libnetwork: create pick subnets from subnet pool

When we create a bridge network and no subnet is given we will a free
one automatically. The current logic just took the first free /24
network after 10.89.0.0. Now we will instead use the default subnet pool
from containers.conf. The default value is still the same but users can
change it if they want. This also fixes a problem where podman network
create could pick a public ipv4 network when all 10.0.0.0/8 networks
were already used. Now it will error if no free subnet is found in the
subnet pools.

Fixes #930

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

common/libnetwork/cni/config.go

@@ -69,7 +69,7 @@ func (n *cniNetwork) networkCreate(newNetwork *types.Network, defaultNet bool) (
 
 	switch newNetwork.Driver {
 	case types.BridgeNetworkDriver:
-		err = internalutil.CreateBridge(n, newNetwork, usedNetworks)
+		err = internalutil.CreateBridge(n, newNetwork, usedNetworks, n.defaultsubnetPools)
 		if err != nil {
 			return nil, err
 		}

common/libnetwork/cni/network.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/containernetworking/cni/libcni"
 	"github.com/containers/common/libnetwork/types"
+	"github.com/containers/common/pkg/config"
 	"github.com/containers/storage/pkg/lockfile"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -31,6 +32,9 @@ type cniNetwork struct {
 	// defaultSubnet is the default subnet for the default network.
 	defaultSubnet types.IPNet
 
+	// defaultsubnetPools contains the subnets which must be used to allocate a free subnet by network create
+	defaultsubnetPools []config.SubnetPool
+
 	// isMachine describes whenever podman runs in a podman machine environment.
 	isMachine bool
 
@@ -62,6 +66,9 @@ type InitConfig struct {
 	// DefaultSubnet is the default subnet for the default network.
 	DefaultSubnet string
 
+	// DefaultsubnetPools contains the subnets which must be used to allocate a free subnet by network create
+	DefaultsubnetPools []config.SubnetPool
+
 	// IsMachine describes whenever podman runs in a podman machine environment.
 	IsMachine bool
 }
@@ -89,6 +96,11 @@ func NewCNINetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		return nil, errors.Wrap(err, "failed to parse default subnet")
 	}
 
+	defaultSubnetPools := conf.DefaultsubnetPools
+	if defaultSubnetPools == nil {
+		defaultSubnetPools = config.DefaultSubnetPools
+	}
+
 	cni := libcni.NewCNIConfig(conf.CNIPluginDirs, &cniExec{})
 	n := &cniNetwork{
 		cniConfigDir:       conf.CNIConfigDir,
@@ -96,6 +108,7 @@ func NewCNINetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		cniConf:            cni,
 		defaultNetwork:     defaultNetworkName,
 		defaultSubnet:      defaultNet,
+		defaultsubnetPools: defaultSubnetPools,
 		isMachine:          conf.IsMachine,
 		lock:               lock,
 	}

common/libnetwork/internal/util/bridge.go

@@ -5,11 +5,12 @@ import (
 
 	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/libnetwork/util"
+	"github.com/containers/common/pkg/config"
 	pkgutil "github.com/containers/common/pkg/util"
 	"github.com/pkg/errors"
 )
 
-func CreateBridge(n NetUtil, network *types.Network, usedNetworks []*net.IPNet) error {
+func CreateBridge(n NetUtil, network *types.Network, usedNetworks []*net.IPNet, subnetPools []config.SubnetPool) error {
 	if network.NetworkInterface != "" {
 		bridges := GetBridgeInterfaceNames(n)
 		if pkgutil.StringInSlice(network.NetworkInterface, bridges) {
@@ -28,7 +29,7 @@ func CreateBridge(n NetUtil, network *types.Network, usedNetworks []*net.IPNet)
 
 	if network.IPAMOptions["driver"] != types.DHCPIPAMDriver {
 		if len(network.Subnets) == 0 {
-			freeSubnet, err := GetFreeIPv4NetworkSubnet(usedNetworks)
+			freeSubnet, err := GetFreeIPv4NetworkSubnet(usedNetworks, subnetPools)
 			if err != nil {
 				return err
 			}
@@ -48,7 +49,7 @@ func CreateBridge(n NetUtil, network *types.Network, usedNetworks []*net.IPNet)
 				}
 			}
 			if !ipv4 {
-				freeSubnet, err := GetFreeIPv4NetworkSubnet(usedNetworks)
+				freeSubnet, err := GetFreeIPv4NetworkSubnet(usedNetworks, subnetPools)
 				if err != nil {
 					return err
 				}

common/libnetwork/internal/util/util.go

@@ -6,6 +6,7 @@ import (
 	"net"
 
