diff --git a/Makefile b/Makefile
index 6d20e90b7..23a766cec 100644
--- a/Makefile
+++ b/Makefile
@@ -147,6 +147,10 @@ HOSTLOCAL_BIN?=$(CNI_BIN_ROOT)/host-local
 $(HOSTLOCAL_BIN): $(CNI_BIN_ROOT)
 	GOBIN=$(CNI_BIN_ROOT) GO111MODULE=off go get -u github.com/containernetworking/plugins/plugins/ipam/host-local
 
+FIREWALL_BIN?=$(CNI_BIN_ROOT)/firewall
+$(FIREWALL_BIN): $(CNI_BIN_ROOT)
+	GOBIN=$(CNI_BIN_ROOT) GO111MODULE=off go get -u github.com/containernetworking/plugins/plugins/meta/firewall
+
 TC_REDIRECT_TAP_BIN?=$(CNI_BIN_ROOT)/tc-redirect-tap
 $(TC_REDIRECT_TAP_BIN): $(CNI_BIN_ROOT)
 	GOBIN=$(CNI_BIN_ROOT) go install github.com/firecracker-microvm/firecracker-go-sdk/cni/cmd/tc-redirect-tap
@@ -157,7 +161,7 @@ $(FCNET_CONFIG):
 	cp tools/demo/fcnet.conflist $(FCNET_CONFIG)
 
 .PHONY: demo-network
-demo-network: $(PTP_BIN) $(HOSTLOCAL_BIN) $(TC_REDIRECT_TAP_BIN) $(FCNET_CONFIG)
+demo-network: $(PTP_BIN) $(HOSTLOCAL_BIN) $(FIREWALL_BIN) $(TC_REDIRECT_TAP_BIN) $(FCNET_CONFIG)
 
 ##########################
 # Firecracker submodule
diff --git a/docs/getting-started.md b/docs/getting-started.md
index acb1dc77e..097c7f0be 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
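Review bot: The new `$(FIREWALL_BIN)` rule installs whatever the `github.com/containernetworking/plugins` default branch holds at build time — `GO111MODULE=off go get -u` pins neither a revision nor a checksum — so the binary that lands in `$(CNI_BIN_ROOT)` changes from run to run and cannot be reproduced or audited later. The existing host-local rule has the same shape, so this is inherited style, but a plugin whose job (per the docs hunk) is to write firewall rules on the host is exactly the one worth pinning, e.g. through a `<CNI_PLUGINS_REV>`-style variable the recipe checks out before building, or failing that a comment on the rule stating that the demo intentionally tracks the unpinned branch. Separately, `$(CNI_BIN_ROOT)` is a normal prerequisite of the new target, so every plugin installed into that directory bumps its mtime and makes the sibling plugin targets look stale on the next `make`; `$(FIREWALL_BIN): | $(CNI_BIN_ROOT)` (order-only) avoids the pointless re-fetch. The second hunk only extends the `demo-network` prerequisite list and needs nothing further.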
@@ -38,15 +38,11 @@ You need to have the following things in order to use firecracker-containerd: * git -* The Firecracker binary with the optional `vsock` feature enabled. This - feature requires building from source; instructions for doing so are in the - [Firecracker getting started guide](https://github.com/firecracker-microvm/firecracker/blob/master/docs/getting-started.md#building-from-source) * A root filesystem image (you can use the one [described here](https://github.com/firecracker-microvm/firecracker/blob/master/docs/getting-started.md#running-firecracker) as `hello-rootfs.ext4`). * A recent installation of [Docker CE](https://docker.com). * Go 1.11 or later, which you can download from [here](https://golang.org/dl/). -* Rust 1.32 (and Cargo), which you can download from [here](https://rustup.rs/). ## Setup 
@@ -279,28 +275,41 @@ previously cloned firecracker-containerd repository: $ sudo make demo-network ``` -You can check the Makefile to see exactly what is installed and where, but for a +You can check the Makefile to see exactly what is installed and where, but for a quick summary: -* [`ptp` CNI plugin](https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp) - - Creates a [veth](http://man7.org/linux/man-pages/man4/veth.4.html) pair with - one end in a private network namespace and the other end in the host's network namespace. +* [`ptp` CNI plugin](https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp) + - Creates a [veth](http://man7.org/linux/man-pages/man4/veth.4.html) pair with + one end in a private network namespace and the other end in the host's network + namespace. * [`host-local` CNI plugin](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) - - Manages IP allocations of network devices present on the local machine by + - Manages IP allocations of network devices present on the local machine by vending them from a statically defined subnet. +* [`firewall` CNI + plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/firewall) + - Sets up firewall rules on the host that allows traffic to/from VMs via the host + network. * [`tc-redirect-tap` CNI - plugin](https://github.com/firecracker-microvm/firecracker-go-sdk/tree/master/cni) + plugin](https://github.com/firecracker-microvm/firecracker-go-sdk/tree/master/cni) - A CNI plugin that adapts other CNI plugins to be usable by Firecracker VMs. - [See this doc for more details](networking.md). It is used here to adapt veth + [See this doc for more details](networking.md). It is used here to adapt veth devices created by the `ptp` plugin to tap devices provided to VMs. 
-* [`fcnet.conflist`](../tools/demo/fcnet.conflist) - A sample CNI configuration - file that defines a `fcnet` network created via the `ptp`, `host-local` and +* [`fcnet.conflist`](../tools/demo/fcnet.conflist) - A sample CNI configuration + file that defines a `fcnet` network created via the `ptp`, `host-local` and `tc-redirect-tap` plugins - -After those dependencies are installed, an update to the firecracker-containerd -configuration file is required for VMs to use the `fcnet` CNI-configuration as -their default way of generating network interfaces. Just include the following ` -default_network_interfaces` key in your runtime configuration file (by default + - Note that, by default, the nameserver configuration within your host's + `/etc/resolv.conf` will be parsed and provided to VMs as their nameserver + configuration. This can cause problems if your host is using a systemd + resolver or other resolver that operates on localhost (which results in the + VM using its own localhost as the nameserver instead of your host's). This + situation may require manual tweaking of the default CNI configuration, such + as specifying [static DNS configuration as part of the `ptp` plugin]( + https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp#network-configuration-reference). + +After those dependencies are installed, an update to the firecracker-containerd +configuration file is required for VMs to use the `fcnet` CNI-configuration as +their default way of generating network interfaces. Just include the following +`default_network_interfaces` key in your runtime configuration file (by default at `/etc/containerd/firecracker-runtime.json`): ```json "default_network_interfaces": [ 
@@ -313,19 +322,6 @@ at `/etc/containerd/firecracker-runtime.json`):
 ]
 ```
 
-After that, start up a container (as described in the above Usage section) and
-try pinging your host IP.
-
-At the time of this writing, there is a bug in the ptp plugin that prevents the
-DNS settings from the IPAM plugin being propagated. This is being addressed, but
-until that time DNS resolution will require users manually tweak the installed
-CNI configuration to specify static DNS nameservers appropriate to their local
-network in [the `dns` section of the PTP plugin](https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp#network-configuration-reference)
-
-While your host's IP should always be reachable from the VM given the above
-networking setup, your VM may or may not have outbound internet access depending
-on the details of your host's network. The ptp plugin attempts to setup iptables
-rules to allow the VM's traffic to be forwarded on your host's network but may
-not be able to if there are pre-existing iptables rules that overlap. In those
-cases, granting your VM outbound internet access may require customization of
-the CNI configuration past what's installed above.
+After that, start up a container (as described in the above Usage section) and
+try pinging any IP available on your host. If your host has internet access,
+you should also be able to access the internet from the container too.
diff --git a/tools/demo/fcnet.conflist b/tools/demo/fcnet.conflist
index 2459b3eec..59fafd97f 100644
--- a/tools/demo/fcnet.conflist
+++ b/tools/demo/fcnet.conflist
@@ -1,5 +1,5 @@
 {
- "cniVersion": "0.3.1",
+ "cniVersion": "0.4.0",
 "name": "fcnet",
 "plugins": [
 {
@@ -12,6 +12,9 @@
 "resolvConf": "/etc/resolv.conf"
 }
 },
+ {
+ "type": "firewall"
+ },
 {
 "type": "tc-redirect-tap"
 }
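Review bot: The added `firewall` stanza sets no `backend`, so which host firewall mechanism it drives is decided by the plugin's own run-time detection rather than by this file, and anyone copying the demo conflist onto a host that runs a different firewall manager gets a different host-side effect than the demo author saw; an explicit `"backend": "iptables"` here, or a sentence in getting-started.md naming the default, would make the host mutation predictable. The `cniVersion` bump from `0.3.1` to `0.4.0` in the first hunk applies to every plugin in the list, not just the new one — 0.4.0 adds the CHECK operation, and the runtime may refuse the config if ptp, host-local or tc-redirect-tap does not advertise 0.4.0 support, which nothing in this diff verifies; a `make demo-network` run on a clean host plus a line in the commit message would settle it. The new entry is placed after host-local and before tc-redirect-tap, so it acts on the address allocated earlier in the chain; that looks intended, but conflist order is significant and JSON offers no place to say so, so the docs hunk is the right place to record why the plugin sits there.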