libcontainer/network_linux.go - external/github.com/opencontainers/runc - Git at Google

 package libcontainer

 import (
 	"bytes"
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"

 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/types"
 	"github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
 	"github.com/vishvananda/netlink/nl"
 	"github.com/vishvananda/netns"

 	"golang.org/x/sys/unix"
 )

 var strategies = map[string]networkStrategy{
 	"loopback": &loopback{},
 }

 // networkStrategy represents a specific network configuration for
 // a container's networking stack
 type networkStrategy interface {
 	create(*network, int) error
 	initialize(*network) error
 	detach(*configs.Network) error
 	attach(*configs.Network) error
 }

 // getStrategy returns the specific network strategy for the
 // provided type.
 func getStrategy(tpe string) (networkStrategy, error) {
 	s, exists := strategies[tpe]
 	if !exists {
 		return nil, fmt.Errorf("unknown strategy type %q", tpe)
 	}
 	return s, nil
 }

 // Returns the network statistics for the network interfaces represented by the NetworkRuntimeInfo.
 func getNetworkInterfaceStats(interfaceName string) (*types.NetworkInterface, error) {
 	out := &types.NetworkInterface{Name: interfaceName}
 	// This can happen if the network runtime information is missing - possible if the
 	// container was created by an old version of libcontainer.
 	if interfaceName == "" {
 		return out, nil
 	}
 	type netStatsPair struct {
 		// Where to write the output.
 		Out *uint64
 		// The network stats file to read.
 		File string
 	}
 	// Ingress for host veth is from the container. Hence tx_bytes stat on the host veth is actually number of bytes received by the container.
 	netStats := []netStatsPair{
 		{Out: &out.RxBytes, File: "tx_bytes"},
 		{Out: &out.RxPackets, File: "tx_packets"},
 		{Out: &out.RxErrors, File: "tx_errors"},
 		{Out: &out.RxDropped, File: "tx_dropped"},

 		{Out: &out.TxBytes, File: "rx_bytes"},
 		{Out: &out.TxPackets, File: "rx_packets"},
 		{Out: &out.TxErrors, File: "rx_errors"},
 		{Out: &out.TxDropped, File: "rx_dropped"},
 	}
 	for _, netStat := range netStats {
 		data, err := readSysfsNetworkStats(interfaceName, netStat.File)
 		if err != nil {
 			return nil, err
 		}
 		*(netStat.Out) = data
 	}
 	return out, nil
 }

 // Reads the specified statistics available under /sys/class/net/<EthInterface>/statistics
 func readSysfsNetworkStats(ethInterface, statsFile string) (uint64, error) {
 	data, err := os.ReadFile(filepath.Join("/sys/class/net", ethInterface, "statistics", statsFile))
 	if err != nil {
 		return 0, err
 	}
 	return strconv.ParseUint(string(bytes.TrimSpace(data)), 10, 64)
 }

 // loopback is a network strategy that provides a basic loopback device
 type loopback struct{}

 func (l *loopback) create(n *network, nspid int) error {
 	return nil
 }

 func (l *loopback) initialize(config *network) error {
 	return netlink.LinkSetUp(&netlink.Device{LinkAttrs: netlink.LinkAttrs{Name: "lo"}})
 }

 func (l *loopback) attach(n *configs.Network) (err error) {
 	return nil
 }

 func (l *loopback) detach(n *configs.Network) (err error) {
 	return nil
 }

 // devChangeNetNamespace allows to move a device given by name to a network namespace given by nsPath
 // and optionally change the device name.
 // The device name will be kept the same if device.Name is the zero value.
 // This function ensures that the move and rename operations occur atomically.
 // It preserves existing interface attributes, including global IP addresses.
 func devChangeNetNamespace(name, nsPath string, device configs.LinuxNetDevice) error {
 	logrus.Debugf("attaching network device %s with attrs %+v to network namespace %s", name, device, nsPath)
 	link, err := netlink.LinkByName(name)
 	// recover same behavior on vishvananda/netlink@1.2.1 and do not fail when the kernel returns NLM_F_DUMP_INTR.
 	if err != nil && !errors.Is(err, netlink.ErrDumpInterrupted) {
 		return fmt.Errorf("link not found for interface %s on runtime namespace: %w", name, err)
 	}

 	// Set the interface link state to DOWN before modifying attributes like namespace or name.
 	// This prevents potential conflicts or disruptions on the host network during the transition,
 	// particularly if other host components depend on this specific interface or its properties.
 	err = netlink.LinkSetDown(link)
 	if err != nil {
 		return fmt.Errorf("fail to set link down: %w", err)
 	}

