diff options
| author | Matthew Heon <matthew.heon@pm.me> | 2021-02-01 13:53:14 -0500 |
|---|---|---|
| committer | Matthew Heon <matthew.heon@pm.me> | 2021-02-02 10:35:23 -0500 |
| commit | 931ea939ac85bc0e64d12dc34ac920e9e91c4277 (patch) | |
| tree | e7949abd05b7f8256a23dfc6ba1c5ae1d81cbf4c | |
| parent | 182e8414d406d3058e985104af98f30a9e8f56fa (diff) | |
| download | podman-931ea939ac85bc0e64d12dc34ac920e9e91c4277.tar.gz podman-931ea939ac85bc0e64d12dc34ac920e9e91c4277.tar.bz2 podman-931ea939ac85bc0e64d12dc34ac920e9e91c4277.zip | |
Allow pods to use --net=none
We need an extra field in the pod infra container config. We may
want to reevaluate that struct at some point, as storing network
modes as bools will rapidly become unsustainable, but that's a
discussion for another time. Otherwise, straightforward plumbing.
Fixes #9165
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| -rw-r--r-- | libpod/options.go | 29 | ||||
| -rw-r--r-- | libpod/pod.go | 1 | ||||
| -rw-r--r-- | libpod/runtime_pod_infra_linux.go | 14 | ||||
| -rw-r--r-- | pkg/specgen/generate/pod_create.go | 3 | ||||
| -rw-r--r-- | test/e2e/pod_create_test.go | 20 |
5 files changed, 55 insertions, 12 deletions
diff --git a/libpod/options.go b/libpod/options.go index c7bac7e1f..20f62ee37 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -2190,13 +2190,37 @@ func WithPodNetworks(networks []string) PodCreateOption { } } +// WithPodNoNetwork tells the pod to disable external networking. +func WithPodNoNetwork() PodCreateOption { + return func(pod *Pod) error { + if pod.valid { + return define.ErrPodFinalized + } + + if !pod.config.InfraContainer.HasInfraContainer { + return errors.Wrapf(define.ErrInvalidArg, "cannot disable pod networking as no infra container is being created") + } + + if len(pod.config.InfraContainer.PortBindings) > 0 || + pod.config.InfraContainer.StaticIP != nil || + pod.config.InfraContainer.StaticMAC != nil || + len(pod.config.InfraContainer.Networks) > 0 || + pod.config.InfraContainer.HostNetwork { + return errors.Wrapf(define.ErrInvalidArg, "cannot disable pod network if network-related configuration is specified") + } + + pod.config.InfraContainer.NoNetwork = true + + return nil + } +} + // WithPodHostNetwork tells the pod to use the host's network namespace. func WithPodHostNetwork() PodCreateOption { return func(pod *Pod) error { if pod.valid { return define.ErrPodFinalized } - if !pod.config.InfraContainer.HasInfraContainer { return errors.Wrapf(define.ErrInvalidArg, "cannot configure pod host networking as no infra container is being created") } @@ -2204,7 +2228,8 @@ func WithPodHostNetwork() PodCreateOption { if len(pod.config.InfraContainer.PortBindings) > 0 || pod.config.InfraContainer.StaticIP != nil || pod.config.InfraContainer.StaticMAC != nil || - len(pod.config.InfraContainer.Networks) > 0 { + len(pod.config.InfraContainer.Networks) > 0 || + pod.config.InfraContainer.NoNetwork { return errors.Wrapf(define.ErrInvalidArg, "cannot set host network if network-related configuration is specified") } diff --git a/libpod/pod.go b/libpod/pod.go index c8f62ca18..784c2cf5e 100644 --- a/libpod/pod.go +++ b/libpod/pod.go @@ -93,6 +93,7 @@ type podState struct { type InfraContainerConfig struct { ConmonPidFile string `json:"conmonPidFile"` HasInfraContainer bool `json:"makeInfraContainer"` + NoNetwork bool `json:"noNetwork,omitempty"` HostNetwork bool `json:"infraHostNetwork,omitempty"` PortBindings []ocicni.PortMapping `json:"infraPortBindings"` StaticIP net.IP `json:"staticIP,omitempty"` diff --git a/libpod/runtime_pod_infra_linux.go b/libpod/runtime_pod_infra_linux.go index dd957527d..564851f4e 100644 --- a/libpod/runtime_pod_infra_linux.go +++ b/libpod/runtime_pod_infra_linux.go @@ -94,8 +94,16 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, rawIm } } - // Since user namespace sharing is not implemented, we only need to check if it's rootless - if !p.config.InfraContainer.HostNetwork { + switch { + case p.config.InfraContainer.HostNetwork: + if err := g.RemoveLinuxNamespace(string(spec.NetworkNamespace)); err != nil { + return nil, errors.Wrapf(err, "error removing network namespace from pod %s infra container", p.ID()) + } + case p.config.InfraContainer.NoNetwork: + // Do nothing - we have a network namespace by default, + // but should not configure slirp. + default: + // Since user namespace sharing is not implemented, we only need to check if it's rootless netmode := "bridge" if isRootless || p.config.InfraContainer.Slirp4netns { netmode = "slirp4netns" @@ -106,8 +114,6 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, rawIm // PostConfigureNetNS should not be set since user namespace sharing is not implemented // and rootless networking no longer supports post configuration setup options = append(options, WithNetNS(p.config.InfraContainer.PortBindings, false, netmode, p.config.InfraContainer.Networks)) - } else if err := g.RemoveLinuxNamespace(string(spec.NetworkNamespace)); err != nil { - return nil, errors.Wrapf(err, "error removing network namespace from pod %s infra container", p.ID()) } // For each option in InfraContainerConfig - if set, pass into diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go index 43caf0fe9..645bf7a47 100644 --- a/pkg/specgen/generate/pod_create.go +++ b/pkg/specgen/generate/pod_create.go @@ -102,6 +102,9 @@ func createPodOptions(p *specgen.PodSpecGenerator, rt *libpod.Runtime) ([]libpod case specgen.Slirp: logrus.Debugf("Pod will use slirp4netns") options = append(options, libpod.WithPodSlirp4netns(p.NetworkOptions)) + case specgen.NoNetwork: + logrus.Debugf("Pod will not use networking") + options = append(options, libpod.WithPodNoNetwork()) default: return nil, errors.Errorf("pods presently do not support network mode %s", p.NetNS.NSMode) } diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go index 575f9df68..9818c4f65 100644 --- a/test/e2e/pod_create_test.go +++ b/test/e2e/pod_create_test.go @@ -478,12 +478,7 @@ entrypoint ["/fromimage"] }) It("podman create with unsupported network options", func() { - podCreate := podmanTest.Podman([]string{"pod", "create", "--network", "none"}) - podCreate.WaitWithDefaultTimeout() - Expect(podCreate.ExitCode()).To(Equal(125)) - Expect(podCreate.ErrorToString()).To(ContainSubstring("pods presently do not support network mode none")) - - podCreate = podmanTest.Podman([]string{"pod", "create", "--network", "container:doesnotmatter"}) + podCreate := podmanTest.Podman([]string{"pod", "create", "--network", "container:doesnotmatter"}) podCreate.WaitWithDefaultTimeout() Expect(podCreate.ExitCode()).To(Equal(125)) Expect(podCreate.ErrorToString()).To(ContainSubstring("pods presently do not support network mode container")) @@ -493,4 +488,17 @@ entrypoint ["/fromimage"] Expect(podCreate.ExitCode()).To(Equal(125)) Expect(podCreate.ErrorToString()).To(ContainSubstring("pods presently do not support network mode path")) }) + + It("podman pod create with --net=none", func() { + podName := "testPod" + podCreate := podmanTest.Podman([]string{"pod", "create", "--network", "none", "--name", podName}) + podCreate.WaitWithDefaultTimeout() + Expect(podCreate.ExitCode()).To(Equal(0)) + + session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "ip", "-o", "-4", "addr"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("inet 127.0.0.1/8 scope host lo")) + Expect(len(session.OutputToStringArray())).To(Equal(1)) + }) }) |