summaryrefslogtreecommitdiff
path: root/libpod/network
Commit message (Collapse)AuthorAge
* network db: add new strucutre to container createPaul Holzinger2021-12-14
| | | | | | | | | | Make sure we create new containers in the db with the correct structure. Also remove some unneeded code for alias handling. We no longer need this functions. The specgen format has not been changed for now. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Fix netavark error handling and teardown issuePaul Holzinger2021-11-22
| | | | | | | | | | | | | | The return error was not returned by podman , instead a different error was created. Also make sure to free assigned ips on an error to not leak them. Lastly podman container cleanup uses the default network backend instead of the provided one, we need to add `--network-backend` to the exit command. [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Force iptables driver for netavark testsPaul Holzinger2021-11-19
| | | | | | | | Firewalld cannot be used because it can connect to the dbus api but talks to firewalld in the host namespace. This will affact your host badly and also causes tests to fail. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Make sure netavark output is logged to the syslogPaul Holzinger2021-11-19
| | | | | | | Create a custom writer which logs the netavark output to logrus. This will log to the syslog when it is enabled. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* rename libpod nettypes fieldsPaul Holzinger2021-11-16
| | | | | | | | | | Some field names are confusing. Change them so that they make more sense to the reader. Since these fields are only in the main branch we can safely rename them without worrying about backwards compatibility. Note we have to change the field names in netavark too. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* podman machine improve port forwardingPaul Holzinger2021-11-15
| | | | | | | | | | | | | | | | | | | | | | | | This commits adds port forwarding logic directly into podman. The podman-machine cni plugin is no longer needed. The following new features are supported: - works with cni, netavark and slirp4netns - ports can use the hostIP to bind instead of hard coding 0.0.0.0 - gvproxy no longer listens on 0.0.0.0:7777 (requires a new gvproxy version) - support the udp protocol With this we no longer need podman-machine-cni and should remove it from the packaging. There is also a change to make sure we are backwards compatible with old config which include this plugin. Fixes #11528 Fixes #11728 [NO NEW TESTS NEEDED] We have no podman machine test at the moment. Please test this manually on your system. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add failing run test for netavarkPaul Holzinger2021-11-11
| | | | Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add more netavark testsPaul Holzinger2021-11-11
| | | | Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* select network backend based on configPaul Holzinger2021-11-11
| | | | | | | You can change the network backendend in containers.conf supported values are "cni" and "netavark". Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Fix RUST_LOG envar for netavarkPaul Holzinger2021-11-11
| | | | | | | | THe rust netlink library is very verbose. It contains way to much debug and trave logs. We can set `RUST_LOG=netavark=<level>` to make sure this log level only applies to netavark and not the libraries. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* netavark IPAM assignmentPaul Holzinger2021-11-11
| | | | | | | | | | | | | | | | Add a new boltdb to handle IPAM assignment. The db structure is the following: Each network has their own bucket with the network name as bucket key. Inside the network bucket there is an ID bucket which maps the container ID (key) to a json array of ip addresses (value). The network bucket also has a bucket for each subnet, the subnet is used as key. Inside the subnet bucket an ip is used as key and the container ID as value. The db should be stored on a tmpfs to ensure we always have a clean state after a reboot. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* netavark network interfacePaul Holzinger2021-11-11
| | | | | | | | | Implement a new network interface for netavark. For now only bridge networking is supported. The interface can create/list/inspect/remove networks. For setup and teardown netavark will be invoked. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Make networking code reusablePaul Holzinger2021-11-11
| | | | | | | | | | To prevent code duplication when creating new network backends move reusable code into a separate internal package. This allows all network backends to use the same code as long as they implement the new NetUtil interface. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Fix swagger definition for the new mac address typePaul Holzinger2021-11-05
| | | | | | | | | | | | | | The new mac address type broke the api docs. While we could successfully generate the swagger file it could not be viewed in a browser. The problem is that the swagger generation create two type definitions with the name `HardwareAddr` and this pointed back to itself. Thus the render process was stucked in an endless loop. To fix this manually rename the new type to MacAddress and overwrite the types to string because the json unmarshaller accepts the mac as string. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* MAC address json unmarshal should allow stringsPaul Holzinger2021-11-03
| | | | | | | | | Create a new mac address type which supports json marshal/unmarshal from and to string. This change is backwards compatible with the previous versions as the unmarshal method still accepts the old byte array or base64 encoded string. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Document to not set K8S envars for CNIPaul Holzinger2021-10-26
| | | | | | | Setting these environment variables can cause issues with custom CNI plugins, see #12083. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Replace 'an user' => 'a user'Stefan Weil2021-10-24
| | | | Signed-off-by: Stefan Weil <sw@weilnetz.de>
* Merge pull request #11949 from Luap99/net-rangeOpenShift Merge Robot2021-10-13
|\ | | | | CNI: fix network create --ip-range
| * CNI: fix network create --ip-rangePaul Holzinger2021-10-12
| | | | | | | | | | | | | | The --ip-range option did not work correctly. The endIP was accidentally assigned to the start IP. New tests are added to make sure it works. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | codespell codeDaniel J Walsh2021-10-12
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* CNI networks: reload networks if neededPaul Holzinger2021-10-04
