Enable networking for hypervisor based container runtimes #237

Merged 5 commits on Dec 13, 2016

Commits on Dec 12, 2016

  1. vendor: Add CNI ns package

    We will need it for our persistent networking
    namespace work.
    
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Samuel Ortiz committed Dec 12, 2016 (be3ed3b)
  2. sandbox: Use persistent networking namespace

    Because they need to prepare the hypervisor networking interfaces
    and have them match the ones created in the pod networking
    namespace (typically to bridge TAP and veth interfaces), hypervisor
    based container runtimes need the sandbox pod networking namespace
    to be set up before it's created. They can then prepare and start
    the hypervisor interfaces when creating the pod virtual machine.
    
    In order to do so, we need to create per pod persistent networking
    namespaces that we pass to the CNI plugin. This patch leverages
    the CNI ns package to create such namespaces under /var/run/netns,
    and assign them to all pod containers.
    The persistent namespace is removed when either the pod is stopped
    or removed.
    
    Since the StopPodSandbox() API can be called multiple times from
    kubelet, we track the pod networking namespace state (closed or
    not) so that we don't get a containernetworking/ns package error
    when calling its Close() routine multiple times as well.
    
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Samuel Ortiz committed Dec 12, 2016 (4cab8ed)
  3. sandbox: Setup networking namespace before sandbox creation

    In order for hypervisor based container runtimes to be able to
    fully prepare their pod virtual machines networking interfaces,
    this patch sets the pod networking namespace before creating the
    sandbox container.
    
    Once the sandbox networking namespace is prepared, the runtime
    can scan the networking namespace interfaces and build the pod VM
    matching interfaces (typically TAP interfaces) at pod sandbox
    creation time. Not doing so means those runtimes would have to
    rely on all hypervisors to support networking interfaces hotplug.
    
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Samuel Ortiz committed Dec 12, 2016 (482eb46)
  4. sandbox: Fix gocyclo complexity

    With the networking namespace code added, we were reaching a
    gocyclo complexity of 52. By moving the container creation and
    starting code path out, we're back to reasonable levels.
    
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Samuel Ortiz committed Dec 12, 2016 (a9724c2)
  5. sandbox: Create a symbolic link to the networking namespace

    In order to work around a bug introduced with runc commit bc84f833,
    we create a symbolic link to our permanent networking namespace so
    that runC realizes that this is not the host namespace.
    
    Although this bug is now fixed upstream (see commit f33de5ab4), this
    patch works with pre-rc3 runC versions.
    We may want to revert that patch once runC 1.0.0 is released.
    
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Samuel Ortiz committed Dec 12, 2016 (0df8200)
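Commits 2 and 5 together describe a small ownership wrapper around a pod's persistent network namespace: one object that hands a path to the CNI plugin and to runC, publishes the symbolic link runC needs to recognise a non-host namespace, and tolerates the repeated StopPodSandbox calls kubelet makes by closing the underlying namespace exactly once. The Go code below is an added example written for this page; it is not code from this pull request or from the project. It assumes a `netNS` interface that is only the `Path()`/`Close()` subset of the CNI `ns.NetNS` type, and because creating a real namespace needs CAP_SYS_ADMIN, it stands in a constructed `fakeNS` that, like the real package, returns an error on a second `Close()`. The names `podNetNS`, `newPodNetNS`, `linkDir` and `podID` are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sync"
)

// netNS is the Path/Close subset of the containernetworking/cni ns.NetNS
// interface that the wrapper relies on (assumption: only these two methods).
type netNS interface {
	Path() string
	Close() error
}

// podNetNS owns one pod's persistent network namespace. It is set up before
// the sandbox container so a hypervisor runtime can inspect the namespace's
// interfaces, and it is closed on both StopPodSandbox and RemovePodSandbox.
type podNetNS struct {
	mu      sync.Mutex
	ns      netNS
	symlink string // hypothetical link path handed to runC instead of ns.Path()
	closed  bool   // tracked so a second Close() is a no-op, not an ns error
}

// newPodNetNS wraps an already-created namespace and publishes a symbolic
// link to it under linkDir, the runC workaround described in commit 5.
func newPodNetNS(ns netNS, linkDir, podID string) (*podNetNS, error) {
	link := filepath.Join(linkDir, podID)
	if err := os.Symlink(ns.Path(), link); err != nil {
		return nil, fmt.Errorf("symlink %s -> %s: %w", link, ns.Path(), err)
	}
	return &podNetNS{ns: ns, symlink: link}, nil
}

// Path is what gets passed to the CNI plugin and to the OCI runtime.
func (p *podNetNS) Path() string { return p.symlink }

// Close tears the namespace down once. The underlying ns.NetNS errors on a
// second Close, so the wrapper records the closed state itself. The flag is
// only set after a successful Close so a failed teardown can be retried.
func (p *podNetNS) Close() error {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.closed {
		return nil
	}
	// Drop the link first so a half-finished teardown never leaves a
	// dangling link that runC could still be pointed at.
	if err := os.Remove(p.symlink); err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	if err := p.ns.Close(); err != nil {
		return err
	}
	p.closed = true
	return nil
}

// fakeNS is a constructed stand-in for a real ns.NetNS, which needs
// CAP_SYS_ADMIN to create. Like the real one, it rejects a second Close.
type fakeNS struct {
	path   string
	closes int
}

func (f *fakeNS) Path() string { return f.path }

func (f *fakeNS) Close() error {
	f.closes++
	if f.closes > 1 {
		return errors.New("netns already closed")
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "netns-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed target: a real pod would point at /var/run/netns/<id>.
	p, err := newPodNetNS(&fakeNS{path: filepath.Join(dir, "target")}, dir, "pod-1")
	if err != nil {
		panic(err)
	}
	fmt.Println("runC sees:", p.Path())
	fmt.Println("first close:", p.Close())  // <nil>
	fmt.Println("second close:", p.Close()) // <nil>, not "netns already closed"
}
```

The same wrapper would be removed on RemovePodSandbox by calling `Close()` again, which is why the idempotence matters: stop and remove are separate CRI calls, and kubelet may repeat either of them.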