 	"github.com/containers/common/libnetwork/types"
+	"github.com/containers/common/pkg/config"
 	"github.com/containers/common/pkg/util"
 	"github.com/sirupsen/logrus"
 )
@@ -79,28 +80,36 @@ func GetUsedSubnets(n NetUtil) ([]*net.IPNet, error) {
 }
 
 // GetFreeIPv4NetworkSubnet returns a unused ipv4 subnet
-func GetFreeIPv4NetworkSubnet(usedNetworks []*net.IPNet) (*types.Subnet, error) {
+func GetFreeIPv4NetworkSubnet(usedNetworks []*net.IPNet, subnetPools []config.SubnetPool) (*types.Subnet, error) {
-	// the default podman network is 10.88.0.0/16
+	var err error
-	// start locking for free /24 networks
+	for _, pool := range subnetPools {
+		// make sure to copy the netip to prevent overwriting the subnet pool
+		netIP := make(net.IP, net.IPv4len)
+		copy(netIP, pool.Base.IP)
 		network := &net.IPNet{
-		IP:   net.IP{10, 89, 0, 0},
+			IP:   netIP,
-		Mask: net.IPMask{255, 255, 255, 0},
+			Mask: net.CIDRMask(pool.Size, 32),
 		}
-
+		for pool.Base.Contains(network.IP) {
-	// TODO: make sure to not use public subnets
+			if !NetworkIntersectsWithNetworks(network, usedNetworks) {
-	for {
-		if intersectsConfig := NetworkIntersectsWithNetworks(network, usedNetworks); !intersectsConfig {
 				logrus.Debugf("found free ipv4 network subnet %s", network.String())
 				return &types.Subnet{
 					Subnet: types.IPNet{IPNet: *network},
 				}, nil
 			}
-		var err error
 			network, err = NextSubnet(network)
+			if err != nil {
+				// when error go to next pool, we return the error only when all pools are done
+				break
+			}
+		}
+	}
+
 	if err != nil {
 		return nil, err
 	}
-	}
+	return nil, errors.New("could not find free subnet from subnet pools")
+
 }
 