| | | | | | | | | | | | | | | | | | | | The current implementation of the CNI network interface only loads the networks on the first call and saves them in a map. This is done to safe performance and not having to reload all configs every time which will be costly for many networks. The problem with this approach is that if a network is created by another process it will not be picked up by the already running podman process. This is not a problem for the short lived podman commands but it is problematic for the podman service. To make sure we always have the actual networks store the mtime of the config directory. If it changed since the last read we have to read again. Fixes #11828 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #11751 from Luap99/net-aliasOpenShift Merge Robot2021-09-28
|\ | | | | always add short container id as net alias
| * move network alias validation to container createPaul Holzinger2021-09-28
| | | | | | | | | | | | | | | | | | | | Podman 4.0 currently errors when you use network aliases for a network which has dns disabled. Because the error happens on network setup this can cause regression for old working containers. The network backend should not validate this. Instead podman should check this at container create time and also for network connect. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * always add short container id as net aliasPaul Holzinger2021-09-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This matches what docker does. Also make sure the net aliases are also shown when the container is stopped. docker-compose uses this special alias entry to check if it is already correctly connected to the network. [1] Because we do not support static ips on network connect at the moment calling disconnect && connect will loose the static ip. Fixes #11748 [1] https://github.com/docker/compose/blob/0bea52b18dda3de8c28fcfb0c80cc08b8950645e/compose/service.py#L663-L667 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | CNI: network remove do not error for ENOENTPaul Holzinger2021-09-27
|/ | | | | | | | Make podman network rm more robust by checking for ENOENT if we cannot remove the config file. If it does not exists there is no reason to error. This is especially useful for podman network prune. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* rootful: do not set XDG_RUNTIME_DIR for cni pluginsPaul Holzinger2021-09-24
| | | | | | | | | | | | | | | The dnsname plugin tries to use XDG_RUNTIME_DIR to store files. podman run will have XDG_RUNTIME_DIR set and thus the cni plugin can use it. The problem is that XDG_RUNTIME_DIR is unset for the conmon process for rootful users. This causes issues since the cleanup process is spawned by conmon and thus not have XDG_RUNTIME_DIR set to same value as podman run. Because of it dnsname will not find the config files and cannot correctly cleanup. To fix this we should also unset XDG_RUNTIME_DIR for the cni plugins as rootful. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* standardize logrus messages to upper caseDaniel J Walsh2021-09-22
| | | | | | | | Remove ERROR: Error stutter from logrus messages also. [ NO TESTS NEEDED] This is just code cleanup. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #11629 from Luap99/CNI-1.0OpenShift Merge Robot2021-09-22
|\ | | | | Bump CNI to v1.0.1
| * Bump CNI to v1.0.1Paul Holzinger2021-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update CNI so we can match wrapped errors. This should silence ENOENT warnings when trying to read the cni conflist files. Fixes #10926 Because CNI v1.0.0 contains breaking changes we have to change some import paths. Also we cannot update the CNI version used for the conflist files created by `podman network create` because this would require at least containernetwork-plugins v1.0.1 and a updated dnsname plugin. Because this will take a while until it lands in most distros we should not use this version. So keep using v0.4.0 for now. The update from checkpoint-restore/checkpointctl is also required to make sure it no longer uses CNI to read the network status. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | net types: remove omitempty from required fieldsPaul Holzinger2021-09-22
|/ | | | | | | | | This will make reading the fields easier in rust because we can guarantee that the fields will be present in the json output. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* CNI: add ipvlan driverPaul Holzinger2021-09-16
| | | | | | | | | Add support for the ipvlan cni plugin. This allows us to create, inspect and list ipvlan networks correctly. Fixes #10478 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* CNI: network create support macvlan modesPaul Holzinger2021-09-16
| | | | | | | | Support setting the macvlan mode with `podman network create -d macvlan --opt mode=bridge`. This will correctly set the specified macvlan mode in the cni conflist file. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add Drivers method to the Network InterfacePaul Holzinger2021-09-15
| | | | | | | Drivers should return the list of supported network drivers by this plugin. This is useful for podman info. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Drop OCICNI dependencyPaul Holzinger2021-09-15
| | | | | | | | | | | We do not use the ocicni code anymore so let's get rid of it. Only the port struct is used but we can copy this into libpod network types so we can debloat the binary. The next step is to remove the OCICNI port mapping form the container config and use the better PortMapping struct everywhere. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Wire network interface into libpodPaul Holzinger2021-09-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make use of the new network interface in libpod. This commit contains several breaking changes: - podman network create only outputs the new network name and not file path. - podman network ls shows the network driver instead of the cni version and plugins. - podman network inspect outputs the new network struct and not the cni conflist. - The bindings and libpod api endpoints have been changed to use the new network structure. The container network status is stored in a new field in the state. The status should be received with the new `c.getNetworkStatus`. This will migrate the old status to the new format. Therefore old containers should contine to work correctly in all cases even when network connect/ disconnect is used. New features: - podman network reload keeps the ip and mac for more than one network. - podman container restore keeps the ip and mac for more than one network. - The network create compat endpoint can now use more than one ipam config. The man pages and the swagger doc are updated to reflect the latest changes. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* cni network configs set ipv6 enables correctlyPaul Holzinger2021-09-15
