From 27de212fe1dce7d93e3985225531886cf7304e37 Mon Sep 17 00:00:00 2001 From: Samuel Ortiz Date: Thu, 17 Feb 2022 18:04:22 +0100 Subject: [PATCH] runtime: Always add network endpoints from the pod netns As the container runtime, we're never inspecting, adding or configuring host networking endpoints. Make sure we're always do that by wrapping addSingleEndpoint calls into the pod network namespace. Fixes #3661 Signed-off-by: Samuel Ortiz
--- src/runtime/virtcontainers/network_linux.go | 67 +++++++++++---------- 1 file changed, 35 insertions(+), 32 deletions(-)
diff --git a/src/runtime/virtcontainers/network_linux.go b/src/runtime/virtcontainers/network_linux.go
index 378cd02e00..c4f2380e57 100644
--- a/src/runtime/virtcontainers/network_linux.go
+++ b/src/runtime/virtcontainers/network_linux.go
@@ -178,38 +178,32 @@ func (n *LinuxNetwork) addSingleEndpoint(ctx context.Context, s *Sandbox, netInf
 
 endpoint.SetProperties(netInfo)
 
- if err := doNetNS(n.netNSPath, func(_ ns.NetNS) error {
- networkLogger().WithField("endpoint-type", endpoint.Type()).WithField("hotplug", hotplug).Info("Attaching endpoint")
- if hotplug {
- if err := endpoint.HotAttach(ctx, s.hypervisor); err != nil {
- return err
- }
- } else {
- if err := endpoint.Attach(ctx, s); err != nil {
- return err
+ networkLogger().WithField("endpoint-type", endpoint.Type()).WithField("hotplug", hotplug).Info("Attaching endpoint")
+ if hotplug {
+ if err := endpoint.HotAttach(ctx, s.hypervisor); err != nil {
+ return nil, err
+ }
+ } else {
+ if err := endpoint.Attach(ctx, s); err != nil {
+ return nil, err
+ }
+ }
+
+ if !s.hypervisor.IsRateLimiterBuiltin() {
+ rxRateLimiterMaxRate := s.hypervisor.HypervisorConfig().RxRateLimiterMaxRate
+ if rxRateLimiterMaxRate > 0 {
+ networkLogger().Info("Add Rx Rate Limiter")
+ if err := addRxRateLimiter(endpoint, rxRateLimiterMaxRate); err != nil {
+ return nil, err
 }
 }
-
- if !s.hypervisor.IsRateLimiterBuiltin() {
- rxRateLimiterMaxRate := s.hypervisor.HypervisorConfig().RxRateLimiterMaxRate
- if rxRateLimiterMaxRate > 0 {
- networkLogger().Info("Add Rx Rate Limiter")
- if err := addRxRateLimiter(endpoint, rxRateLimiterMaxRate); err != nil {
- return err
- }
- }
- txRateLimiterMaxRate := s.hypervisor.HypervisorConfig().TxRateLimiterMaxRate
- if txRateLimiterMaxRate > 0 {
- networkLogger().Info("Add Tx Rate Limiter")
- if err := addTxRateLimiter(endpoint, txRateLimiterMaxRate); err != nil {
- return err
- }
+ txRateLimiterMaxRate := s.hypervisor.HypervisorConfig().TxRateLimiterMaxRate
+ if txRateLimiterMaxRate > 0 {
+ networkLogger().Info("Add Tx Rate Limiter")
+ if err := addTxRateLimiter(endpoint, txRateLimiterMaxRate); err != nil {
+ return nil, err
 }
 }
-
- return nil
- }); err != nil {
- return nil, err
 }
 
 n.eps = append(n.eps, endpoint)
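Review bot: After this hunk addSingleEndpoint attaches the endpoint and installs the Rx/Tx rate limiters in whatever network namespace the calling thread currently occupies, and nothing in the function records that expectation; the pod-netns guarantee now lives entirely in the callers, so a future call site that forgets doNetNS silently reintroduces the host-networking problem this commit fixes. The function's signature is outside the hunk, but a doc comment there should state the contract, e.g. `// addSingleEndpoint must be called from within the pod network namespace (wrap it in doNetNS); it does not enter the namespace itself, so the attach and rate-limiter calls below act on the caller's current netns.` The `return nil, err` conversions are correct now that the closure's `return err` is gone. addSingleEndpoint begins before the hunk and continues after it.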
@@ -298,10 +292,13 @@ func (n *LinuxNetwork) addAllEndpoints(ctx context.Context, s *Sandbox, hotplug
 continue
 }
 
- _, err = n.addSingleEndpoint(ctx, s, netInfo, hotplug)
- if err != nil {
+ if err := doNetNS(n.netNSPath, func(_ ns.NetNS) error {
+ _, err = n.addSingleEndpoint(ctx, s, netInfo, hotplug)
+ return err
+ }); err != nil {
 return err
 }
+
 }
 
 sort.Slice(n.eps, func(i, j int) bool {
@@ -335,8 +332,14 @@ func (n *LinuxNetwork) AddEndpoints(ctx context.Context, s *Sandbox, endpointsIn
 }
 } else {
 for _, ep := range endpointsInfo {
- if _, err := n.addSingleEndpoint(ctx, s, ep, hotplug); err != nil {
- n.eps = nil
+ if err := doNetNS(n.netNSPath, func(_ ns.NetNS) error {
+ if _, err := n.addSingleEndpoint(ctx, s, ep, hotplug); err != nil {
+ n.eps = nil
+ return err
+ }
+
+ return nil
+ }); err != nil {
 return nil, err
 }
 }
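Review bot: Inside the new closure, `_, err = n.addSingleEndpoint(ctx, s, netInfo, hotplug)` writes to the enclosing function's `err` (the `=` shows it already exists), while the surrounding `if err := doNetNS(...)` declares a second `err` that shadows it, so the outer variable is mutated purely as a side channel for the closure's return value and is easy to misread. Declaring the result locally keeps the closure self-contained: `_, err := n.addSingleEndpoint(ctx, s, netInfo, hotplug)` followed by `return err`. The blank line added just before the loop's closing brace on the new side looks accidental. addAllEndpoints starts and ends outside the hunk.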
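Review bot: This is the second call site that hand-wraps addSingleEndpoint in doNetNS (addAllEndpoints is the other), so the pod-netns guarantee depends on every caller repeating the pattern, and a missed wrap is exactly the host-networking bug this commit fixes. Moving the wrap into one LinuxNetwork method with addSingleEndpoint's signature, whose body is only the doNetNS call around addSingleEndpoint, would let both call sites keep their pre-patch shape, here `if _, err := n.addSingleEndpointInNetNS(ctx, s, ep, hotplug); err != nil {` with `n.eps = nil` and `return nil, err` unchanged beneath it. Capturing the loop variable `ep` and assigning `n.eps = nil` inside the closure are fine as long as doNetNS runs the callback synchronously, which its direct error return suggests but the hunk does not show. AddEndpoints continues past the hunk.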