aboutsummaryrefslogtreecommitdiff
path: root/libkpod/sandbox
diff options
context:
space:
mode:
Diffstat (limited to 'libkpod/sandbox')
-rw-r--r--libkpod/sandbox/sandbox.go484
1 files changed, 484 insertions, 0 deletions
diff --git a/libkpod/sandbox/sandbox.go b/libkpod/sandbox/sandbox.go
new file mode 100644
index 000000000..d7d6569d9
--- /dev/null
+++ b/libkpod/sandbox/sandbox.go
@@ -0,0 +1,484 @@
+package sandbox
+
+import (
+ "crypto/rand"
+ "errors"
+ "fmt"
+ "os"
+ "path/filepath"
+ "sync"
+
+ "github.com/containernetworking/plugins/pkg/ns"
+ "github.com/docker/docker/pkg/mount"
+ "github.com/docker/docker/pkg/symlink"
+ "github.com/kubernetes-incubator/cri-o/oci"
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
+ "k8s.io/apimachinery/pkg/fields"
+ pb "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime"
+ "k8s.io/kubernetes/pkg/kubelet/network/hostport"
+)
+
+// NetNs handles data pertaining a network namespace
+type NetNs struct {
+ sync.Mutex
+ ns ns.NetNS
+ symlink *os.File
+ closed bool
+ restored bool
+}
+
+func (ns *NetNs) symlinkCreate(name string) error {
+ b := make([]byte, 4)
+ _, randErr := rand.Reader.Read(b)
+ if randErr != nil {
+ return randErr
+ }
+
+ nsName := fmt.Sprintf("%s-%x", name, b)
+ symlinkPath := filepath.Join(NsRunDir, nsName)
+
+ if err := os.Symlink(ns.ns.Path(), symlinkPath); err != nil {
+ return err
+ }
+
+ fd, err := os.Open(symlinkPath)
+ if err != nil {
+ if removeErr := os.RemoveAll(symlinkPath); removeErr != nil {
+ return removeErr
+ }
+
+ return err
+ }
+
+ ns.symlink = fd
+
+ return nil
+}
+
+func (ns *NetNs) symlinkRemove() error {
+ if err := ns.symlink.Close(); err != nil {
+ return err
+ }
+
+ return os.RemoveAll(ns.symlink.Name())
+}
+
+func isSymbolicLink(path string) (bool, error) {
+ fi, err := os.Lstat(path)
+ if err != nil {
+ return false, err
+ }
+
+ return fi.Mode()&os.ModeSymlink == os.ModeSymlink, nil
+}
+
+// NetNsGet returns the NetNs associated with the given nspath and name
+func NetNsGet(nspath, name string) (*NetNs, error) {
+ if err := ns.IsNSorErr(nspath); err != nil {
+ return nil, ErrClosedNetNS
+ }
+
+ symlink, symlinkErr := isSymbolicLink(nspath)
+ if symlinkErr != nil {
+ return nil, symlinkErr
+ }
+
+ var resolvedNsPath string
+ if symlink {
+ path, err := os.Readlink(nspath)
+ if err != nil {
+ return nil, err
+ }
+ resolvedNsPath = path
+ } else {
+ resolvedNsPath = nspath
+ }
+
+ netNS, err := ns.GetNS(resolvedNsPath)
+ if err != nil {
+ return nil, err
+ }
+
+ netNs := &NetNs{ns: netNS, closed: false, restored: true}
+
+ if symlink {
+ fd, err := os.Open(nspath)
+ if err != nil {
+ return nil, err
+ }
+
+ netNs.symlink = fd
+ } else {
+ if err := netNs.symlinkCreate(name); err != nil {
+ return nil, err
+ }
+ }
+
+ return netNs, nil
+}
+
+// HostNetNsPath returns the current network namespace for the host
+func HostNetNsPath() (string, error) {
+ netNS, err := ns.GetCurrentNS()
+ if err != nil {
+ return "", err
+ }
+
+ defer netNS.Close()
+ return netNS.Path(), nil
+}
+
+// Sandbox contains data surrounding kubernetes sandboxes on the server
+type Sandbox struct {
+ id string
+ namespace string
+ // OCI pod name (eg "<namespace>-<name>-<attempt>")
+ name string
+ // Kubernetes pod name (eg, "<name>")
+ kubeName string
+ logDir string
+ labels fields.Set
+ annotations map[string]string
+ infraContainer *oci.Container
+ containers oci.ContainerStorer
+ processLabel string
+ mountLabel string
+ netns *NetNs
+ metadata *pb.PodSandboxMetadata
+ shmPath string
+ cgroupParent string
+ privileged bool
+ trusted bool
+ resolvPath string
+ hostnamePath string
+ hostname string
+ portMappings []*hostport.PortMapping
+ stopped bool
+ // ipv4 or ipv6 cache
+ ip string
+}
+
+const (
+ // DefaultShmSize is the default shm size
+ DefaultShmSize = 64 * 1024 * 1024
+ // NsRunDir is the default directory in which running network namespaces
+ // are stored
+ NsRunDir = "/var/run/netns"
+ // PodInfraCommand is the default command when starting a pod infrastructure
+ // container
+ PodInfraCommand = "/pause"
+)
+
+var (
+ // ErrIDEmpty is the erro returned when the id of the sandbox is empty
