14
"github.com/containers/buildah/pkg/jail"
15
"github.com/containers/common/libnetwork/types"
16
"github.com/containers/podman/v5/libpod/define"
17
"github.com/containers/storage/pkg/lockfile"
18
"github.com/sirupsen/logrus"
22
Statistics NetstatInterface `json:"statistics"`
25
type NetstatInterface struct {26
Interface []NetstatAddress `json:"interface"`
29
type NetstatAddress struct {30
Name string `json:"name"`
31
Flags string `json:"flags"`
33
Network string `json:"network"`
34
Address string `json:"address"`
36
ReceivedPackets uint64 `json:"received-packets"`
37
ReceivedBytes uint64 `json:"received-bytes"`
38
ReceivedErrors uint64 `json:"received-errors"`
40
SentPackets uint64 `json:"sent-packets"`
41
SentBytes uint64 `json:"sent-bytes"`
42
SentErrors uint64 `json:"send-errors"`
44
DroppedPackets uint64 `json:"dropped-packets"`
46
Collisions uint64 `json:"collisions"`
49
type RootlessNetNS struct {51
Lock *lockfile.LockFile
54
// getPath will join the given path to the rootless netns dir
55
func (r *RootlessNetNS) getPath(path string) string {56
return filepath.Join(r.dir, path)
59
// Do - run the given function in the rootless netns.
60
// It does not lock the rootlessCNI lock, the caller
61
// should only lock when needed, e.g. for network operations.
62
func (r *RootlessNetNS) Do(toRun func() error) error {63
return errors.New("not supported on freebsd")66
// Cleanup the rootless network namespace if needed.
67
// It checks if we have running containers with the bridge network mode.
68
// Cleanup() expects that r.Lock is locked
69
func (r *RootlessNetNS) Cleanup(runtime *Runtime) error {70
return errors.New("not supported on freebsd")73
// GetRootlessNetNs returns the rootless netns object. If create is set to true
74
// the rootless network namespace will be created if it does not already exist.
75
// If called as root it returns always nil.
76
// On success the returned RootlessCNI lock is locked and must be unlocked by the caller.
77
func (r *Runtime) GetRootlessNetNs(new bool) (*RootlessNetNS, error) {81
func getSlirp4netnsIP(subnet *net.IPNet) (*net.IP, error) {82
return nil, errors.New("not implemented GetSlirp4netnsIP")85
// This is called after the container's jail is created but before its
86
// started. We can use this to initialise the container's vnet when we don't
87
// have a separate vnet jail (which is the case in FreeBSD 13.3 and later).
88
func (r *Runtime) setupNetNS(ctr *Container) error {89
networkStatus, err := r.configureNetNS(ctr, ctr.ID())
90
ctr.state.NetNS = ctr.ID()
91
ctr.state.NetworkStatus = networkStatus
95
// Create and configure a new network namespace for a container
96
func (r *Runtime) configureNetNS(ctr *Container, ctrNS string) (status map[string]types.StatusBlock, rerr error) {97
if err := r.exposeMachinePorts(ctr.config.PortMappings); err != nil {101
// make sure to unexpose the gvproxy ports when an error happens
103
if err := r.unexposeMachinePorts(ctr.config.PortMappings); err != nil {104
logrus.Errorf("failed to free gvproxy machine ports: %v", err)108
networks, err := ctr.networks()
112
// All networks have been removed from the container.
113
// This is effectively forcing net=none.
114
if len(networks) == 0 {118
netOpts := ctr.getNetworkOptions(networks)
119
netStatus, err := r.setUpNetwork(ctrNS, netOpts)
124
return netStatus, err
127
// Create and configure a new network namespace for a container
128
func (r *Runtime) createNetNS(ctr *Container) (n string, q map[string]types.StatusBlock, retErr error) {129
b := make([]byte, 16)
130
_, err := rand.Reader.Read(b)
132
return "", nil, fmt.Errorf("failed to generate random vnet name: %v", err)134
netns := fmt.Sprintf("vnet-%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])136
jconf := jail.NewConfig()
137
jconf.Set("name", netns)138
jconf.Set("vnet", jail.NEW)139
jconf.Set("children.max", 1)140
jconf.Set("persist", true)141
jconf.Set("enforce_statfs", 0)142
jconf.Set("devfs_ruleset", 4)143
jconf.Set("allow.raw_sockets", true)144
jconf.Set("allow.chflags", true)145
jconf.Set("securelevel", -1)146
j, err := jail.Create(jconf)
148
return "", nil, fmt.Errorf("Failed to create vnet jail %s for container %s: %w", netns, ctr.ID(), err)151
logrus.Debugf("Created vnet jail %s for container %s", netns, ctr.ID())153
var networkStatus map[string]types.StatusBlock
154
networkStatus, err = r.configureNetNS(ctr, netns)
156
jconf := jail.NewConfig()
157
jconf.Set("persist", false)158
if err := j.Set(jconf); err != nil {159
// Log this error and return the error from configureNetNS
160
logrus.Errorf("failed to destroy vnet jail %s: %w", netns, err)163
return netns, networkStatus, err
166
// Tear down a network namespace, undoing all state associated with it.
