cli: add configuration option to use or not use host netns

If `disable_new_netns` set to true, create VM and shim processes in the host netns

Signed-off-by: Ruidong Cao <caoruidong@huawei.com>

cli/config.go

@@ -108,6 +108,7 @@ type proxy struct {
 type runtime struct {
 	Debug             bool   `toml:"enable_debug"`
 	Tracing           bool   `toml:"enable_tracing"`
+	DisableNewNetNs   bool   `toml:"disable_new_netns"`
 	InterNetworkModel string `toml:"internetworking_model"`
 }
 
@@ -598,9 +599,7 @@ func loadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
 		kataLog.Logger.Level = originalLoggerLevel
 	}
 
-	if tomlConf.Runtime.Tracing {
-		tracing = true
-	}
+	tracing = tomlConf.Runtime.Tracing
 
 	if tomlConf.Runtime.InterNetworkModel != "" {
 		err = config.InterNetworkModel.SetModel(tomlConf.Runtime.InterNetworkModel)
@@ -626,6 +625,11 @@ func loadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
 		return "", config, err
 	}
 
+	config.DisableNewNetNs = tomlConf.Runtime.DisableNewNetNs
+	if err := checkNetNsConfig(config); err != nil {
+		return "", config, err
+	}
+
 	// use no proxy if HypervisorConfig.UseVSock is true
 	if config.HypervisorConfig.UseVSock {
 		kataLog.Info("VSOCK supported, configure to not use proxy")
@@ -640,6 +644,20 @@ func loadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
 	return resolved, config, nil
 }
 
+// checkNetNsConfig performs sanity checks on disable_new_netns config.
+// Because it is an expert option and conflicts with some other common configs.
+func checkNetNsConfig(config oci.RuntimeConfig) error {
+	if config.DisableNewNetNs {
+		if config.NetmonConfig.Enable {
+			return fmt.Errorf("config disable_new_netns conflicts with enable_netmon")
+		}
+		if config.InterNetworkModel != vc.NetXConnectNoneModel {
+			return fmt.Errorf("config disable_new_netns only works with 'none' internetworking_model")
+		}
+	}
+	return nil
+}
+
 // checkHypervisorConfig performs basic "sanity checks" on the hypervisor
 // config.
 func checkHypervisorConfig(config vc.HypervisorConfig) error {

cli/config/configuration.toml.in

@@ -240,3 +240,13 @@ internetworking_model="@DEFNETWORKMODEL@"
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
 #enable_tracing = true
+
+# If enabled, the runtime will not create a network namespace for shim and hypervisor processes.
+# This option may have some potential impacts to your host. It should only be used when you know what you're doing.
+# `disable_new_netns` conflicts with `enable_netmon`
+# `disable_new_netns` conflicts with `internetworking_model=bridged` and `internetworking_model=macvtap`. It works only
+# with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
+# (like OVS) directly.
+# If you are using docker, `disable_new_netns` only works with `docker run --net=none`
+# (default: false)
+#disable_new_netns = true

cli/kata-env.go

@@ -25,7 +25,7 @@ import (
 //
 // XXX: Increment for every change to the output format
 // (meaning any change to the EnvInfo type).
-const formatVersion = "1.0.18"
+const formatVersion = "1.0.19"
 
 // MetaInfo stores information on the format of the output itself
 type MetaInfo struct {
@@ -65,6 +65,7 @@ type RuntimeInfo struct {
 	Version         RuntimeVersionInfo
 	Config          RuntimeConfigInfo
 	Debug           bool
+	DisableNewNetNs bool
 	Path            string
 }
 
@@ -175,6 +176,7 @@ func getRuntimeInfo(configFile string, config oci.RuntimeConfig) RuntimeInfo {
 		Version:         runtimeVersion,
 		Config:          runtimeConfig,
 		Path:            runtimePath,
+		DisableNewNetNs: config.DisableNewNetNs,
 	}
 }
 

cli/network.go

@@ -336,6 +336,11 @@ func hostNetworkingRequested(configNetNs string) (bool, error) {
 }
 
 func setupNetworkNamespace(config *vc.NetworkConfig) error {
+	if config.DisableNewNetNs {
+		kataLog.Info("DisableNewNetNs is on, shim and hypervisor are running in the host netns")
+		return nil
+	}
+
 	if config.NetNSPath == "" {
 		n, err := ns.NewNS()
 		if err != nil {

virtcontainers/default_network.go

@@ -7,7 +7,6 @@ package virtcontainers
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/containernetworking/plugins/pkg/ns"
 	opentracing "github.com/opentracing/opentracing-go"
@@ -35,10 +34,6 @@ func (n *defNetwork) run(networkNSPath string, cb func() error) error {
 	span, _ := n.trace(context.Background(), "run")
 	defer span.Finish()
 
-	if networkNSPath == "" {
-		return fmt.Errorf("networkNSPath cannot be empty")
-	}
-
 	return doNetNS(networkNSPath, func(_ ns.NetNS) error {
 		return cb()
 	})

virtcontainers/network.go

@@ -148,6 +148,7 @@ type NetworkInterfacePair struct {
 type NetworkConfig struct {
 	NetNSPath         string
 	NetNsCreated      bool
+	DisableNewNetNs   bool
 	NetmonConfig      NetmonConfig
 	InterworkingModel NetInterworkingModel
 }

virtcontainers/pkg/oci/utils.go

@@ -121,6 +121,9 @@ type RuntimeConfig struct {
 	InterNetworkModel vc.NetInterworkingModel
 	FactoryConfig     FactoryConfig
 	Debug             bool
+
+	//Determines if create a netns for hypervisor process
+	DisableNewNetNs bool
 }
 
 // AddKernelParam allows the addition of new kernel parameters to an existing
@@ -326,6 +329,7 @@ func networkConfig(ocispec CompatOCISpec, config RuntimeConfig) (vc.NetworkConfi
 		}
 	}
 	netConf.InterworkingModel = config.InterNetworkModel
+	netConf.DisableNewNetNs = config.DisableNewNetNs
 
 	netConf.NetmonConfig = vc.NetmonConfig{
 		Path:   config.NetmonConfig.Path,

virtcontainers/sandbox.go

@@ -1021,6 +1021,10 @@ func (s *Sandbox) startNetworkMonitor() error {
 }
 
 func (s *Sandbox) createNetwork() error {
+	if s.config.NetworkConfig.DisableNewNetNs {
+		return nil
+	}
+
 	span, _ := s.trace("createNetwork")
 	defer span.Finish()