start firecracker VM in non-default netns, when specified

aaithal · aaithal · commit 76df9377ea11 · 2019-03-04T17:13:32.000Z
If the client specifies a network namespace name in the firecracker
VM config, use that to start the firecracker process.

Signed-off-by: Anirudh Aithal &lt;aithal@amazon.com&gt;
diff --git a/go.mod b/go.mod
@@ -13,6 +13,7 @@ require (
 	github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3 // indirect
 	github.com/containerd/ttrpc v0.0.0-20181001154009-f51df4475b76
 	github.com/containerd/typeurl v0.0.0-20181015155603-461401dc8f19
+	github.com/containernetworking/plugins v0.7.4
 	github.com/coreos/go-systemd v0.0.0-20181031085051-9002847aa142 // indirect
 	github.com/docker/distribution v2.7.1+incompatible // indirect
 	github.com/docker/docker v1.13.1 // indirect
diff --git a/go.sum b/go.sum
@@ -30,6 +30,8 @@ github.com/containerd/ttrpc v0.0.0-20181001154009-f51df4475b76 h1:vUPO9S35+FvukX
 github.com/containerd/ttrpc v0.0.0-20181001154009-f51df4475b76/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
 github.com/containerd/typeurl v0.0.0-20181015155603-461401dc8f19 h1:gzdItdct+4eLnZxiZi1YcIXx3uo5QWa/xXKnsldEqY8=
 github.com/containerd/typeurl v0.0.0-20181015155603-461401dc8f19/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
+github.com/containernetworking/plugins v0.7.4 h1:ugkuXfg1Pdzm54U5DGMzreYIkZPSCmSq4rm5TIXVICA=
+github.com/containernetworking/plugins v0.7.4/go.mod h1:dagHaAhNjXjT9QYOklkKJDGaQPTg4pf//FrUcJeb7FU=
 github.com/coreos/go-systemd v0.0.0-20181031085051-9002847aa142 h1:3jFq2xL4ZajGK4aZY8jz+DAF0FHjI51BXjjSwCzS1Dk=
 github.com/coreos/go-systemd v0.0.0-20181031085051-9002847aa142/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
diff --git a/runtime/service.go b/runtime/service.go
@@ -22,6 +22,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	pkgruntime "runtime"
 	"syscall"
 	"time"
 	"unsafe"
@@ -37,6 +38,7 @@ import (
 	"github.com/containerd/fifo"
 	"github.com/containerd/ttrpc"
 	"github.com/containerd/typeurl"
+	"github.com/containernetworking/plugins/pkg/ns"
 	firecracker "github.com/firecracker-microvm/firecracker-go-sdk"
 	models "github.com/firecracker-microvm/firecracker-go-sdk/client/models"
 	ptypes "github.com/gogo/protobuf/types"
@@ -52,6 +54,7 @@ import (
 const (
 	defaultVsockPort     = 10789
 	supportedMountFSType = "ext4"
+	namedNetNSPath       = "/var/run/netns/"
 )
 
 // implements shimapi
@@ -683,7 +686,7 @@ func (s *service) startVM(ctx context.Context,
 	s.machineCID = cid
 
 	log.G(ctx).Info("starting instance")
-	if err := s.machine.Start(vmmCtx); err != nil {
+	if err := s.netNSStartVM(vmmCtx, vmConfig); err != nil {
 		return nil, err
 	}
 
@@ -702,6 +705,30 @@ func (s *service) startVM(ctx context.Context,
 	return apiClient, nil
 }
 
+// netNSStartVM starts the firecracker process with the network namespace
+// specified in the VM config. If the namespace is not specified, the process
+// is started in the default network namespace.
+func (s *service) netNSStartVM(vmmCtx context.Context, vmConfig *proto.FirecrackerConfig) error {
+	netNSName := netNSFromProto(vmConfig)
+	if netNSName == "" {
+		return s.machine.Start(vmmCtx)
+	}
+	// Get the network namespace handle.
+	netNS, err := ns.GetNS(namedNetNSPath + netNSName)
+	if err != nil {
+		return errors.Wrapf(err, "unable to find netns %s", netNSName)
+	}
+	// It's unsafe to switch network namespaces without locking down the OS
+	// thread. Lock it for the start VM operation.
+	pkgruntime.LockOSThread()
+	defer pkgruntime.UnlockOSThread()
+
+	return netNS.Do(func(_ ns.NetNS) error {
+		// Start the firecracker process in the target network namespace.
+		return s.machine.Start(vmmCtx)
+	})
+}
+
 func (s *service) stopVM() error {
 	return s.machine.StopVMM()
 }
diff --git a/runtime/taskfirecrackeropts.go b/runtime/taskfirecrackeropts.go
@@ -69,6 +69,16 @@ func overrideVMConfigFromTaskOpts(
 	return cfg, drivesBuilder, nil
 }
 
+// netNSFromProto returns the network namespace set, if any in the protobuf
+// message.
+func netNSFromProto(vmConfig *proto.FirecrackerConfig) string {
+	if vmConfig != nil {
+		return vmConfig.FirecrackerNetworkNamespace
+	}
+
+	return ""
+}
+
 // networkConfigFromProto creates a firecracker NetworkInterface object from
 // the protobuf FirecrackerNetworkInterface message.
 func networkConfigFromProto(nwIface *proto.FirecrackerNetworkInterface) firecracker.NetworkInterface {

-Original file line number
+Diff line change
 	github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3 // indirect
 	github.com/containerd/ttrpc v0.0.0-20181001154009-f51df4475b76
 	github.com/containerd/typeurl v0.0.0-20181015155603-461401dc8f19
 +	github.com/containernetworking/plugins v0.7.4
 	github.com/coreos/go-systemd v0.0.0-20181031085051-9002847aa142 // indirect
 	github.com/docker/distribution v2.7.1+incompatible // indirect
 	github.com/docker/docker v1.13.1 // indirect