167
func (r *Runtime) teardownNetNS(ctr *Container) error {168
if err := r.unexposeMachinePorts(ctr.config.PortMappings); err != nil {169
// do not return an error otherwise we would prevent network cleanup
170
logrus.Errorf("failed to free gvproxy machine ports: %v", err)172
if err := r.teardownNetwork(ctr); err != nil {176
if ctr.state.NetNS != "" {177
// If PostConfigureNetNS is false, then we are running with a
178
// separate vnet jail so we need to clean that up now.
179
if !ctr.config.PostConfigureNetNS {180
// Rather than destroying the jail immediately, reset the
181
// persist flag so that it will live until the container is
183
netjail, err := jail.FindByName(ctr.state.NetNS)
185
return fmt.Errorf("finding network jail %s: %w", ctr.state.NetNS, err)187
jconf := jail.NewConfig()
188
jconf.Set("persist", false)189
if err := netjail.Set(jconf); err != nil {190
return fmt.Errorf("releasing network jail %s: %w", ctr.state.NetNS, err)198
// TODO (5.0): return the statistics per network interface
199
// This would allow better compat with docker.
200
func getContainerNetIO(ctr *Container) (map[string]define.ContainerNetworkStats, error) {201
if ctr.state.NetNS == "" {202
// If NetNS is nil, it was set as none, and no netNS
203
// was set up this is a valid state and thus return no
204
// error, nor any statistics
208
// First try running 'netstat -j' - this lets us retrieve stats from
209
// containers which don't have a separate vnet jail.
210
cmd := exec.Command("netstat", "-j", ctr.state.NetNS, "-bi", "--libxo", "json")211
out, err := cmd.Output()
213
// Fall back to using jexec so that this still works on 13.2
214
// which does not have the -j flag.
215
cmd := exec.Command("jexec", ctr.state.NetNS, "netstat", "-bi", "--libxo", "json")216
out, err = cmd.Output()
219
return nil, fmt.Errorf("failed to read network stats: %v", err)222
if err := jdec.Unmarshal(out, &stats); err != nil {226
res := make(map[string]define.ContainerNetworkStats)
228
// Sum all the interface stats - in practice only Tx/TxBytes are needed
229
for _, ifaddr := range stats.Statistics.Interface {230
// Each interface has two records, one for link-layer which has
231
// an MTU field and one for IP which doesn't. We only want the
234
// It's not clear if we should include loopback stats here but
235
// if we move to per-interface stats in future, this can be
236
// reported separately.
238
linkStats := define.ContainerNetworkStats{239
RxPackets: ifaddr.ReceivedPackets,
240
TxPackets: ifaddr.SentPackets,
241
RxBytes: ifaddr.ReceivedBytes,
242
TxBytes: ifaddr.SentBytes,
243
RxErrors: ifaddr.ReceivedErrors,
244
TxErrors: ifaddr.SentErrors,
245
RxDropped: ifaddr.DroppedPackets,
247
res[ifaddr.Name] = linkStats
254
func (c *Container) joinedNetworkNSPath() (string, bool) {255
return c.state.NetNS, false
258
func (c *Container) inspectJoinedNetworkNS(networkns string) (q types.StatusBlock, retErr error) {259
// TODO: extract interface information from the vnet jail
260
return types.StatusBlock{}, nil264
func (c *Container) reloadRootlessRLKPortMapping() error {265
return errors.New("unsupported (*Container).reloadRootlessRLKPortMapping")268
func (c *Container) setupRootlessNetwork() error {