this prevents the error to be lost which was causing the
panic while accesing a nil var.
Fix#830
Signed-off-by: Marcelo Guerrero Viveros <marguerr@redhat.com>
This commit updates the import of ginkgo to v2 in
all of the tests.
Signed-off-by: liornoy <lnoy@redhat.com>
Co-authored-by: Sascha Grunert <sgrunert@redhat.com>
This PR adds a plugin to create tap devices.
The plugin adds a tap device to the container.
The plugin has a workaround for a golang netlink library
which does not allow for tap devices with no owner/group
to be created. When no tap owner/group is requested, the
plugin will fall back to using the ip tool for creating
the tap device. A fix to the golang netlink lib is pending.
Signed-off-by: mmirecki <mmirecki@redhat.com>
It was noticed that, sometimes, the mac of the host-side of the veth
changes after setting up the bridge. So, just refresh it.
Fixes: #805
Signed-off-by: Casey Callendrello <c1@caseyc.net>
Previously, the Allocate method of the daemon always created a new Lease
object. However, as both the CNI ADD and CHECK commands call Allocate,
and CHECK can be called multiple times, this resulted in multiple Lease
objects being created per pod.
Each of these leases was long lived with its own maintain() loop -
however the daemon only kept track of the most recent one, meaning any
old lease objects remained running forever (and held open their NetNS
files). After a long enough period, this resulted in the system crashing
out with "too many files" or a similar error limits-related error.
This commit updates the behaviour of Allocate() to first check if a
Lease already exists for the given clientID. If none is found, one is
created as before. If a Lease is found, a new Check() mechanism is
called, which simply wakes up the maintain() loop to cause it to check
the status of the lease.
This may fix#329.
Signed-off-by: Emily Shepherd <emily@redcoat.dev>
GitHub Actions recently updated ubuntu-latest to 22.04 [1], which now
defaults to nfttables (rather than iptables-legacy) [2]. The portmap
tests in this project are written with the expectation that expected
error message for one test is in the iptables-legacy format.
This commit updates the check to make it work for both the
iptables-legecy and iptables-nftables variants.
References:
[1]: 4aba37bd3b
[2]: https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-22-04-lts
Signed-off-by: Emily Shepherd <emily@redcoat.dev>
This commit changes the order of substituting sysctl path to first handle
. to / change, before substituting the interface name.
This is needed as vlan interfaces have a . in the name, which should not
be changed.
Signed-off-by: mmirecki <mmirecki@redhat.com>
These were previously left intact, even when exiting gracefully. As the
daemon also fails if the socket already exists, it became the caller's
responsibilityto check for and cleanup old socket files when performing
graceful / deliberate restarts.
Signed-off-by: Emily Shepherd <emily@redcoat.dev>
Leverages the Linux dummy interface type to create network interfaces
that permists routing packets through the Linux kernel without
them being transmitted.
This solution allows use of arbitrary non-loopback IP addresses within
the container.
Related to #466
Signed-off-by: Mircea Iordache-Sica <mircea@arista.com>
Currently, hostname is set in the original DHCPREQUEST but not the
renewal. With some DHCP server implementations (such as FreeBSD dhcpd),
this leads to the hostname being cleared in the lease table.
This behavior is inconsistent with other DHCP clients such as dhclient
which set the hostname on the renewal request as well. To fix, use the
same options for acquire and renew.
This is compatible with RFC 2131 (see table 5).
Signed-off-by: Akhil Velagapudi <4@4khil.com>
Previously, the bridge plugin ignored DNS settings returned
from an IPAM plugin (e.g. the host-local plugin parsing
resolv.conf to configure DNS). With this change, the bridge plugin
uses IPAM DNS settings.
Similarly to #388, this change will use incoming DNS settings if set,
otherwise IPAM plugin returned DNS settings
Signed-off-by: Kern Walster <walster@amazon.com>
This PR bring V2 API support into win-overlay CNI. With the current V1
API, only docker runtime works for win-overlay. By bringing new changes, we
should be able to use containerd as the runtime.Below are the key
points regarding this implementation.
1. Clear seperation for V1 & V2 API support
2. New cni.conf sample that works for win-overlay
Signed-off-by: selansen <esiva@redhat.com>
Signed-off-by: mansikulkarni96 <mankulka@redhat.com>
The client id was constructed differently in the acquire
function compared to the release and renew functions,
which caused the dhcp-server to consider it a different client.
This is now encapsulated in a common function.
Signed-off-by: Fabian Wiesel <fabian.wiesel@sap.com>
checkPorts would return nil rather than an error if the per-container
DNAT chain didn't exist, meaning CHECK would erroneously return
success rather than failure.
chain.check() already (correctly) checks that the chain exists, so
there's no need to do it separately before calling that anyway.
Signed-off-by: Dan Winship <danwinship@redhat.com>
This commit adds a new parameter `ingressPolicy` (`string`) to the `firewall` plugin.
The supported values are `open` and `same-bridge`.
- `open` is the default and does NOP.
