aboutsummaryrefslogtreecommitdiff
path: root/libpod/networking.go
blob: 5118b972a98347e3de125d86331bc24ba31850cd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
package libpod

import (
	"net"

	cnitypes "github.com/containernetworking/cni/pkg/types/current"
	"github.com/containernetworking/plugins/pkg/ns"
	"github.com/cri-o/ocicni/pkg/ocicni"
	"github.com/pkg/errors"
	"github.com/projectatomic/libpod/utils"
	"github.com/sirupsen/logrus"
	"strings"
)

// Get an OCICNI network config
func getPodNetwork(id, name, nsPath string, ports []ocicni.PortMapping) ocicni.PodNetwork {
	return ocicni.PodNetwork{
		Name:         name,
		Namespace:    name, // TODO is there something else we should put here? We don't know about Kube namespaces
		ID:           id,
		NetNS:        nsPath,
		PortMappings: ports,
	}
}

// Create and configure a new network namespace for a container
func (r *Runtime) createNetNS(ctr *Container) (err error) {
	ctrNS, err := ns.NewNS()
	if err != nil {
		return errors.Wrapf(err, "error creating network namespace for container %s", ctr.ID())
	}
	defer func() {
		if err != nil {
			if err2 := ctrNS.Close(); err2 != nil {
				logrus.Errorf("Error closing partially created network namespace for container %s: %v", ctr.ID(), err2)
			}
		}
	}()

	logrus.Debugf("Made network namespace at %s for container %s", ctrNS.Path(), ctr.ID())
	podNetwork := getPodNetwork(ctr.ID(), ctr.Name(), ctrNS.Path(), ctr.config.PortMappings)

	result, err := r.netPlugin.SetUpPod(podNetwork)
	if err != nil {
		return errors.Wrapf(err, "error configuring network namespace for container %s", ctr.ID())
	}
	defer func() {
		if err != nil {
			if err2 := r.netPlugin.TearDownPod(podNetwork); err2 != nil {
				logrus.Errorf("Error tearing down partially created network namespace for container %s: %v", ctr.ID(), err2)
			}
		}
	}()

	logrus.Debugf("Response from CNI plugins: %v", result.String())

	resultStruct, err := cnitypes.GetResult(result)
	if err != nil {
		return errors.Wrapf(err, "error parsing result from CNI plugins")
	}

	ctr.state.NetNS = ctrNS
	ctr.state.IPs = resultStruct.IPs
	ctr.state.Routes = resultStruct.Routes

	// We need to temporarily use iptables to allow the container
	// to resolve DNS until this issue is fixed upstream.
	// https://github.com/containernetworking/plugins/pull/75
	if resultStruct.IPs != nil {
		for _, ip := range resultStruct.IPs {
			iptablesCmd := iptablesDNS("-I", ip.Address.IP.String())
			logrus.Debug("Running iptables command: ", strings.Join(iptablesCmd, " "))
			_, err := utils.ExecCmd("iptables", iptablesCmd...)
			if err != nil {
				logrus.Error(err)
			}
		}
	}
	return nil
}

// iptablesDNS accepts an arg (-I|-D) and IP address that generates the
// iptables command to be run
func iptablesDNS(arg, ip string) []string {
	return []string{"-t", "filter", arg, "FORWARD", "-s", ip, "!", "-o", ip, "-j", "ACCEPT"}
}

// Join an existing network namespace
func joinNetNS(path string) (ns.NetNS, error) {
	ns, err := ns.GetNS(path)
	if err != nil {
		return nil, errors.Wrapf(err, "error retrieving network namespace at %s", path)
	}

	return ns, nil
}

// Get a container's IP address
func (r *Runtime) getContainerIP(ctr *Container) (net.IP, error) {
	if ctr.state.NetNS == nil {
		return nil, errors.Wrapf(ErrInvalidArg, "container %s has no network namespace, cannot get IP", ctr.ID())
	}

	podNetwork := getPodNetwork(ctr.ID(), ctr.Name(), ctr.state.NetNS.Path(), ctr.config.PortMappings)

	ipStr, err := r.netPlugin.GetPodNetworkStatus(podNetwork)
	if err != nil {
		return nil, errors.Wrapf(err, "error retrieving network status of container %s", ctr.ID())
	}

	ip := net.ParseIP(ipStr)
	if ip == nil {
		return nil, errors.Wrapf(ErrInternal, "error parsing IP address %s for container %s", ipStr, ctr.ID())
	}

	return ip, nil
}

// Tear down a network namespace
func (r *Runtime) teardownNetNS(ctr *Container) error {
	if ctr.state.NetNS == nil {
		// The container has no network namespace, we're set
		return nil
	}

	// Because we are using iptables to allow the container to resolve DNS
	// on per IP address, we also need to try to remove the iptables rule
	// on cleanup. Remove when https://github.com/containernetworking/plugins/pull/75
	// is merged.
	for _, ip := range ctr.state.IPs {
		iptablesCmd := iptablesDNS("-D", ip.Address.IP.String())
		logrus.Debug("Running iptables command: ", strings.Join(iptablesCmd, " "))
		_, err := utils.ExecCmd("iptables", iptablesCmd...)
		if err != nil {
			logrus.Error(err)
		}
	}

	logrus.Debugf("Tearing down network namespace at %s for container %s", ctr.state.NetNS.Path(), ctr.ID())

	podNetwork := getPodNetwork(ctr.ID(), ctr.Name(), ctr.state.NetNS.Path(), ctr.config.PortMappings)

	// The network may have already been torn down, so don't fail here, just log
	if err := r.netPlugin.TearDownPod(podNetwork); err != nil {
		logrus.Errorf("Failed to tear down network namespace for container %s: %v", ctr.ID(), err)
	}

	if err := ctr.state.NetNS.Close(); err != nil {
		return errors.Wrapf(err, "error closing network namespace for container %s", ctr.ID())
	}

	ctr.state.NetNS = nil

	return nil
}