+ ErrIDEmpty = errors.New("PodSandboxId should not be empty")
+ // ErrClosedNetNS is the error returned when the network namespace of the
+ // sandbox is closed
+ ErrClosedNetNS = errors.New("PodSandbox networking namespace is closed")
+)
+
+// New creates and populates a new pod sandbox
+// New sandboxes have no containers, no infra container, and no network namespaces associated with them
+// An infra container must be attached before the sandbox is added to the state
+func New(id, namespace, name, kubeName, logDir string, labels, annotations map[string]string, processLabel, mountLabel string, metadata *pb.PodSandboxMetadata, shmPath, cgroupParent string, privileged, trusted bool, resolvPath, hostname string, portMappings []*hostport.PortMapping) (*Sandbox, error) {
+ sb := new(Sandbox)
+ sb.id = id
+ sb.namespace = namespace
+ sb.name = name
+ sb.kubeName = kubeName
+ sb.logDir = logDir
+ sb.labels = labels
+ sb.annotations = annotations
+ sb.containers = oci.NewMemoryStore()
+ sb.processLabel = processLabel
+ sb.mountLabel = mountLabel
+ sb.metadata = metadata
+ sb.shmPath = shmPath
+ sb.cgroupParent = cgroupParent
+ sb.privileged = privileged
+ sb.trusted = trusted
+ sb.resolvPath = resolvPath
+ sb.hostname = hostname
+ sb.portMappings = portMappings
+
+ return sb, nil
+}
+
+// AddIP stores the ip in the sandbox
+func (s *Sandbox) AddIP(ip string) {
+ s.ip = ip
+}
+
+// IP returns the ip of the sandbox
+func (s *Sandbox) IP() string {
+ return s.ip
+}
+
+// ID returns the id of the sandbox
+func (s *Sandbox) ID() string {
+ return s.id
+}
+
+// Namespace returns the namespace for the sandbox
+func (s *Sandbox) Namespace() string {
+ return s.namespace
+}
+
+// Name returns the name of the sandbox
+func (s *Sandbox) Name() string {
+ return s.name
+}
+
+// KubeName returns the kubernetes name for the sandbox
+func (s *Sandbox) KubeName() string {
+ return s.kubeName
+}
+
+// LogDir returns the location of the logging directory for the sandbox
+func (s *Sandbox) LogDir() string {
+ return s.logDir
+}
+
+// Labels returns the labels associated with the sandbox
+func (s *Sandbox) Labels() fields.Set {
+ return s.labels
+}
+
+// Annotations returns a list of annotations for the sandbox
+func (s *Sandbox) Annotations() map[string]string {
+ return s.annotations
+}
+
+// InfraContainer returns the infrastructure container for the sandbox
+func (s *Sandbox) InfraContainer() *oci.Container {
+ return s.infraContainer
+}
+
+// Containers returns the ContainerStorer that contains information on all
+// of the containers in the sandbox
+func (s *Sandbox) Containers() oci.ContainerStorer {
+ return s.containers
+}
+
+// ProcessLabel returns the process label for the sandbox
+func (s *Sandbox) ProcessLabel() string {
+ return s.processLabel
+}
+
+// MountLabel returns the mount label for the sandbox
+func (s *Sandbox) MountLabel() string {
+ return s.mountLabel
+}
+
+// Metadata returns a set of metadata about the sandbox
+func (s *Sandbox) Metadata() *pb.PodSandboxMetadata {
+ return s.metadata
+}
+
+// ShmPath returns the shm path of the sandbox
+func (s *Sandbox) ShmPath() string {
+ return s.shmPath
+}
+
+// CgroupParent returns the cgroup parent of the sandbox
+func (s *Sandbox) CgroupParent() string {
+ return s.cgroupParent
+}
+
+// Privileged returns whether or not the containers in the sandbox are
+// privileged containers
+func (s *Sandbox) Privileged() bool {
+ return s.privileged
+}
+
+// Trusted returns whether or not the containers in the sandbox are trusted
+func (s *Sandbox) Trusted() bool {
+ return s.trusted
+}
+
+// ResolvPath returns the resolv path for the sandbox
+func (s *Sandbox) ResolvPath() string {
+ return s.resolvPath
+}
+
+// AddHostnamePath adds the hostname path to the sandbox
+func (s *Sandbox) AddHostnamePath(hostname string) {
+ s.hostnamePath = hostname
+}
+
+// HostnamePath retrieves the hostname path from a sandbox
+func (s *Sandbox) HostnamePath() string {
+ return s.hostnamePath
+}
+
+// Hostname returns the hsotname of the sandbox
+func (s *Sandbox) Hostname() string {
+ return s.hostname
+}
+
