diff options
| author | Matthew Heon <matthew.heon@pm.me> | 2020-06-09 17:10:37 -0400 |
|---|---|---|
| committer | Paul Holzinger <paul.holzinger@web.de> | 2020-12-07 19:26:23 +0100 |
| commit | b0286d6b43ebec367c0d9ed87bc6566d76ece8f8 (patch) | |
| tree | a0629a333e8b1c28dbd78ad75a8a4ccc537fb1f8 /libpod/container_api.go | |
| parent | e74072e742a427fbd8577fdc98daf1133cf13c48 (diff) | |
| download | podman-b0286d6b43ebec367c0d9ed87bc6566d76ece8f8.tar.gz podman-b0286d6b43ebec367c0d9ed87bc6566d76ece8f8.tar.bz2 podman-b0286d6b43ebec367c0d9ed87bc6566d76ece8f8.zip | |
Implement pod-network-reload
This adds a new command, 'podman network reload', to reload the
networks of existing containers, forcing recreation of firewall
rules after e.g. `firewall-cmd --reload` wipes them out.
Under the hood, this works by calling CNI to tear down the
existing network, then recreate it using identical settings. We
request that CNI preserve the old IP and MAC address in most
cases (where the container only had 1 IP/MAC), but there will be
some downtime inherent to the teardown/bring-up approach. The
architecture of CNI doesn't really make doing this without
downtime easy (or maybe even possible...).
At present, this only works for root Podman, and only locally.
I don't think there is much of a point to adding remote support
(this is very much a local debugging command), but I think adding
rootless support (to kill/recreate slirp4netns) could be
valuable.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Diffstat (limited to 'libpod/container_api.go')
| -rw-r--r-- | libpod/container_api.go | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/libpod/container_api.go b/libpod/container_api.go index 6a7ddc421..1b33f16b4 100644 --- a/libpod/container_api.go +++ b/libpod/container_api.go @@ -639,6 +639,32 @@ func (c *Container) Sync() error { return nil } +// ReloadNetwork reconfigures the container's network. +// Technically speaking, it will tear down and then reconfigure the container's +// network namespace, which will result in all firewall rules being recreated. +// It is mostly intended to be used in cases where the system firewall has been +// reloaded, and existing rules have been wiped out. It is expected that some +// downtime will result, as the rules are destroyed as part of this process. +// At present, this only works on root containers; it may be expanded to restart +// slirp4netns in the future to work with rootless containers as well. +// Requires that the container must be running or created. +func (c *Container) ReloadNetwork() error { + if !c.batched { + c.lock.Lock() + defer c.lock.Unlock() + + if err := c.syncContainer(); err != nil { + return err + } + } + + if !c.ensureState(define.ContainerStateCreated, define.ContainerStateRunning) { + return errors.Wrapf(define.ErrCtrStateInvalid, "cannot reload network unless container network has been configured") + } + + return c.reloadNetwork() +} + // Refresh is DEPRECATED and REMOVED. func (c *Container) Refresh(ctx context.Context) error { // This has been deprecated for a long while, and is in the process of |