioCKVjI5/agymYxUaqJM6q7cp9e6kwjo8Q=
 github.com/firecracker-microvm/firecracker-go-sdk v0.19.1-0.20191108195453-43d336c3dcbf h1:HlqW7e7IwSIHBHJg4gBN6Kz9afSnEmB3+9e4/iTbBTw=
 github.com/firecracker-microvm/firecracker-go-sdk v0.19.1-0.20191108195453-43d336c3dcbf/go.mod h1:kW0gxvPpPvMukUxxTO9DrpSlScrtrTDGY3VgjAj/Qwc=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb h1:D4uzjWwKYQ5XnAvUbuvHW93esHg7F8N/OYeBBcJoTr0=

runtime/cni_integ_test.go

@@ -39,8 +39,7 @@ import (
 )
 
 func TestCNISupport_Isolated(t *testing.T) {
-	prepareIntegTest(t)
-
+	prepareIntegTest(t, withJailer())
 	testTimeout := 120 * time.Second
 	ctx, cancel := context.WithTimeout(namespaces.WithNamespace(context.Background(), defaultNamespace), testTimeout)
 	defer cancel()

runtime/runc_jailer.go

@@ -36,6 +36,10 @@ import (
 	"github.com/firecracker-microvm/firecracker-containerd/internal/vm"
 )
 
+const (
+	networkNamespaceRuncName = "network"
+)
+
 // runcJailer uses runc to set up a jailed environment for the Firecracker VM.
 type runcJailer struct {
 	ctx    context.Context
@@ -99,7 +103,7 @@ func (j *runcJailer) JailPath() vm.Dir {
 // instance. In addition, some configuration values will be overwritten to the
 // jailed values, like SocketPath in the machineConfig.
 func (j *runcJailer) BuildJailedMachine(cfg *Config, machineConfig *firecracker.Config, vmID string) ([]firecracker.Opt, error) {
-	handler := j.BuildJailedRootHandler(cfg, &machineConfig.SocketPath, vmID)
+	handler := j.BuildJailedRootHandler(cfg, machineConfig, vmID)
 	fifoHandler := j.BuildLinkFifoHandler()
 	// Build a new client since BuildJailedRootHandler modifies the socket path value.
 	client := firecracker.NewClient(machineConfig.SocketPath, j.logger, machineConfig.Debug)
@@ -130,10 +134,10 @@ func (j *runcJailer) BuildJailedMachine(cfg *Config, machineConfig *firecracker.
 
 // BuildJailedRootHandler will populate the jail with the necessary files, which may be
 // device nodes, hard links, and/or bind-mount targets
-func (j *runcJailer) BuildJailedRootHandler(cfg *Config, socketPath *string, vmID string) firecracker.Handler {
+func (j *runcJailer) BuildJailedRootHandler(cfg *Config, machineConfig *firecracker.Config, vmID string) firecracker.Handler {
 	ociBundlePath := j.OCIBundlePath()
 	rootPath := j.RootPath()
-	*socketPath = filepath.Join(rootPath, "api.socket")
+	machineConfig.SocketPath = filepath.Join(rootPath, "api.socket")
 
 	return firecracker.Handler{
 		Name: jailerHandlerName,
@@ -146,7 +150,7 @@ func (j *runcJailer) BuildJailedRootHandler(cfg *Config, socketPath *string, vmI
 			}
 
 			j.logger.Debug("Overwritting process args of config")
-			if err := j.overwriteConfig(cfg, filepath.Base(m.Cfg.SocketPath), rootPathToConfig); err != nil {
+			if err := j.overwriteConfig(cfg, machineConfig, filepath.Base(m.Cfg.SocketPath), rootPathToConfig); err != nil {
 				return errors.Wrap(err, "failed to overwrite config.json")
 			}
 
@@ -302,7 +306,7 @@ func (j *runcJailer) ExposeFileToJail(srcPath string) error {
 }
 
 // copyFileToJail will copy a file from src to dst, and chown the new file to the jail user.
-func (j runcJailer) copyFileToJail(src, dst string, mode os.FileMode) error {
+func (j *runcJailer) copyFileToJail(src, dst string, mode os.FileMode) error {
 	if err := copyFile(src, dst, mode); err != nil {
 		return err
 	}
@@ -363,37 +367,41 @@ func (j *runcJailer) jailerCommand(containerName string, isDebug bool) *exec.Cmd
 }
 
 // overwriteConfig will set the proper default values if a field had not been set.
-func (j *runcJailer) overwriteConfig(cfg *Config, socketPath, configPath string) error {
+func (j *runcJailer) overwriteConfig(cfg *Config, machineConfig *firecracker.Config, socketPath, configPath string) error {
 	var err error
 	j.once.Do(func() {
-		if configSpec == nil {
-			spec := specs.Spec{}
-			var configBytes []byte
-			configBytes, err = ioutil.ReadFile(configPath)
-			if err != nil {
-				return
-			}
+		// here we attempt to cache the runc config. If the config has already been
+		// cached, we will return immediately
+		if configSpec != nil {
+			return
+		}
 