| | | | | | | When configs are loaded from disk we need to check if they contain a ipv6 subnet and set ipv6 enables to true in this case. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* default network: do not validate the used subnetsPaul Holzinger2021-09-15
| | | | | | | | | | | The default network should not be validated against used subnets, we have to ensure that this network can always be created even when a subnet is already used on the host. This could happen if you run a container on this net, then the cni interface will be created on the host and "block" this subnet from being used again. Therefore the next podman command tries to create the default net again and it would fail because it thinks the network is used on the host. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* network create: validate the input subnetPaul Holzinger2021-09-15
| | | | | | | Check that the given subnet does not conflict with existing ones (other configs or host interfaces). Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Drop dependency on iproutePaul Holzinger2021-09-02
| | | | | | | | | | | We only use the `ip` util to remove a network interface. We can do this directly via the netlink lib, no need to call a external binary. [NO TESTS NEEDED] Fixes #11403 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Globally replace http:// with https://Daniel J Walsh2021-08-27
| | | | | | [NO TESTS NEEDED] Hopefully existing tests will find issues. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Network interfacePaul Holzinger2021-08-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement a new network interface to abstract CNI from libpod. The interface is implemented for the CNI backend but in the future we can add more backends. The code is structured in three new packages: - `libpod/network/types`: contains the interface definition and the necessary types for it. - `libpod/network/cni` contains the interface implementation for the CNI backend. - `libpod/network/util` a set of utility functions related to networking. The CNI package uses ginkgo style unit tests. To test Setup/Teardown the test must be run as root. Each test will run in their own namespace to make the test independent from the host environment. New features with the CNI backend: - The default network will be created in memory if it does not exists on disk. - It can set more than one static IP per container network. - Networks are loaded once from disk and only if this interface is used, e.g. for commands such as `podman info` networks are not loaded. This reduces unnecessary disk IO. This commit only adds the interface it is not wired into libpod. This requires a lot of breaking changes which will be done in a followup commit. Once this is integrated into libpod the current network code under `libpod/network` should be removed. Also the dependency on OCICNI should be dropped. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* dual-stack network: fix duplicated subnet assignmentPaul Holzinger2021-07-26
| | | | | | | | | Make sure podman network create reads all subnets from existing cni configs and not only the first one. Fixes #11032 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Fix network create macvlan with subnet optionPaul Holzinger2021-05-20
| | | | | | | | | | Creating a macvlan network with the subnet or ipRange option should set the ipam plugin type to `host-local`. We also have to insert the default route. Fixes #10283 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Detect if in podman machine virtual vmBrent Baude2021-04-30
| | | | | | | | | | | | When in podman machine virtual machines, podman needs to be able to detect as such. One implementation for this is when creating networks, the podman-machine cni plugin needs to be added to the configuration. This PR also includes the latest containers-common. [NO TESTS NEEDED] Signed-off-by: Brent Baude <bbaude@redhat.com>
* rootless cni without infra containerPaul Holzinger2021-04-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of creating an extra container create a network and mount namespace inside the podman user namespace. This ns is used to for rootless cni operations. This helps to align the rootless and rootful network code path. If we run as rootless we just have to set up a extra net ns and initialize slirp4netns in it. The ocicni lib will be called in that net ns. This design allows allows easier maintenance, no extra container with pause processes, support for rootless cni with --uidmap and possibly more. The biggest problem is backwards compatibility. I don't think live migration can be possible. If the user reboots or restart all cni containers everything should work as expected again. The user is left with the rootless-cni-infa container and image but this can safely be removed. To make the existing cni configs work we need execute the cni plugins in a extra mount namespace. This ensures that we can safely mount over /run and /var which have to be writeable for the cni plugins without removing access to these files by the main podman process. One caveat is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns` accessible. `XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`. To ensure that we keep the netns directory we bind mount this relative to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns before we mount the run directory. The run directory is mounted recursive, this makes the netns directory at the same path accessible as before. This also allows iptables-legacy to work because /run/xtables.lock is now writeable. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Unification of until filter across list/prune endpointsJakub Guzik2021-03-24
| | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Unification of label filter across list/prune endpointsJakub Guzik2021-03-24
| | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* network prune filters for http compat and libpod apiJakub Guzik2021-03-18
| | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Split libpod/network packagePaul Holzinger2021-03-15
| | | | | | | | | | | | The `libpod/network` package should only be used on the backend and not the client. The client used this package only for two functions so move them into a new `pkg/network` package. This is needed so we can put linux only code into `libpod/network`, see #9710. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Fix podman network IDs handlingPaul Holzinger2021-02-22
| | | | | | | | | | | | | The libpod network logic knows about networks IDs but OCICNI does not. We cannot pass the network ID to OCICNI. Instead we need to make sure we only use network names internally. This is also important for libpod since we also only store the network names in the state. If we would add a ID there the same networks could accidentally be added twice. Fixes #9451 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>