From 4f96e3eae37c165ba41e7e49f1b5f4996cc27641 Mon Sep 17 00:00:00 2001
From: Samuel Ortiz
Date: Mon, 14 Feb 2022 10:23:34 +0100
Subject: [PATCH] katautils: Pass the nerdctl netns annotation to the OCI hooks

We need to let nerdctl know which namespace to use when calling the selected CNI plugin.

See https://github.com/containerd/nerdctl/issues/787

Fixes: #1935

Signed-off-by: Samuel Ortiz
---
 src/runtime/pkg/katautils/create.go      |  6 ++++
 src/runtime/pkg/katautils/create_test.go | 40 ++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/src/runtime/pkg/katautils/create.go b/src/runtime/pkg/katautils/create.go
index 7ecc86301e..d429558f4c 100644
--- a/src/runtime/pkg/katautils/create.go
+++ b/src/runtime/pkg/katautils/create.go
@@ -155,6 +155,12 @@ func CreateSandbox(ctx context.Context, vci vc.VC, ociSpec specs.Spec, runtimeCo
 		}
 	}()
 
+	if ociSpec.Annotations == nil {
+		ociSpec.Annotations = make(map[string]string)
+	}
+	ociSpec.Annotations["nerdctl/network-namespace"] = sandboxConfig.NetworkConfig.NetworkID
+	sandboxConfig.Annotations["nerdctl/network-namespace"] = ociSpec.Annotations["nerdctl/network-namespace"]
+
 	// Run pre-start OCI hooks, in the runtime namespace.
 	if err := PreStartHooks(ctx, ociSpec, containerID, bundlePath); err != nil {
 		return nil, vc.Process{}, err
diff --git a/src/runtime/pkg/katautils/create_test.go b/src/runtime/pkg/katautils/create_test.go
index 804b4318e7..dab665dce1 100644
--- a/src/runtime/pkg/katautils/create_test.go
+++ b/src/runtime/pkg/katautils/create_test.go
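Review bot: `sandboxConfig.Annotations["nerdctl/network-namespace"] = ...` writes to a map that gets no nil guard, while `ociSpec.Annotations` two lines above does; if SandboxConfig is ever built with a nil Annotations map (its construction is outside this hunk) that line panics in the runtime before the hooks run. The key is also spelled three times as a bare literal, so a typo in any one silently breaks the contract with nerdctl; hoist it into `const nerdctlNetNSAnnotation = "nerdctl/network-namespace"` and use it in all three places. If `NetworkConfig.NetworkID` can be empty (a host-networked or netns-less sandbox, which I cannot confirm from here), the hooks currently receive an empty-string namespace path, so it is worth guarding the whole block on a non-empty value. CreateSandbox starts and ends outside this hunk.
```go
	// … unchanged: deferred cleanup …
	if netNS := sandboxConfig.NetworkConfig.NetworkID; netNS != "" {
		if ociSpec.Annotations == nil {
			ociSpec.Annotations = make(map[string]string)
		}
		if sandboxConfig.Annotations == nil {
			sandboxConfig.Annotations = make(map[string]string)
		}
		ociSpec.Annotations[nerdctlNetNSAnnotation] = netNS
		sandboxConfig.Annotations[nerdctlNetNSAnnotation] = netNS
	}
	// … unchanged: PreStartHooks call …
```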
@@ -264,6 +264,46 @@ func TestCreateSandboxFail(t *testing.T) {
 	assert.True(vcmock.IsMockError(err))
 }
 
+func TestCreateSandboxAnnotations(t *testing.T) {
+	if tc.NotValid(ktu.NeedRoot()) {
+		t.Skip(ktu.TestDisabledNeedRoot)
+	}
+
+	assert := assert.New(t)
+
+	tmpdir, bundlePath, _ := ktu.SetupOCIConfigFile(t)
+	defer os.RemoveAll(tmpdir)
+
+	runtimeConfig, err := newTestRuntimeConfig(tmpdir, testConsole, true)
+	assert.NoError(err)
+
+	spec, err := compatoci.ParseConfigJSON(bundlePath)
+	assert.NoError(err)
+
+	rootFs := vc.RootFs{Mounted: true}
+
+	testingImpl.CreateSandboxFunc = func(ctx context.Context, sandboxConfig vc.SandboxConfig) (vc.VCSandbox, error) {
+		return &vcmock.Sandbox{
+			MockID: testSandboxID,
+			MockContainers: []*vcmock.Container{
+				{MockID: testContainerID},
+			},
+			MockAnnotations: sandboxConfig.Annotations,
+		}, nil
+	}
+
+	defer func() {
+		testingImpl.CreateSandboxFunc = nil
+	}()
+
+	sandbox, _, err := CreateSandbox(context.Background(), testingImpl, spec, runtimeConfig, rootFs, testContainerID, bundlePath, testConsole, true, true)
+	assert.NoError(err)
+
+	netNsPath, err := sandbox.Annotations("nerdctl/network-namespace")
+	assert.NoError(err)
+	assert.Equal(path.Dir(netNsPath), "/var/run/netns")
+}
+
 func TestCheckForFips(t *testing.T) {
 	assert := assert.New(t)
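Review bot: The closing assertion `assert.Equal(path.Dir(netNsPath), "/var/run/netns")` has testify's expected/actual order reversed, so a failure prints the literal as the "actual" value, and it pins the test to the host's netns directory rather than to what the change promises, namely that the annotation carries the sandbox's NetworkID. Since the mock already sees the SandboxConfig, capture it there and compare directly: `var gotNetNS string` before the mock, `gotNetNS = sandboxConfig.NetworkConfig.NetworkID` inside the closure, then `assert.Equal(gotNetNS, netNsPath)` (keeping an `assert.NotEmpty(netNsPath)` if the path-shaped check is still wanted). Note that this only verifies the SandboxConfig side; `spec` is passed by value to CreateSandbox, so the copy handed to the pre-start hooks is not observable from the returned sandbox and the hook-facing half of the change stays untested here. The hunk appears to end on the context line after `func TestCheckForFips`, so TestCheckForFips's body lies outside it.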