-			if err = json.Unmarshal(configBytes, &spec); err != nil {
-				return
-			}
+		spec := specs.Spec{}
+		var configBytes []byte
+		configBytes, err = ioutil.ReadFile(configPath)
+		if err != nil {
+			return
+		}
 
-			configSpec = &spec
+		if err = json.Unmarshal(configBytes, &spec); err != nil {
+			return
+		}
 
-			if spec.Process.User.UID != 0 ||
-				spec.Process.User.GID != 0 {
-				err = fmt.Errorf(
-					"using UID %d and GID %d, these values must not be set",
-					spec.Process.User.UID,
-					spec.Process.User.GID,
-				)
-				return
-			}
+		configSpec = &spec
 
-			spec = j.setDefaultConfigValues(cfg, socketPath, spec)
-			spec.Root.Path = rootfsFolder
-			spec.Root.Readonly = false
+		if spec.Process.User.UID != 0 ||
+			spec.Process.User.GID != 0 {
+			err = fmt.Errorf(
+				"using UID %d and GID %d, these values must not be set",
+				spec.Process.User.UID,
+				spec.Process.User.GID,
+			)
+			return
 		}
+
+		spec = j.setDefaultConfigValues(cfg, socketPath, spec)
+		spec.Root.Path = rootfsFolder
+		spec.Root.Readonly = false
 	})
 
 	if err != nil {
@@ -404,6 +412,16 @@ func (j *runcJailer) overwriteConfig(cfg *Config, socketPath, configPath string)
 	spec.Process.User.UID = j.uid
 	spec.Process.User.GID = j.gid
 
+	if machineConfig.NetNS != "" {
+		for i, ns := range spec.Linux.Namespaces {
+			if ns.Type == networkNamespaceRuncName {
+				ns.Path = machineConfig.NetNS
+				spec.Linux.Namespaces[i] = ns
+				break
+			}
+		}
+	}
+
 	configBytes, err := json.Marshal(&spec)
 	if err != nil {
 		return err
@@ -477,7 +495,7 @@ func getNetNS(spec *specs.Spec) string {
 	}
 
 	for _, ns := range spec.Linux.Namespaces {
-		if ns.Type == "network" {
+		if ns.Type == networkNamespaceRuncName {
 			return ns.Path
 		}
 	}

runtime/runc_jailer_test.go

@@ -61,22 +61,22 @@ func TestBuildJailedRootHandler_Isolated(t *testing.T) {
 		KernelImagePath:       kernelImagePath,
 		RootDrive:             rootDrivePath,
 	}
-	socketPath := "/path/to/api.socket"
+	machineConfig := firecracker.Config{
+		SocketPath:      "/path/to/api.socket",
+		KernelImagePath: kernelImagePath,
+		Drives: []models.Drive{
+			{
+				PathOnHost:   firecracker.String(rootDrivePath),
+				IsRootDevice: firecracker.Bool(true),
+				IsReadOnly:   firecracker.Bool(true),
+			},
+		},
+	}
 	vmID := "foo"
-	handler := jailer.BuildJailedRootHandler(&cfg, &socketPath, vmID)
+	handler := jailer.BuildJailedRootHandler(&cfg, &machineConfig, vmID)
 
 	machine := firecracker.Machine{
-		Cfg: firecracker.Config{
-			SocketPath:      socketPath,
-			KernelImagePath: kernelImagePath,
-			Drives: []models.Drive{
-				{
-					PathOnHost:   firecracker.String(rootDrivePath),
-					IsRootDevice: firecracker.Bool(true),
-					IsReadOnly:   firecracker.Bool(true),
-				},
-			},
-		},
+		Cfg: machineConfig,
 	}
 	err = handler.Fn(context.Background(), &machine)
 	assert.NoError(t, err, "jailed handler failed to run")

tools/docker/Dockerfile

@@ -152,7 +152,7 @@ COPY _submodules/firecracker/target/$FIRECRACKER_TARGET/release/firecracker /usr
 COPY _submodules/firecracker/target/$FIRECRACKER_TARGET/release/jailer /usr/local/bin/
 COPY _submodules/runc/runc /usr/local/bin
 COPY tools/image-builder/rootfs.img /var/lib/firecracker-containerd/runtime/default-rootfs.img
-COPY tools/docker//firecracker-runc-config.json /etc/containerd/firecracker-runc-config.json
+COPY runtime/firecracker-runc-config.json.example /etc/containerd/firecracker-runc-config.json
 
 # pull the images the tests need into the content store so we don't need internet
 # access during the tests themselves