- `same-bridge` creates "CNI-ISOLATION-STAGE-1" and "CNI-ISOLATION-STAGE-2"
that are similar to Docker libnetwork's "DOCKER-ISOLATION-STAGE-1" and
"DOCKER-ISOLATION-STAGE-2" rules.
e.g., when `ns1` and `ns2` are connected to bridge `cni1`, and `ns3` is
connected to bridge `cni2`, the `same-bridge` ingress policy disallows
communications between `ns1` and `ns3`, while allowing communications
between `ns1` and `ns2`.
Please refer to the comment lines in `ingresspolicy.go` for the actual iptables rules.
The `same-bridge` ingress policy is expected to be used in conjunction
with `bridge` plugin. May not work as expected with other "main" plugins.
It should be also noted that the `same-bridge` ingress policy executes
raw `iptables` commands directly, even when the `backend` is set to `firewalld`.
We could potentially use the "direct" API of firewalld [1] to execute
iptables via firewalld, but it doesn't seem to have a clear benefit over just directly
executing raw iptables commands.
(Anyway, we have been already executing raw iptables commands in the `portmap` plugin)
[1] https://firewalld.org/documentation/direct/options.html
This commit replaces the `isolation` plugin proposal (issue 573, PR 574).
The design of `ingressPolicy` was discussed in the comments of the withdrawn PR 574 ,
but `same-network` was renamed to `same-bridge` then.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
If an interface is not configured with IPAM (because it functions at
layer 2), it will not be brought up otherwise.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
First byte of client ID is type, instead of value. See this from
RFC2132:
Code Len Type Client-Identifier
+-----+-----+-----+-----+-----+---
| 61 | n | t1 | i1 | i2 | ...
+-----+-----+-----+-----+-----+---
Signed-off-by: SilverBut <SilverBut@users.noreply.github.com>
Almost every first retry of DHCP will fail due to interface is not up. Add a
fast retry to reduce unnecessary latency.
Signed-off-by: SilverBut <SilverBut@users.noreply.github.com>
The new macspoofchk field is added to the bridge plugin to support
anti-mac-spoofing.
When the parameter is enabled, traffic is limited to the mac addresses
of the container interface (the veth peer that is placed in the
container ns).
Any traffic that exits the pod is checked against the source mac address
that is expected. If the mac address is different, the frames are
dropped.
The implementation is using nftables and should only be used on nodes
that support it.
Signed-off-by: Edward Haas <edwardh@redhat.com>
With this patch, when the IPs are provisioned via CNI args or via
`RuntimeConfig` the CIDR is only parsed once.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
This commit addresses the scenarios when the invalid CIDR is
provisioned via:
- CNI_ARGS
- RuntimeConfig
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
Controlling the mac address of the interface (veth peer) in the
container is useful for functionalities that depend on the mac address.
Examples range from dynamic IP allocations based on an identifier (the
mac) and up to firewall rules (e.g. no-mac-spoofing).
Enforcing a mac address at an early stage and not through a chained
plugin assures the configuration does not have wrong intermediate
configuration. This is especially critical when a dynamic IP may be
provided already in this period.
But it also has implications for future abilities that may land on the
bridge plugin, e.g. supporting no-mac-spoofing.
The field name used (`mac`) fits with other plugins which control the
mac address of the container interface.
The mac address may be specified through the following methods:
- CNI_ARGS
- Args
- RuntimeConfig [1]
The list is ordered by priority, from lowest to higher. The higher
priority method overrides any previous settings.
(e.g. if the mac is specified in RuntimeConfig, it will override any
specifications of the mac mentioned in CNI_ARGS or Args)
[1] To use RuntimeConfig, the network configuration should include the
`capabilities` field with `mac` specified (`"capabilities": {"mac": true}`).
Signed-off-by: Edward Haas <edwardh@redhat.com>
Now that the flannel CNI plugin has been moved to
https://github.com/flannel-io/cni-plugin, we should remove it from here.
Signed-off-by: Casey Callendrello <cdc@redhat.com>
- support v2 api
- unify v1 and v2 api
BREAKING CHANGE:
- remove `HcnPolicyArgs` field
- merge `HcnPolicyArgs` into `Policies` field
Signed-off-by: thxcode <thxcode0824@gmail.com>
Check tableID not in use for every ipCfg
This allows SBR plugin to accommodate for multi-ip interfaces
Fixes#581
Signed-off-by: Anurag Dwivedi <anuragensemble1@gmail.com>
Since the CNI Spec bump to v1.0 the tuning plugin no longer updates the
mac address in the cni result for 0.4.0 or below configs. I don't think
this ever worked when the cni result was converted to a different version.
A test has been added to ensure it is working for all spec versions.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
This adds support to allow the tuning plugin to enable/disable the
allmulticast mode of the interface. When enabled it instructs the
network driver to retrieve all multicast packets from the network.
Signed-off-by: Björn Svensson <bjorn.a.svensson@est.tech>
Move default table routes which match the ipCfg config
This allows SBR plugin to accommodate for multi-ip interfaces
Fixes#581
Signed-off-by: Anurag Dwivedi <anuragensemble1@gmail.com>