 // GetFreeIPv6NetworkSubnet returns a unused ipv6 subnet

common/libnetwork/internal/util/util_test.go

@@ -0,0 +1,116 @@
+package util
+
+import (
+	"net"
+	"reflect"
+	"testing"
+
+	"github.com/containers/common/libnetwork/types"
+	"github.com/containers/common/pkg/config"
+)
+
+func parseIPNet(subnet string) *types.IPNet {
+	n, _ := types.ParseCIDR(subnet)
+	return &n
+}
+
+func parseSubnet(subnet string) *types.Subnet {
+	n := parseIPNet(subnet)
+	return &types.Subnet{Subnet: *n}
+}
+
+func TestGetFreeIPv4NetworkSubnet(t *testing.T) {
+	type args struct {
+		usedNetworks []*net.IPNet
+		subnetPools  []config.SubnetPool
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *types.Subnet
+		wantErr bool
+	}{
+		{
+			name: "single subnet pool",
+			args: args{
+				subnetPools: []config.SubnetPool{
+					{Base: parseIPNet("10.89.0.0/16"), Size: 24},
+				},
+			},
+			want: parseSubnet("10.89.0.0/24"),
+		},
+		{
+			name: "single subnet pool with used nets",
+			args: args{
+				subnetPools: []config.SubnetPool{
+					{Base: parseIPNet("10.89.0.0/16"), Size: 24},
+				},
+				usedNetworks: []*net.IPNet{
+					parseCIDR("10.89.0.0/25"),
+				},
+			},
+			want: parseSubnet("10.89.1.0/24"),
+		},
+		{
+			name: "single subnet pool with no free nets",
+			args: args{
+				subnetPools: []config.SubnetPool{
+					{Base: parseIPNet("10.89.0.0/16"), Size: 24},
+				},
+				usedNetworks: []*net.IPNet{
+					parseCIDR("10.89.0.0/16"),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "two subnet pools",
+			args: args{
+				subnetPools: []config.SubnetPool{
+					{Base: parseIPNet("10.89.0.0/16"), Size: 24},
+					{Base: parseIPNet("10.90.0.0/16"), Size: 25},
+				},
+			},
+			want: parseSubnet("10.89.0.0/24"),
+		},
+		{
+			name: "two subnet pools with no free subnet in first pool",
+			args: args{
+				subnetPools: []config.SubnetPool{
+					{Base: parseIPNet("10.89.0.0/16"), Size: 24},
+					{Base: parseIPNet("10.90.0.0/16"), Size: 25},
+				},
+				usedNetworks: []*net.IPNet{
+					parseCIDR("10.89.0.0/16"),
+				},
+			},
+			want: parseSubnet("10.90.0.0/25"),
+		},
+		{
+			name: "two subnet pools with no free subnet",
+			args: args{
+				subnetPools: []config.SubnetPool{
+					{Base: parseIPNet("10.89.0.0/16"), Size: 24},
+					{Base: parseIPNet("10.90.0.0/16"), Size: 25},
+				},
+				usedNetworks: []*net.IPNet{
+					parseCIDR("10.89.0.0/8"),
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := GetFreeIPv4NetworkSubnet(tt.args.usedNetworks, tt.args.subnetPools)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("GetFreeIPv4NetworkSubnet() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("GetFreeIPv4NetworkSubnet() = %v, want %v", got.Subnet.String(), tt.want.Subnet.String())
+			}
+		})
+	}
+}

common/libnetwork/netavark/config.go

@@ -83,7 +83,7 @@ func (n *netavarkNetwork) networkCreate(newNetwork *types.Network, defaultNet bo
 
 	switch newNetwork.Driver {
 	case types.BridgeNetworkDriver:
-		err = internalutil.CreateBridge(n, newNetwork, usedNetworks)
+		err = internalutil.CreateBridge(n, newNetwork, usedNetworks, n.defaultsubnetPools)
 		if err != nil {
 			return nil, err
 		}

common/libnetwork/netavark/network.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/containers/common/libnetwork/internal/util"
 	"github.com/containers/common/libnetwork/types"
+	"github.com/containers/common/pkg/config"
 	"github.com/containers/storage/pkg/lockfile"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/pkg/errors"
@@ -38,6 +39,9 @@ type netavarkNetwork struct {
 	// defaultSubnet is the default subnet for the default network.
 	defaultSubnet types.IPNet
 
+	// defaultsubnetPools contains the subnets which must be used to allocate a free subnet by network create
+	defaultsubnetPools []config.SubnetPool
+
 	// ipamDBPath is the path to the ip allocation bolt db
 	ipamDBPath string
 
@@ -72,6 +76,9 @@ type InitConfig struct {
 	// DefaultSubnet is the default subnet for the default network.
 	DefaultSubnet string
 
+	// DefaultsubnetPools contains the subnets which must be used to allocate a free subnet by network create
+	DefaultsubnetPools []config.SubnetPool
+
 	// Syslog describes whenever the netavark debbug output should be log to the syslog as well.
 	// This will use logrus to do so, make sure logrus is set up to log to the syslog.
 	Syslog bool
@@ -108,6 +115,11 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		return nil, err
 	}
 
+	defaultSubnetPools := conf.DefaultsubnetPools
+	if defaultSubnetPools == nil {
+		defaultSubnetPools = config.DefaultSubnetPools
+	}
+
 	n := &netavarkNetwork{
 		networkConfigDir:   conf.NetworkConfigDir,
 		networkRunDir:      conf.NetworkRunDir,
@@ -117,6 +129,7 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		ipamDBPath:         filepath.Join(conf.NetworkRunDir, "ipam.db"),
 		defaultNetwork:     defaultNetworkName,
 		defaultSubnet:      defaultNet,
+		defaultsubnetPools: defaultSubnetPools,
 		lock:               lock,
 		syslog:             conf.Syslog,
 	}