 	// Get the existing IP addresses on the interface.
 	addresses, err := netlink.AddrList(link, netlink.FAMILY_ALL)
 	// recover same behavior on vishvananda/netlink@1.2.1 and do not fail when the kernel returns NLM_F_DUMP_INTR.
 	if err != nil && !errors.Is(err, netlink.ErrDumpInterrupted) {
 		return fmt.Errorf("fail to get ip addresses: %w", err)
 	}

 	// Do interface rename and namespace change in the same operation to avoid
 	// possible conflicts with the interface name.
 	// NLM_F_REQUEST: "It must be set on all request messages."
 	// NLM_F_ACK: "Request for an acknowledgment on success."
 	// netlink(7) man page: https://man7.org/linux/man-pages/man7/netlink.7.html
 	flags := unix.NLM_F_REQUEST | unix.NLM_F_ACK
 	req := nl.NewNetlinkRequest(unix.RTM_NEWLINK, flags)

 	// Get a netlink socket in current namespace
 	nlSock, err := nl.GetNetlinkSocketAt(netns.None(), netns.None(), unix.NETLINK_ROUTE)
 	if err != nil {
 		return fmt.Errorf("could not get network namespace handle: %w", err)
 	}
 	defer nlSock.Close()

 	req.Sockets = map[int]*nl.SocketHandle{
 		unix.NETLINK_ROUTE: {Socket: nlSock},
 	}

 	// Set the interface index.
 	msg := nl.NewIfInfomsg(unix.AF_UNSPEC)
 	msg.Index = int32(link.Attrs().Index)
 	req.AddData(msg)

 	// Set the interface name, also rename if requested.
 	newName := name
 	if device.Name != "" {
 		newName = device.Name
 	}
 	nameData := nl.NewRtAttr(unix.IFLA_IFNAME, nl.ZeroTerminated(newName))
 	req.AddData(nameData)

 	// Get the new network namespace.
 	ns, err := netns.GetFromPath(nsPath)
 	if err != nil {
 		return fmt.Errorf("could not get network namespace from path %s for network device %s : %w", nsPath, name, err)
 	}
 	defer ns.Close()

 	val := nl.Uint32Attr(uint32(ns))
 	attr := nl.NewRtAttr(unix.IFLA_NET_NS_FD, val)
 	req.AddData(attr)

 	_, err = req.Execute(unix.NETLINK_ROUTE, 0)
 	// recover same behavior on vishvananda/netlink@1.2.1 and do not fail when the kernel returns NLM_F_DUMP_INTR.
 	if err != nil && !errors.Is(err, netlink.ErrDumpInterrupted) {
 		return fmt.Errorf("fail to move network device %s to network namespace %s: %w", name, nsPath, err)
 	}

 	// To avoid us the husle with goroutines when joining a netns,
 	// we let the library create the socket in the namespace for us.
 	nhNs, err := netlink.NewHandleAt(ns)
 	if err != nil {
 		return err
 	}
 	defer nhNs.Close()

 	nsLink, err := nhNs.LinkByName(newName)
 	// recover same behavior on vishvananda/netlink@1.2.1 and do not fail when the kernel returns NLM_F_DUMP_INTR.
 	if err != nil && !errors.Is(err, netlink.ErrDumpInterrupted) {
 		return fmt.Errorf("link not found for interface %s on namespace %s : %w", newName, nsPath, err)
 	}

 	// Re-add the original IP addresses to the interface in the new namespace.
 	// The kernel removes IP addresses when an interface is moved between network namespaces.
 	for _, address := range addresses {
 		logrus.Debugf("processing address %s from network device %s", address.String(), name)
 		// Only move permanent IP addresses configured by the user, dynamic addresses are excluded because
 		// their validity may rely on the original network namespace's context and they may have limited
 		// lifetimes and are not guaranteed to be available in a new namespace.
 		// Ref: https://www.ietf.org/rfc/rfc3549.txt
 		if address.Flags&unix.IFA_F_PERMANENT == 0 {
 			logrus.Debugf("skipping address %s from network device %s: not a permanent address", address.String(), name)
 			continue
 		}
 		// Only move IP addresses with global scope because those are not host-specific, auto-configured,
 		// or have limited network scope, making them unsuitable inside the container namespace.
 		// Ref: https://www.ietf.org/rfc/rfc3549.txt
 		if address.Scope != unix.RT_SCOPE_UNIVERSE {
 			logrus.Debugf("skipping address %s from network device %s: not an address with global scope", address.String(), name)
 			continue
 		}
 		// Remove the interface attribute of the original address
 		// to avoid issues when the interface is renamed.
 		err = nhNs.AddrAdd(nsLink, &netlink.Addr{IPNet: address.IPNet})
 		if err != nil {
 			return fmt.Errorf("fail to set up address %s on namespace %s: %w", address.String(), nsPath, err)
 		}
 	}

 	err = nhNs.LinkSetUp(nsLink)
 	if err != nil {
 		return fmt.Errorf("fail to set up interface %s on namespace %s: %w", nsLink.Attrs().Name, nsPath, err)
 	}

 	return nil
 }
	package libcontainer

	import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"