+// PortMappings returns a list of port mappings between the host and the sandbox
+func (s *Sandbox) PortMappings() []*hostport.PortMapping {
+ return s.portMappings
+}
+
+// AddContainer adds a container to the sandbox
+func (s *Sandbox) AddContainer(c *oci.Container) {
+ s.containers.Add(c.Name(), c)
+}
+
+// GetContainer retrieves a container from the sandbox
+func (s *Sandbox) GetContainer(name string) *oci.Container {
+ return s.containers.Get(name)
+}
+
+// RemoveContainer deletes a container from the sandbox
+func (s *Sandbox) RemoveContainer(c *oci.Container) {
+ s.containers.Delete(c.Name())
+}
+
+// SetInfraContainer sets the infrastructure container of a sandbox
+// Attempts to set the infrastructure container after one is already present will throw an error
+func (s *Sandbox) SetInfraContainer(infraCtr *oci.Container) error {
+ if s.infraContainer != nil {
+ return fmt.Errorf("sandbox already has an infra container")
+ } else if infraCtr == nil {
+ return fmt.Errorf("must provide non-nil infra container")
+ }
+
+ s.infraContainer = infraCtr
+
+ return nil
+}
+
+// RemoveInfraContainer removes the infrastructure container of a sandbox
+func (s *Sandbox) RemoveInfraContainer() {
+ s.infraContainer = nil
+}
+
+// NetNs retrieves the network namespace of the sandbox
+// If the sandbox uses the host namespace, nil is returned
+func (s *Sandbox) NetNs() ns.NetNS {
+ if s.netns == nil {
+ return nil
+ }
+
+ return s.netns.ns
+}
+
+// NetNsPath returns the path to the network namespace of the sandbox.
+// If the sandbox uses the host namespace, nil is returned
+func (s *Sandbox) NetNsPath() string {
+ if s.netns == nil {
+ return ""
+ }
+
+ return s.netns.symlink.Name()
+}
+
+// NetNsCreate creates a new network namespace for the sandbox
+func (s *Sandbox) NetNsCreate() error {
+ if s.netns != nil {
+ return fmt.Errorf("net NS already created")
+ }
+
+ netNS, err := ns.NewNS()
+ if err != nil {
+ return err
+ }
+
+ s.netns = &NetNs{
+ ns: netNS,
+ closed: false,
+ }
+
+ if err := s.netns.symlinkCreate(s.name); err != nil {
+ logrus.Warnf("Could not create nentns symlink %v", err)
+
+ if err1 := s.netns.ns.Close(); err1 != nil {
+ return err1
+ }
+
+ return err
+ }
+
+ return nil
+}
+
+// SetStopped sets the sandbox state to stopped.
+// This should be set after a stop operation succeeds
+// so that subsequent stops can return fast.
+func (s *Sandbox) SetStopped() {
+ s.stopped = true
+}
+
+// Stopped returns whether the sandbox state has been
+// set to stopped.
+func (s *Sandbox) Stopped() bool {
+ return s.stopped
+}
+
+// NetNsJoin attempts to join the sandbox to an existing network namespace
+// This will fail if the sandbox is already part of a network namespace
+func (s *Sandbox) NetNsJoin(nspath, name string) error {
+ if s.netns != nil {
+ return fmt.Errorf("sandbox already has a network namespace, cannot join another")
+ }
+
+ netNS, err := NetNsGet(nspath, name)
+ if err != nil {
+ return err
+ }
+
+ s.netns = netNS
+
+ return nil
+}
+
+// NetNsRemove removes the network namespace associated with the sandbox
+func (s *Sandbox) NetNsRemove() error {
+ if s.netns == nil {
+ logrus.Warn("no networking namespace")
+ return nil
+ }
+
+ s.netns.Lock()
+ defer s.netns.Unlock()
+
+ if s.netns.closed {
+ // netNsRemove() can be called multiple
+ // times without returning an error.
+ return nil
+ }
+
+ if err := s.netns.symlinkRemove(); err != nil {
+ return err
+ }
+
+ if err := s.netns.ns.Close(); err != nil {
+ return err
+ }
+
+ if s.netns.restored {
+ // we got namespaces in the form of
+ // /var/run/netns/cni-0d08effa-06eb-a963-f51a-e2b0eceffc5d
+ // but /var/run on most system is symlinked to /run so we first resolve
+ // the symlink and then try and see if it's mounted
+ fp, err := symlink.FollowSymlinkInScope(s.netns.ns.Path(), "/")
+ if err != nil {
+ return err
+ }
+ if mounted, err := mount.Mounted(fp); err == nil && mounted {
+ if err := unix.Unmount(fp, unix.MNT_DETACH); err != nil {
+ return err
+ }
+ }
+
+ if err := os.RemoveAll(s.netns.ns.Path()); err != nil {
+ return err
+ }
+ }
+
+ s.netns.closed = true
+ return nil
+}