If no name is given we have to set a free one, however the logic was
broken since the beginning due to some copy-paste. This function, as the
name suggests, must return all network names so we know not to reuse an
existing one.
I just found this by accident; no user ever reported this in almost two
years. This likely means no one uses the automatic names and everybody
sets their own name on the cli instead.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This change adds support for the special IP designator `host-gateway` to
the etchosts package.
The first part of fixing https://github.com/containers/podman/issues/14390
Signed-off-by: Gregor Eichelberger <gregor.eichelberger@tuwien.ac.at>
Buildah needs this option to ensure the child is killed when buildah is
killed.
Also remove the unused ContainerPID option which is not needed and
unused.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We need to know if ipv6 is enabled in order to create a proper
resolv.conf file. To not return too many arguments, create a common struct
for them.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The cross tests need at least one empty file in the package in order to
work, and we need the linux build tag on slirp4netns as it depends on linux
only code.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Some callers cannot use the pipe convention, i.e. rootless netns code.
In this case we do not pass down the pipe and just keep track of the pid
and kill it when we are done.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Import code from podman/libpod/networking_slirp4netns.go.
This code should live here so we can share it with buildah later.
The code here was heavily modified in order to compile because we
cannot use the Container struct here. This should make the code better
separated from the libpod internals and allows it to be used by other
callers, i.e. buildah.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The strict isolate refuses to communicate with non-isolate and isolate.
Signed-off-by: Saigusa Yasushi <56156402+yassi-github@users.noreply.github.com>
Because we need to use the value of this variable in podman, exporting this variable means we don't have to hardcode this string in podman. This will make the code easier to maintain.
Signed-off-by: Black-Hole1 <bh@bugs.cc>
LeaseRange allows setting a custom start and end ip for our allocator.
However in this case the allocator ignored the fact that the first ip
(network ip) and the last ip (broadcast address, only valid for ipv4)
cannot be used. These ips are special and should never be assigned.
Interestingly the kernel allows assigning the broadcast address to an
interface so it would appear to be working and no error was reported.
Only the attempts to make a connection failed.
Fixes containers/podman#18906
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
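The rule the commit above describes, as an added example that is not code from containers/common: an allocator walking a custom lease range must skip the network address always, the broadcast address for IPv4 only (IPv6 has no broadcast, so its last address is an ordinary host address), and anything already leased. The function names, the `net/netip` based representation and the sample ranges are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// lastAddr returns the highest address in p: the broadcast address for an
// IPv4 prefix, the last (still assignable) host address for IPv6.
func lastAddr(p netip.Prefix) netip.Addr {
	b := p.Masked().Addr().AsSlice()
	for bit := p.Bits(); bit < len(b)*8; bit++ {
		b[bit/8] |= 1 << (7 - uint(bit%8))
	}
	last, _ := netip.AddrFromSlice(b)
	return last
}

// nextFreeIP walks the lease range [start, end] inside subnet and returns
// the first address that may be handed to a container. The network address
// is always skipped; the broadcast address is skipped for IPv4 only, since
// IPv6 has no broadcast and its last address is a normal host address.
// Addresses already in use are skipped as well. A range that leaves the
// subnet is rejected instead of silently producing addresses nobody routes.
func nextFreeIP(subnet netip.Prefix, start, end netip.Addr, used map[netip.Addr]bool) (netip.Addr, error) {
	subnet = subnet.Masked()
	network := subnet.Addr()
	broadcast := lastAddr(subnet)
	for a := start; a.IsValid() && a.Compare(end) <= 0; a = a.Next() {
		if !subnet.Contains(a) {
			return netip.Addr{}, fmt.Errorf("lease range address %s is outside subnet %s", a, subnet)
		}
		if a == network {
			continue // network address, never assignable
		}
		if a.Is4() && a == broadcast {
			continue // IPv4 broadcast: the kernel accepts it, connections then fail
		}
		if used[a] {
			continue
		}
		return a, nil
	}
	return netip.Addr{}, errors.New("no free ip left in lease range")
}

func main() {
	// Constructed sample: a /30 has exactly two usable IPv4 host addresses.
	v4 := netip.MustParsePrefix("10.89.0.0/30")
	used := map[netip.Addr]bool{netip.MustParseAddr("10.89.0.1"): true}
	fmt.Println(nextFreeIP(v4, v4.Addr(), lastAddr(v4), used))

	// The IPv6 equivalent may hand out the last address of the prefix.
	v6 := netip.MustParsePrefix("fd00::/126")
	fmt.Println(nextFreeIP(v6, v6.Addr(), lastAddr(v6), nil))
}
```

Passing the full prefix as the lease range (as `main` does) shows why the clamp matters: without the two `continue` statements the first lease would be the network address and, once the range is nearly exhausted, the broadcast address.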
pasta is a symlink to passt but we should really use pasta, just in case
that changes in the future.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Read pasta_options from containers.conf and set the arguments based on
that. The options that were set on the cli will be appended after that so
it allows some form of overwrites.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
exec.Command().Output() can fail for several errors, i.e. maybe it was
not able to execute at all. We only get an error of type
`exec.ExitError` when the command exited > 0. For all other cases this
cast was unsafe and would cause a panic with a nil deref.
First check the error type correctly with errors.As() then return the
stderr and exit code. Otherwise just return the wrapped error as is.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
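The two failure modes the commit above distinguishes, as an added example rather than the project's own code: a wrapper around `exec.Cmd.Output` that reports exit status and captured stderr when the program ran, and wraps everything else untouched. `CommandError` and `runCommand` are names assumed for this illustration; the commands run in `main` are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// CommandError is returned when the program started but exited non-zero.
// It carries the captured stderr and the exit code so callers can report
// both without reaching into *exec.ExitError again.
type CommandError struct {
	Program  string
	ExitCode int
	Stderr   string
}

func (e *CommandError) Error() string {
	return fmt.Sprintf("%s exited with status %d: %s", e.Program, e.ExitCode, e.Stderr)
}

// runCommand runs program with args and returns its stdout.
//
// exec.Cmd.Output fails for two very different reasons. When the program ran
// and exited non-zero the error is an *exec.ExitError whose Stderr field
// Output fills in for us. When the program could not be started at all (not
// found, not executable, fork failure) the error is some other type. A bare
// assertion err.(*exec.ExitError) then yields a nil pointer and the first
// field access panics, so the type is checked with errors.As first and any
// other error is wrapped and returned as is.
func runCommand(program string, args ...string) (string, error) {
	out, err := exec.Command(program, args...).Output()
	if err != nil {
		var exitErr *exec.ExitError
		if errors.As(err, &exitErr) {
			return "", &CommandError{
				Program:  program,
				ExitCode: exitErr.ExitCode(),
				Stderr:   strings.TrimSpace(string(exitErr.Stderr)),
			}
		}
		return "", fmt.Errorf("failed to execute %s: %w", program, err)
	}
	return string(out), nil
}

func main() {
	// Constructed samples: success, a non-zero exit, and a binary that does not exist.
	for _, argv := range [][]string{
		{"sh", "-c", "echo hello"},
		{"sh", "-c", "echo 'no such network' >&2; exit 3"},
		{"/nonexistent/netavark"},
	} {
		out, err := runCommand(argv[0], argv[1:]...)
		fmt.Printf("%v -> stdout=%q err=%v\n", argv, out, err)
	}
}
```

The third case is the one that used to panic: `Output` returns a `*fs.PathError` from `fork/exec`, not an `*exec.ExitError`, so there is no exit code or stderr to extract and the wrapped error is all a caller can sensibly get.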
Mostly copied from podman/libpod/networking_pasta_linux.go, this should
be moved to common so that we can use it in buildah as well.
I changed the function parameter to accept a single struct with all
options so that we can extend it when needed without breaking the API.
The Container type is libpod/podman specific and not available here so
we only use the values we really need here.
Also I removed "pasta" from the function and constant name as this will
now be used as pasta.Setup() so it would be redundant.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
I want to use this function in both podman and buildah, move it to the
util package as it is not specific to etchosts and export it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
By default we should do a standard prefix match.
See https://github.com/containers/podman/issues/18471 for context.
Also use the c/storage regex package to only compile the regex when
needed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
NetworkInfo() returns the network binary path, package version,
program version and DNS information.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Netavark needs to get the actual list of directories from podman because
users can set them in containers.conf.
Note that this change requires a netavark with
https://github.com/containers/netavark/pull/509
To allow better backwards compat we only pass the new argument when we
need to. Also added the missing ipvlan driver to the supported driver list.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a custom plugin that can be used in the netavark unit tests to check
if the integration works as expected.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Users can now supply custom network drivers which will execute the
netavark plugin to create the network. Netavark will execute the plugin
to setup/teardown the netns.
see https://github.com/containers/netavark/pull/509
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Remove the code duplication and share some code between the ipvlan and
macvlan config creation.
Also fixes a problem with the macvlan dhcp selection, we have to set the
driver to dhcp if it is unset and no subnets are given.
Ipvlan does not support DHCP because the interfaces share the same mac
address.
Added tests for both the macvlan dhcp selection and the ipvlan creation.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We cannot compare network with Expect().To(Equal()), the internal
time.Time is not equal after parsing from file. There is some internal
field offset that can be different but the date is still the same. Other
tests have the same problem and to circumvent this we use EqualNetwork()
there. Do the same here.
Fixes #1335
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
With progress on netavark-dhcp-proxy, we can begin to bring macvlan with dhcp
back into the fold for netavark.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Commit 2fae6d9fd6 caused a regression, previously the lockfile
package created the config directory. Now this is no longer the case
so we have to create it explicitly.
Note that netavark already did this so no change is needed there.
This was reported by the RHEL QE team.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Should speed up app startup time a little since the compile
happens for all users of the library. Compile only on use.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The default /etc/containers/networks location might not be writeable,
while this breaks podman network create it does not need to break all
podman commands since the lock is created on libpod initialization.
ref https://github.com/containers/common/pull/1270
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
I want to switch podman over to only using strings for the netns path.
So we no longer pass this interface around. Buildah doesn't use this so
we only need to fix it in Podman. I have a WIP PR[1] for that.
[1] https://github.com/containers/podman/pull/16756
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
New features in netavark/aardvark allow users to update network dns
servers, and all the containers attached to those networks use the updated
resolvers.
This PR adds support in `libnetwork` to:
* Add support for the higher level `NetworkUpdate` API
* Add support for the `Update` exec call which can invoke netavark with a
new update option added here: https://github.com/containers/netavark/pull/503
Signed-off-by: Aditya R <arajan@redhat.com>
When creating macvlan or ipvlan network configs with the none ipam
driver we would always cause a segfault because of a nil pointer
dereference.
Add a test for both to prevent a regression.
Fixes containers/podman#16620
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For now, only add the IgnoreIfExists flag.
Having this flag is very useful when using scripts or systemd unit files.
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
libnetwork must allow passing network_dns_servers so aardvark and
netavark can consume it and enable network scoped dns.
Feature implemented at the netavark and aardvark end:
* Netavark: https://github.com/containers/netavark/pull/497
Signed-off-by: Aditya R <arajan@redhat.com>
All the gruntwork is done by Netavark, so all that's needed is to
know the key exists and verify that it parses as a uint.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This is not supported in netavark so we should set it to false by default
to make sure podman inspect will show the correct info.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Used `go fmt` rules to migrate away from deprecated functions, for
instance `gofmt -w -s -r 'ioutil.TempDir(a, b) -> os.MkdirTemp(a, b)'`
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Netavark now accepts `dns_servers` for each container which allows
containers to use custom DNS servers as resolvers instead of falling
back to the host's resolver.
The following field allows callers of libnetwork to pass the newly added field
to `netavark` and `aardvark-dns`.
Actual feature implemented:
* https://github.com/containers/aardvark-dns/pull/240
* https://github.com/containers/netavark/pull/452
[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
Signed-off-by: Aditya R <arajan@redhat.com>
Both MAC and IP addresses are strings when serialized to JSON or
deserialized from JSON. By default swagger will show a byte array which
is wrong so we have to manually overwrite these fields.
Required for https://github.com/containers/podman/issues/13342
However we still have to update our swagger version to at least 0.30 in
podman to make it work.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We are using CNI for systems that have run podman system reset, if
storage is setup with additional stores. This change will ignore
additional store images and will use netavark on clean systems.
[NO NEW TESTS NEEDED]
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2124887
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When the configuration directory is on a read-only filesystem,
there's no risk of concurrency issues as there's no possibility
of changing anything. As such, while it prevents the use of our
default lock location, it also removes any need for a lock at
all.
Making the lock entirely optional is a lot of code, so instead of
doing that let's just put it in our temporary files directory,
where it can't hurt anything.
Signed-off-by: Matthew Heon <mheon@redhat.com>
there was some eerily similar code in c/common and in podman for
creating filter functions for various types. Move some of it here
and add support for the label!= filter in libnetwork only. Libimage already supports it.
after this merges, will file a PR with the fix for containers within podman as well
see containers/podman#14182
Signed-off-by: Charlie Doern <cdoern@redhat.com>
`github.com/pkg/errors` has been deprecated for quite some time so we now
use the native error wrapping for more idiomatic golang.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This commit allows using aardvark with an alternate port as per
implementation in containers/netavark#323
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Even when a custom nameserver is set by the caller they may wish to
still keep the original nameserver too. This is needed by podman/buildah
when they only want to add the slirp4netns dns ip at the beginning for
example.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
both buildah and podman currently use a slightly different resolvconf lib,
to prevent duplication and having to fix bugs twice they should both use
this new package instead.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This only gets the libnetwork part to build - I have not tried to
get the rest of netavark to build on FreeBSD.
Signed-off-by: Doug Rabson <dfr@rabson.org>
unparam and exportloopref already work without changes.
For revive I had to silence many naming issues. I decided to silence them
instead of changing the name because I didn't want to break any code.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
machine.IsPodmanMachine replaces MachineEnabled
machine.MachineHostType informs the type unknown, qemu, wsl, etc
machine.IsGvProxyBased used to make specific determinations re gvproxy
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Add helper function to convert the base_hosts_file config value to an
actual path. It is important to use securejoin to make sure that
containers cannot point to a file on the host via a symlink.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
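Why the commit above insists on securejoin, as an added example that is neither the project's code nor the filepath-securejoin library: a naive `filepath.Join(root, path)` keeps symlinks inside the image rootfs pointing wherever they like, so an image shipping `/etc/hosts -> /etc/hosts` (absolute) would make the host's file get read. The `secureJoin` below is a simplified, stdlib-only version of the same idea written for this illustration: it resolves one component at a time, re-roots absolute link targets at `root` and clamps `..` at the container root. The temporary rootfs built in `main` is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

const maxSymlinkHops = 255

// secureJoin resolves unsafePath relative to root the way a process inside
// a container with rootfs root would see it. Every symlink met on the way
// is followed, but an absolute link target is re-rooted at root and ".."
// never climbs above root, so the returned host path is always under root.
// Components that do not exist yet are kept as given.
func secureJoin(root, unsafePath string) (string, error) {
	root = filepath.Clean(root)
	current := "/" // resolved path inside root; absolute and clean
	remaining := strings.Split(path.Clean("/"+filepath.ToSlash(unsafePath)), "/")
	hops := 0
	for len(remaining) > 0 {
		part := remaining[0]
		remaining = remaining[1:]
		switch part {
		case "", ".":
			continue
		case "..":
			current = path.Dir(current) // path.Dir("/") is "/", so this cannot escape
			continue
		}
		next := path.Join(current, part)
		hostPath := filepath.Join(root, filepath.FromSlash(next))
		fi, err := os.Lstat(hostPath)
		if errors.Is(err, os.ErrNotExist) {
			current = next // nothing to follow here
			continue
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			current = next
			continue
		}
		hops++
		if hops > maxSymlinkHops {
			return "", fmt.Errorf("too many symlinks while resolving %s", unsafePath)
		}
		target, err := os.Readlink(hostPath)
		if err != nil {
			return "", err
		}
		target = filepath.ToSlash(target)
		if path.IsAbs(target) {
			current = "/" // absolute target: start over from the container root, not the host root
		}
		// A relative target is resolved against the link's directory, which is
		// still current. Either way the target's components are handled next.
		remaining = append(strings.Split(target, "/"), remaining...)
	}
	return filepath.Join(root, filepath.FromSlash(current)), nil
}

func main() {
	// Constructed sample rootfs: a hostile image ships etc/evil -> /etc/hosts.
	root, err := os.MkdirTemp("", "rootfs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, step := range []error{
		os.MkdirAll(filepath.Join(root, "etc"), 0o755),
		os.WriteFile(filepath.Join(root, "etc", "hosts"), []byte("127.0.0.1 localhost\n"), 0o644),
		os.Symlink("/etc/hosts", filepath.Join(root, "etc", "evil")),
	} {
		if step != nil {
			panic(step)
		}
	}
	fmt.Println("naive join: ", filepath.Join(root, "etc", "evil")) // opening this follows the link to the host's /etc/hosts
	fmt.Println(secureJoin(root, "etc/evil"))                        // stays under root
}
```

The resolved path is still only safe at the moment it was computed: a container that can modify its rootfs while the host reads the file can race the resolution, which is why the real library also offers open-based variants. For a config value read once at setup, as here, component-wise resolution is the check that matters.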
Set the ip for the host.containers.internal entry in the containers /etc/hosts
file. This can be set to "none" to disable adding this entry. By default it
will automatically choose the host ip.
Also add a function to get the correct host.containers.internal ip. This
should be used by podman and buildah and then passed to the New()
function.
Ref https://github.com/containers/podman/issues/13224
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
base_hosts_file can be used to overwrite the default base host file
/etc/hosts which is used to copy hosts entries from this file into the
containers /etc/hosts file. As special value "image" can be used to copy
the entries from the image hosts file or "none" to not use a base file
at all. If the value is empty we should use /etc/hosts as default.
Ref https://github.com/containers/podman/issues/13277
Ref https://github.com/containers/podman/issues/13748
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a new libnetwork/etchosts package to manage reading/writing hosts files.
This package exports four functions New(), Add(), AddIfExists() and Remove().
See the godoc comments on the functions.
Both podman and buildah should use these functions to make sure files are
generated identically.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Those were added by commit 4fcb18dca, but are apparently no longer
needed.
Reported-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This one:
libnetwork/netavark/ipam_test.go:45:22: Error return value is not checked (errcheck)
networkInterface = libpodNet.(*netavarkNetwork)
^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This removes the questionable Sys().(*syscall.Stat_t) typecast.
OTOH we have to handle EINTR, so it's a tad more complicated than it
should be.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
gofumpt is a stricter version of gofmt, basically making the code more
readable, and fixing the gocritic's octalLiterar warnings like this one:
pkg/util/util_supported.go:26:17: octalLiteral: use new octal literal style, 0o722 (gocritic)
return (perm & 0722) == 0700
^
Generated by gofumpt -w .
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When we create a network with the ipam driver none we should disable
dns automatically. Since we manage no ips we cannot provide name
resolution anyway.
This fixes a problem I spotted when adding tests to the podman CI.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The gocyclo linter is complaining that the cyclomatic complexity is too
high for `(*cniNetwork).createCNIConfigListFromNetwork()`. Splitting out
option parsing to a new function should reduce the complexity.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Network create now uses the ipam driver. This allows the user to
configure the ipam driver manually instead of choosing a fixed default.
If the ipam driver is `none` no ips will be assigned to this container.
This means that only the interfaces are created.
This will require a patch in netavark since it rejects the config when
no static ips are provided.
Ref containers/podman#13521
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When we read the cni result we should loop over the interfaces and then
the ips. If we only loop over ips we will miss interfaces that have no
ips assigned. We also only care about interfaces created in the netns.
This is required for ipam driver none case, see the test case.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Network create now uses the ipam driver. This allows the user to
configure the ipam driver manually instead of choosing a fixed default.
If the ipam driver is `none` no cni ipam plugin will be added to the
config. This means that the interfaces are created but no extra ip
addresses are assigned.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Parse no ipam plugin and display it as ipam driver none.
Also set the ipam driver field for unsupported plugins.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When we parse CNI config files to convert them into a native Network
struct we should not error unless there is something broken.
The goal is to allow all cni configs to still function but podman
inspect will not be able to show all information such as subnets about
this network.
Because this is a valid use case we only log this at info level.
Fixes containers/podman#12990
Fixes containers/podman#13124
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If we have to write a new configuration file, close the file handle when
we finish writing to it, instead of just letting it pass out of scope.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Move generic warning to netavark/run and warn the user if one or more
networks have `DNSEnabled` and the `aardvark-dns` binary is not set
Signed-off-by: Aditya R <arajan@redhat.com>
Use appropriate variable when producing warning for missing
aardvark-dns. Current output variable will always be empty when
aardvark-dns is missing.
Closes: https://github.com/containers/podman/issues/13412
Signed-off-by: Aditya R <arajan@redhat.com>
When we have the host-local ipam plugin we can support internal for
macvlan networks. In this case we just do not add the default route.
Since we cannot control this for dhcp we do not support internal there.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In commit 60766b5e5e I forgot to add the field here, without this the
config field from containers.conf is not used in the backend.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When we create a bridge network and no subnet is given we will pick a free
one automatically. The current logic just took the first free /24
network after 10.89.0.0. Now we will instead use the default subnet pool
from containers.conf. The default value is still the same but users can
change it if they want. This also fixes a problem where podman network
create could pick a public ipv4 network when all 10.0.0.0/8 networks
were already used. Now it will error if no free subnet is found in the
subnet pools.
Fixes #930
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
NextSubnet() has to work for more than a, b, c class networks. We also
have to increment arbitrary subnets when we add support for a new config
field where users can specify this.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
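The two commits above together describe one algorithm: step through a configured pool in units of the requested prefix length, skip anything that overlaps a subnet already in use, and fail rather than wander outside the pools. The following is an added example of that algorithm, not code from containers/common; `nextSubnet`, `freeSubnet`, `errNoFreeSubnet` and the pool and usage values in `main` are assumptions made for this illustration. It generalises the page's /24 case to any prefix length and to IPv6.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

var errNoFreeSubnet = errors.New("no free subnet found in the configured subnet pools")

// nextSubnet returns the subnet directly after p with the same prefix
// length, i.e. the network address advanced by one unit of the prefix
// size. It works for any prefix length, not only /8, /16 and /24, and
// fails instead of wrapping around when the address space is exhausted.
func nextSubnet(p netip.Prefix) (netip.Prefix, error) {
	p = p.Masked()
	if p.Bits() <= 0 {
		return netip.Prefix{}, fmt.Errorf("cannot increment %s", p)
	}
	b := p.Addr().AsSlice()
	// Add 1 at the lowest bit of the network part and carry to the left.
	for bit := p.Bits() - 1; bit >= 0; bit-- {
		mask := byte(1) << (7 - uint(bit%8))
		if b[bit/8]&mask == 0 {
			b[bit/8] |= mask
			addr, _ := netip.AddrFromSlice(b)
			return netip.PrefixFrom(addr, p.Bits()), nil
		}
		b[bit/8] &^= mask // the bit was 1: it becomes 0 and we carry
	}
	return netip.Prefix{}, fmt.Errorf("no subnet after %s", p)
}

// overlaps reports whether two prefixes share at least one address.
func overlaps(a, b netip.Prefix) bool {
	return a.Contains(b.Addr()) || b.Contains(a.Addr())
}

// freeSubnet returns the first subnet of the given prefix length inside the
// configured pools that does not overlap a subnet already in use. Pools are
// tried in order; once all of them are exhausted errNoFreeSubnet is returned
// instead of continuing into address space outside the pools.
func freeSubnet(pools []netip.Prefix, size int, used []netip.Prefix) (netip.Prefix, error) {
	for _, pool := range pools {
		pool = pool.Masked()
		if size < pool.Bits() || size > pool.Addr().BitLen() {
			continue // e.g. a /16 cannot be carved out of a /24 pool
		}
		candidate := netip.PrefixFrom(pool.Addr(), size)
	scan:
		for pool.Contains(candidate.Addr()) {
			for _, u := range used {
				if overlaps(candidate, u) {
					var err error
					if candidate, err = nextSubnet(candidate); err != nil {
						break scan // ran off the end of the address space
					}
					continue scan
				}
			}
			return candidate, nil
		}
	}
	return netip.Prefix{}, errNoFreeSubnet
}

func main() {
	// Constructed sample: two pools, the first two /24s of the first pool taken.
	pools := []netip.Prefix{netip.MustParsePrefix("10.89.0.0/16"), netip.MustParsePrefix("10.90.0.0/15")}
	used := []netip.Prefix{netip.MustParsePrefix("10.89.0.0/24"), netip.MustParsePrefix("10.89.1.0/24")}
	fmt.Println(freeSubnet(pools, 24, used))
	fmt.Println(nextSubnet(netip.MustParsePrefix("10.89.255.0/24")))
	fmt.Println(nextSubnet(netip.MustParsePrefix("fd00::/64")))
}
```

The overlap test is deliberately symmetric: a used /16 must block every /24 inside it, and a used /24 must block the /16 that would contain it.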
This file should not be tracked in git. To prevent coverprofile from
being added in the future we also add it to gitignore.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Since an internal network has no connectivity to the outside we should
not add a default route. Also make sure to not add the default route
more than once for ipv4/ipv6.
Ref containers/podman#13153
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
netavark + aardvark support this when we add a gateway ip to the config
so that aardvark can use this address to bind on it.
We only add the gateway when not internal or when dns is enabled. If
internal without dns we do not need the gw address.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When we create a macvlan network we should not check if the subnet is
already in use on the host since this is expected for macvlan networks.
Only bridge networks should use this check.
Fixes containers/podman#12971
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Tells netavark if invocation is for `rootful` or `rootless`
containers.
* Pass `tmpfs` based runRoot to netavark so it can write/read configs
from there.
Signed-off-by: Aditya R <arajan@redhat.com>
Since the network namespace is shared for all rootful libpod instances
we also need to make sure to use the same network config dir and run dir
to ensure that we do not use the same subnet or ip for more than one
container.
Also update the documentation about the network_config_dir field.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If the dhcp ipam driver is used podman does not know any subnets so we
cannot verify if the given static ip is in the subnet.
Fixes containers/podman#12762
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It is possible that two processes write at the same time and this could
lead to an invalid value in the file.
I think this fixes a race condition which was observed in the buildah
integration tests.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
While we can store the default network name outside this network
interface it can become out of sync with the interface.
In buildah it can be useful to get the name from the interface.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The HardwareAddr type must be the actual value and not a pointer
otherwise the marshal logic will not use this function. Added a test to
confirm that this works.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
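The receiver rule the commit above relies on, shown side by side as an added example that is not the project's code: `encoding/json` calls a pointer-receiver `MarshalJSON` only when the value is addressable, and the fields of a struct passed to `json.Marshal` by value are not. The `HardwareAddr` type, the `pointerOnlyAddr` counter-example, `netInterface` and the helper names are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// HardwareAddr is a MAC address that serializes as the usual colon-separated
// string instead of the base64 blob encoding/json emits for any []byte.
type HardwareAddr net.HardwareAddr

func (h HardwareAddr) String() string { return net.HardwareAddr(h).String() }

// MarshalJSON has a value receiver on purpose: encoding/json only uses a
// pointer-receiver MarshalJSON when the value is addressable, and struct
// fields of a struct marshaled by value are not. A value receiver is found
// in both cases.
func (h HardwareAddr) MarshalJSON() ([]byte, error) {
	return json.Marshal(h.String())
}

// UnmarshalJSON needs a pointer receiver because it has to modify h;
// json.Unmarshal always works on addressable values, so that is fine.
func (h *HardwareAddr) UnmarshalJSON(data []byte) error {
	var s string
	if err := json.Unmarshal(data, &s); err != nil {
		return err
	}
	if s == "" {
		*h = nil
		return nil
	}
	mac, err := net.ParseMAC(s)
	if err != nil {
		return err
	}
	*h = HardwareAddr(mac)
	return nil
}

// pointerOnlyAddr shows the pitfall: the method exists but lives on the
// pointer type, so a value field is encoded as if there were no MarshalJSON.
type pointerOnlyAddr net.HardwareAddr

func (h *pointerOnlyAddr) MarshalJSON() ([]byte, error) {
	return json.Marshal(net.HardwareAddr(*h).String())
}

type netInterface struct {
	MAC       HardwareAddr    `json:"mac_address"`
	BrokenMAC pointerOnlyAddr `json:"broken_mac_address"`
}

// encodeInterface marshals a struct value, not a pointer to it, which is
// exactly the situation in which the receiver kind decides the output.
func encodeInterface(mac net.HardwareAddr) (string, error) {
	b, err := json.Marshal(netInterface{MAC: HardwareAddr(mac), BrokenMAC: pointerOnlyAddr(mac)})
	return string(b), err
}

// decodeMAC reads the mac_address field back from JSON.
func decodeMAC(data string) (HardwareAddr, error) {
	var n netInterface
	err := json.Unmarshal([]byte(data), &n)
	return n.MAC, err
}

func main() {
	mac, _ := net.ParseMAC("02:42:ac:11:00:02") // constructed sample address
	out, err := encodeInterface(mac)
	fmt.Println(out, err)
	back, err := decodeMAC(out)
	fmt.Println(back, err)
}
```

With the sample address the value-receiver field comes out as `"02:42:ac:11:00:02"` while the pointer-receiver field comes out as the base64 string `"AkKsEQAC"`; the only difference between the two types is the receiver, which is what the regression test in the commit guards.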
We should not use XDG_RUNTIME_DIR for the ipam db. This directory is
shared but we need the ipam db per storage. We can use the runroot for
this. It should be a tmpfs to reset the ipam assignments after a reboot.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If the caller can decide the lockfile path it is just more likely that
there is a lock mismatch due to different lock names. We should always
just use the config dir and use a lock with a static name.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When the network backend is unset in the config we have to figure out
if we need CNI or netavark. New installs should use netavark while
existing installs should continue to use CNI to prevent breaking
systems.
We use the following conditions to determine what backend to use:
1. read ${graphroot}/defaultNetworkBackend
2. find netavark binary (if not installed use CNI)
3. check containers, images and CNI networks and if there are some
we have an existing install and should continue to use CNI
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Copy the libpod/network packages from podman to here so we can use the
same code in buildah as well.
This is mostly a one to one copy only the import paths have been changed
and some errors were added.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>