	"github.com/opencontainers/runc/libcontainer/configs"
	"github.com/opencontainers/runc/types"
	"github.com/sirupsen/logrus"
	"github.com/vishvananda/netlink"
	"github.com/vishvananda/netlink/nl"
	"github.com/vishvananda/netns"

	"golang.org/x/sys/unix"
	)

	var strategies = map[string]networkStrategy{
	"loopback": &loopback{},
	}

	// networkStrategy represents a specific network configuration for
	// a container's networking stack
	type networkStrategy interface {
	create(*network, int) error
	initialize(*network) error
	detach(*configs.Network) error
	attach(*configs.Network) error
	}

	// getStrategy returns the specific network strategy for the
	// provided type.
	func getStrategy(tpe string) (networkStrategy, error) {
	s, exists := strategies[tpe]
	if !exists {
	return nil, fmt.Errorf("unknown strategy type %q", tpe)
	}
	return s, nil
	}

	// Returns the network statistics for the network interfaces represented by the NetworkRuntimeInfo.
	func getNetworkInterfaceStats(interfaceName string) (*types.NetworkInterface, error) {
	out := &types.NetworkInterface{Name: interfaceName}
	// This can happen if the network runtime information is missing - possible if the
	// container was created by an old version of libcontainer.
	if interfaceName == "" {
	return out, nil
	}
	type netStatsPair struct {
	// Where to write the output.
	Out *uint64
	// The network stats file to read.
	File string
	}
	// Ingress for host veth is from the container. Hence tx_bytes stat on the host veth is actually number of bytes received by the container.
	netStats := []netStatsPair{
	{Out: &out.RxBytes, File: "tx_bytes"},
	{Out: &out.RxPackets, File: "tx_packets"},
	{Out: &out.RxErrors, File: "tx_errors"},
	{Out: &out.RxDropped, File: "tx_dropped"},

	{Out: &out.TxBytes, File: "rx_bytes"},
	{Out: &out.TxPackets, File: "rx_packets"},
	{Out: &out.TxErrors, File: "rx_errors"},
	{Out: &out.TxDropped, File: "rx_dropped"},
	}
	for _, netStat := range netStats {
	data, err := readSysfsNetworkStats(interfaceName, netStat.File)
	if err != nil {
	return nil, err
	}
	*(netStat.Out) = data
	}
	return out, nil
	}

	// Reads the specified statistics available under /sys/class/net/<EthInterface>/statistics
	func readSysfsNetworkStats(ethInterface, statsFile string) (uint64, error) {
	data, err := os.ReadFile(filepath.Join("/sys/class/net", ethInterface, "statistics", statsFile))
	if err != nil {
	return 0, err
	}
	return strconv.ParseUint(string(bytes.TrimSpace(data)), 10, 64)
	}

	// loopback is a network strategy that provides a basic loopback device
	type loopback struct{}

	func (l loopback) create(n network, nspid int) error {
	return nil
	}

	func (l loopback) initialize(config network) error {
	return netlink.LinkSetUp(&netlink.Device{LinkAttrs: netlink.LinkAttrs{Name: "lo"}})
	}

	func (l loopback) attach(n configs.Network) (err error) {
	return nil
	}

	func (l loopback) detach(n configs.Network) (err error) {
	return nil
	}

	// devChangeNetNamespace allows to move a device given by name to a network namespace given by nsPath
	// and optionally change the device name.
	// The device name will be kept the same if device.Name is the zero value.
	// This function ensures that the move and rename operations occur atomically.
	// It preserves existing interface attributes, including global IP addresses.
	func devChangeNetNamespace(name, nsPath string, device configs.LinuxNetDevice) error {
	logrus.Debugf("attaching network device %s with attrs %+v to network namespace %s", name, device, nsPath)
	link, err := netlink.LinkByName(name)
	// recover same behavior on vishvananda/netlink@1.2.1 and do not fail when the kernel returns NLM_F_DUMP_INTR.
	if err != nil && !errors.Is(err, netlink.ErrDumpInterrupted) {
	return fmt.Errorf("link not found for interface %s on runtime namespace: %w", name, err)
	}

	// Set the interface link state to DOWN before modifying attributes like namespace or name.
	// This prevents potential conflicts or disruptions on the host network during the transition,
	// particularly if other host components depend on this specific interface or its properties.
	err = netlink.LinkSetDown(link)
	if err != nil {
	return fmt.Errorf("fail to set link down: %w", err)
	}

