Merge pull request #281 from sipsma/use-firewall

Add firewall plugin to demo-network configuration.

Author: sipsma

Makefile

@@ -147,6 +147,10 @@ HOSTLOCAL_BIN?=$(CNI_BIN_ROOT)/host-local
 $(HOSTLOCAL_BIN): $(CNI_BIN_ROOT)
 	GOBIN=$(CNI_BIN_ROOT) GO111MODULE=off go get -u github.com/containernetworking/plugins/plugins/ipam/host-local
 
+FIREWALL_BIN?=$(CNI_BIN_ROOT)/firewall
+$(FIREWALL_BIN): $(CNI_BIN_ROOT)
+	GOBIN=$(CNI_BIN_ROOT) GO111MODULE=off go get -u github.com/containernetworking/plugins/plugins/meta/firewall
+
 TC_REDIRECT_TAP_BIN?=$(CNI_BIN_ROOT)/tc-redirect-tap
 $(TC_REDIRECT_TAP_BIN): $(CNI_BIN_ROOT)
 	GOBIN=$(CNI_BIN_ROOT) go install github.com/firecracker-microvm/firecracker-go-sdk/cni/cmd/tc-redirect-tap
@@ -157,7 +161,7 @@ $(FCNET_CONFIG):
 	cp tools/demo/fcnet.conflist $(FCNET_CONFIG)
 
 .PHONY: demo-network
-demo-network: $(PTP_BIN) $(HOSTLOCAL_BIN) $(TC_REDIRECT_TAP_BIN) $(FCNET_CONFIG)
+demo-network: $(PTP_BIN) $(HOSTLOCAL_BIN) $(FIREWALL_BIN) $(TC_REDIRECT_TAP_BIN) $(FCNET_CONFIG)
 
 ##########################
 # Firecracker submodule

docs/getting-started.md

@@ -38,15 +38,11 @@ You need to have the following things in order to use firecracker-containerd:
 
   </details>
 * git
-* The Firecracker binary with the optional `vsock` feature enabled.  This
-  feature requires building from source; instructions for doing so are in the
-  [Firecracker getting started guide](https://github.com/firecracker-microvm/firecracker/blob/master/docs/getting-started.md#building-from-source)
 * A root filesystem image (you can use the one
   [described here](https://github.com/firecracker-microvm/firecracker/blob/master/docs/getting-started.md#running-firecracker)
   as `hello-rootfs.ext4`). 
 * A recent installation of [Docker CE](https://docker.com).
 * Go 1.11 or later, which you can download from [here](https://golang.org/dl/).
-* Rust 1.32 (and Cargo), which you can download from [here](https://rustup.rs/).
 
 ## Setup
 
@@ -279,28 +275,41 @@ previously cloned firecracker-containerd repository:
 $ sudo make demo-network
 ```
 
-You can check the Makefile to see exactly what is installed and where, but for a 
+You can check the Makefile to see exactly what is installed and where, but for a
 quick summary:
-* [`ptp` CNI plugin](https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp) 
-  - Creates a [veth](http://man7.org/linux/man-pages/man4/veth.4.html) pair with 
-  one end in a private network namespace and the other end in the host's network namespace.
+* [`ptp` CNI plugin](https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp)
+  - Creates a [veth](http://man7.org/linux/man-pages/man4/veth.4.html) pair with
+  one end in a private network namespace and the other end in the host's network
+  namespace.
 * [`host-local` CNI
   plugin](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local)
-  - Manages IP allocations of network devices present on the local machine by 
+  - Manages IP allocations of network devices present on the local machine by
   vending them from a statically defined subnet.
+* [`firewall` CNI
+  plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/firewall)
+  - Sets up firewall rules on the host that allows traffic to/from VMs via the host
+    network.
 * [`tc-redirect-tap` CNI
-  plugin](https://github.com/firecracker-microvm/firecracker-go-sdk/tree/master/cni) 
+  plugin](https://github.com/firecracker-microvm/firecracker-go-sdk/tree/master/cni)
   - A CNI plugin that adapts other CNI plugins to be usable by Firecracker VMs.
-  [See this doc for more details](networking.md). It is used here to adapt veth 
+  [See this doc for more details](networking.md). It is used here to adapt veth
   devices created by the `ptp` plugin to tap devices provided to VMs.
-* [`fcnet.conflist`](../tools/demo/fcnet.conflist) - A sample CNI configuration 
-  file that defines a `fcnet` network created via the `ptp`, `host-local` and 
+* [`fcnet.conflist`](../tools/demo/fcnet.conflist) - A sample CNI configuration
+  file that defines a `fcnet` network created via the `ptp`, `host-local` and
   `tc-redirect-tap` plugins
-
-After those dependencies are installed, an update to the firecracker-containerd 
-configuration file is required for VMs to use the `fcnet` CNI-configuration as 
-their default way of generating network interfaces. Just include the following `
-default_network_interfaces` key in your runtime configuration file (by default 
+  - Note that, by default, the nameserver configuration within your host's
+    `/etc/resolv.conf` will be parsed and provided to VMs as their nameserver
+	configuration. This can cause problems if your host is using a systemd
+	resolver or other resolver that operates on localhost (which results in the
+	VM using its own localhost as the nameserver instead of your host's). This
+	situation may require manual tweaking of the default CNI configuration, such
+	as specifying [static DNS configuration as part of the `ptp` plugin](
+	https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp#network-configuration-reference).
+
+After those dependencies are installed, an update to the firecracker-containerd
+configuration file is required for VMs to use the `fcnet` CNI-configuration as
+their default way of generating network interfaces. Just include the following
+`default_network_interfaces` key in your runtime configuration file (by default
 at `/etc/containerd/firecracker-runtime.json`):
 ```json
 "default_network_interfaces": [
@@ -313,19 +322,6 @@ at `/etc/containerd/firecracker-runtime.json`):
 ]
 ```
 
-After that, start up a container (as described in the above Usage section) and 
-try pinging your host IP.
-
-At the time of this writing, there is a bug in the ptp plugin that prevents the
-DNS settings from the IPAM plugin being propagated. This is being addressed, but
-until that time DNS resolution will require users manually tweak the installed
-CNI configuration to specify static DNS nameservers appropriate to their local
-network in [the `dns` section of the PTP plugin](https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp#network-configuration-reference)
-
-While your host's IP should always be reachable from the VM given the above
-networking setup, your VM may or may not have outbound internet access depending
-on the details of your host's network. The ptp plugin attempts to setup iptables
-rules to allow the VM's traffic to be forwarded on your host's network but may
-not be able to if there are pre-existing iptables rules that overlap. In those
-cases, granting your VM outbound internet access may require customization of
-the CNI configuration past what's installed above.
+After that, start up a container (as described in the above Usage section) and
+try pinging any IP available on your host. If your host has internet access,
+you should also be able to access the internet from the container too.

tools/demo/fcnet.conflist

@@ -1,5 +1,5 @@
 {
-  "cniVersion": "0.3.1",
+  "cniVersion": "0.4.0",
   "name": "fcnet",
   "plugins": [
     {
@@ -12,6 +12,9 @@
         "resolvConf": "/etc/resolv.conf"
       }
     },
+    {
+      "type": "firewall"
+    },
     {
       "type": "tc-redirect-tap"
     }