f)firecracker-runc-config.jsonixup! Add support for netns

Signed-off-by: xibz <impactbchang@gmail.com>

Author: xibz

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/docker/go-events v0.0.0-20170721190031-9461782956ad // indirect
 	github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 // indirect
 	github.com/docker/go-units v0.3.3
-	github.com/firecracker-microvm/firecracker-go-sdk v0.19.1-0.20191108195453-43d336c3dcbf
+	github.com/firecracker-microvm/firecracker-go-sdk v0.19.1-0.20191114205152-9e2ff62839b2
 	github.com/go-ole/go-ole v1.2.4 // indirect
 	github.com/godbus/dbus v0.0.0-20181025153459-66d97aec3384 // indirect
 	github.com/gofrs/uuid v3.2.0+incompatible

go.sum

@@ -59,8 +59,8 @@ github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 h1:X0fj836zx99zF
 github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-units v0.3.3 h1:Xk8S3Xj5sLGlG5g67hJmYMmUgXv5N4PhkjJHHqrwnTk=
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/firecracker-microvm/firecracker-go-sdk v0.19.1-0.20191108195453-43d336c3dcbf h1:HlqW7e7IwSIHBHJg4gBN6Kz9afSnEmB3+9e4/iTbBTw=
-github.com/firecracker-microvm/firecracker-go-sdk v0.19.1-0.20191108195453-43d336c3dcbf/go.mod h1:kW0gxvPpPvMukUxxTO9DrpSlScrtrTDGY3VgjAj/Qwc=
+github.com/firecracker-microvm/firecracker-go-sdk v0.19.1-0.20191114205152-9e2ff62839b2 h1:Ab52E0UlBOmMIAK/igRycsxSAJVDBDMYq+Wr/n7z2E0=
+github.com/firecracker-microvm/firecracker-go-sdk v0.19.1-0.20191114205152-9e2ff62839b2/go.mod h1:kW0gxvPpPvMukUxxTO9DrpSlScrtrTDGY3VgjAj/Qwc=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb h1:D4uzjWwKYQ5XnAvUbuvHW93esHg7F8N/OYeBBcJoTr0=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=

runtime/cni_integ_test.go

@@ -28,6 +28,7 @@ import (
 	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/containerd/pkg/ttrpcutil"
+	"github.com/firecracker-microvm/firecracker-go-sdk/cni/cmd/tc-redirect-tap/args"
 	"github.com/shirou/gopsutil/cpu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -95,8 +96,23 @@ func TestCNISupport_Isolated(t *testing.T) {
 					CNIConfig: &proto.CNIConfiguration{
 						NetworkName:   cniNetworkName,
 						InterfaceName: "veth0",
+						Args: []*proto.CNIConfiguration_CNIArg{
+							{
+								Key:   "IgnoreUnknown",
+								Value: "true",
+							},
+							{
+								Key:   args.TCRedirectTapUID,
+								Value: fmt.Sprintf("%d", jailerUID),
+							},
+							{
+								Key:   args.TCRedirectTapGID,
+								Value: fmt.Sprintf("%d", jailerGID),
+							},
+						},
 					},
 				}},
+				JailerConfig: &proto.JailerConfig{},
 			})
 			require.NoError(t, err, "failed to create vm")
 

runtime/runc_jailer.go

@@ -23,7 +23,6 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
-	"sync"
 	"syscall"
 
 	"github.com/firecracker-microvm/firecracker-go-sdk"
@@ -51,13 +50,11 @@ type runcJailer struct {
 	runcBinaryPath string
 	uid            uint32
 	gid            uint32
-	once           sync.Once
+	configSpec     specs.Spec
 }
 
 const firecrackerFileName = "firecracker"
 
-var configSpec *specs.Spec
-
 func newRuncJailer(ctx context.Context, logger *logrus.Entry, ociBundlePath, runcBinPath string, uid, gid uint32) (*runcJailer, error) {
 	l := logger.WithField("ociBundlePath", ociBundlePath).
 		WithField("runcBinaryPath", runcBinPath)
@@ -71,6 +68,19 @@ func newRuncJailer(ctx context.Context, logger *logrus.Entry, ociBundlePath, run
 		gid:            gid,
 	}
 
+	spec := specs.Spec{}
+	var configBytes []byte
+	configBytes, err := ioutil.ReadFile(runcConfigPath)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to read %s", runcConfigPath)
+	}
+
+	if err = json.Unmarshal(configBytes, &spec); err != nil {
+		return nil, errors.Wrapf(err, "failed to unmarshal %s", runcConfigPath)
+	}
+
+	j.configSpec = spec
+
 	rootPath := j.RootPath()
 
 	const mode = os.FileMode(0700)
@@ -109,7 +119,7 @@ func (j *runcJailer) BuildJailedMachine(cfg *Config, machineConfig *firecracker.
 	client := firecracker.NewClient(machineConfig.SocketPath, j.logger, machineConfig.Debug)
 
 	if machineConfig.NetNS == "" {
-		if netns := getNetNS(configSpec); netns != "" {
+		if netns := getNetNS(j.configSpec); netns != "" {
 			machineConfig.NetNS = netns
 		}
 	}
@@ -370,47 +380,19 @@ func (j *runcJailer) jailerCommand(containerName string, isDebug bool) *exec.Cmd
 
 // overwriteConfig will set the proper default values if a field had not been set.
 func (j *runcJailer) overwriteConfig(cfg *Config, machineConfig *firecracker.Config, socketPath, configPath string) error {
-	var err error
-	j.once.Do(func() {
-		// here we attempt to cache the runc config. If the config has already been
-		// cached, we will return immediately
-		if configSpec != nil {
-			return
-		}
-
-		spec := specs.Spec{}
-		var configBytes []byte
-		configBytes, err = ioutil.ReadFile(configPath)
-		if err != nil {
-			return
-		}
-
-		if err = json.Unmarshal(configBytes, &spec); err != nil {
-			return
-		}
-
-		configSpec = &spec
-
-		if spec.Process.User.UID != 0 ||
-			spec.Process.User.GID != 0 {
-			err = fmt.Errorf(
-				"using UID %d and GID %d, these values must not be set",
-				spec.Process.User.UID,
-				spec.Process.User.GID,
-			)
-			return
-		}
-
-		spec = j.setDefaultConfigValues(cfg, socketPath, spec)
-		spec.Root.Path = rootfsFolder
-		spec.Root.Readonly = false
-	})
-
-	if err != nil {
-		return err
+	spec := j.configSpec
+	if spec.Process.User.UID != 0 ||
+		spec.Process.User.GID != 0 {
+		return fmt.Errorf(
+			"using UID %d and GID %d, these values must not be set",
+			spec.Process.User.UID,
+			spec.Process.User.GID,
+		)
 	}
 
-	spec := *configSpec
+	spec = j.setDefaultConfigValues(cfg, socketPath, spec)
+	spec.Root.Path = rootfsFolder
+	spec.Root.Readonly = false
 	spec.Process.User.UID = j.uid
 	spec.Process.User.GID = j.gid
 
@@ -491,11 +473,7 @@ func mkdirAllWithPermissions(path string, mode os.FileMode, uid, gid uint32) err
 	return nil
 }
 
-func getNetNS(spec *specs.Spec) string {
-	if spec == nil {
-		return ""
-	}
-
+func getNetNS(spec specs.Spec) string {
 	for _, ns := range spec.Linux.Namespaces {
 		if ns.Type == networkNamespaceRuncName {
 			return ns.Path