	// Get the existing IP addresses on the interface.
	addresses, err := netlink.AddrList(link, netlink.FAMILY_ALL)
	// recover same behavior on vishvananda/netlink@1.2.1 and do not fail when the kernel returns NLM_F_DUMP_INTR.
	if err != nil && !errors.Is(err, netlink.ErrDumpInterrupted) {
	return fmt.Errorf("fail to get ip addresses: %w", err)
	}

	// Do interface rename and namespace change in the same operation to avoid
	// possible conflicts with the interface name.
	// NLM_F_REQUEST: "It must be set on all request messages."
	// NLM_F_ACK: "Request for an acknowledgment on success."
	// netlink(7) man page: https://man7.org/linux/man-pages/man7/netlink.7.html
	flags := unix.NLM_F_REQUEST \| unix.NLM_F_ACK
	req := nl.NewNetlinkRequest(unix.RTM_NEWLINK, flags)

	// Get a netlink socket in current namespace
	nlSock, err := nl.GetNetlinkSocketAt(netns.None(), netns.None(), unix.NETLINK_ROUTE)
	if err != nil {
	return fmt.Errorf("could not get network namespace handle: %w", err)
	}
	defer nlSock.Close()

	req.Sockets = map[int]*nl.SocketHandle{
	unix.NETLINK_ROUTE: {Socket: nlSock},
	}

	// Set the interface index.
	msg := nl.NewIfInfomsg(unix.AF_UNSPEC)
	msg.Index = int32(link.Attrs().Index)
	req.AddData(msg)

	// Set the interface name, also rename if requested.
	newName := name
	if device.Name != "" {
	newName = device.Name
	}
	nameData := nl.NewRtAttr(unix.IFLA_IFNAME, nl.ZeroTerminated(newName))
	req.AddData(nameData)

	// Get the new network namespace.
	ns, err := netns.GetFromPath(nsPath)
	if err != nil {
	return fmt.Errorf("could not get network namespace from path %s for network device %s : %w", nsPath, name, err)
	}
	defer ns.Close()

	val := nl.Uint32Attr(uint32(ns))
	attr := nl.NewRtAttr(unix.IFLA_NET_NS_FD, val)
	req.AddData(attr)

	_, err = req.Execute(unix.NETLINK_ROUTE, 0)
	// recover same behavior on vishvananda/netlink@1.2.1 and do not fail when the kernel returns NLM_F_DUMP_INTR.
	if err != nil && !errors.Is(err, netlink.ErrDumpInterrupted) {
	return fmt.Errorf("fail to move network device %s to network namespace %s: %w", name, nsPath, err)
	}

	// To avoid us the husle with goroutines when joining a netns,
	// we let the library create the socket in the namespace for us.
	nhNs, err := netlink.NewHandleAt(ns)
	if err != nil {
	return err
	}
	defer nhNs.Close()

	nsLink, err := nhNs.LinkByName(newName)
	// recover same behavior on vishvananda/netlink@1.2.1 and do not fail when the kernel returns NLM_F_DUMP_INTR.
	if err != nil && !errors.Is(err, netlink.ErrDumpInterrupted) {
	return fmt.Errorf("link not found for interface %s on namespace %s : %w", newName, nsPath, err)
	}

	// Re-add the original IP addresses to the interface in the new namespace.
	// The kernel removes IP addresses when an interface is moved between network namespaces.
	for _, address := range addresses {
	logrus.Debugf("processing address %s from network device %s", address.String(), name)
	// Only move permanent IP addresses configured by the user, dynamic addresses are excluded because
	// their validity may rely on the original network namespace's context and they may have limited
	// lifetimes and are not guaranteed to be available in a new namespace.
	// Ref: https://www.ietf.org/rfc/rfc3549.txt
	if address.Flags&unix.IFA_F_PERMANENT == 0 {
	logrus.Debugf("skipping address %s from network device %s: not a permanent address", address.String(), name)
	continue
	}
	// Only move IP addresses with global scope because those are not host-specific, auto-configured,
	// or have limited network scope, making them unsuitable inside the container namespace.
	// Ref: https://www.ietf.org/rfc/rfc3549.txt
	if address.Scope != unix.RT_SCOPE_UNIVERSE {
	logrus.Debugf("skipping address %s from network device %s: not an address with global scope", address.String(), name)
	continue
	}
	// Remove the interface attribute of the original address
	// to avoid issues when the interface is renamed.
	err = nhNs.AddrAdd(nsLink, &netlink.Addr{IPNet: address.IPNet})
	if err != nil {
	return fmt.Errorf("fail to set up address %s on namespace %s: %w", address.String(), nsPath, err)
	}
	}

	err = nhNs.LinkSetUp(nsLink)
	if err != nil {
	return fmt.Errorf("fail to set up interface %s on namespace %s: %w", nsLink.Attrs().Name, nsPath, err)
	}

	return nil
	}