Closes cri-o#3914 [FEAT] Add new parameter disable_hostport_mapping i…

…n CRI-O Signed-off-by: T K Chandra Hasan <t.k.chandra.hasan@ibm.com>
hasan4791 · Feb 5, 2023 · 85671dd · 85671dd
1 parent 6e861a8
commit 85671dd
Show file tree

Hide file tree

Showing 12 changed files with 83 additions and 1 deletion.
diff --git a/completions/bash/crio b/completions/bash/crio
@@ -44,6 +44,7 @@ h
 --default-transport
 --default-ulimits
 --device-ownership-from-security-context
+--disable-hostport-mapping
 --drop-infra-ctr
 --enable-criu-support
 --enable-metrics

diff --git a/completions/fish/crio.fish b/completions/fish/crio.fish
@@ -49,6 +49,7 @@ complete -c crio -n '__fish_crio_no_subcommand' -f -l default-sysctls -r -d 'Sys
 complete -c crio -n '__fish_crio_no_subcommand' -f -l default-transport -r -d 'A prefix to prepend to image names that cannot be pulled as-is.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l default-ulimits -r -d 'Ulimits to apply to containers by default (name=soft:hard).'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l device-ownership-from-security-context -d 'Set devices\' uid/gid ownership from runAsUser/runAsGroup.'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l disable-hostport-mapping -d 'If true, CRI-O would disable the hostport mapping.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l drop-infra-ctr -d 'Determines whether pods are created without an infra container, when the pod is not using a pod level PID namespace.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l enable-criu-support -d 'Enable CRIU integration, requires that the criu binary is available in $PATH.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l enable-metrics -d 'Enable metrics endpoint for the server on localhost:9090.'

diff --git a/completions/zsh/_crio b/completions/zsh/_crio
@@ -51,6 +51,7 @@ it later with **--config**. Global options will modify the output.'
         '--default-transport'
         '--default-ulimits'
         '--device-ownership-from-security-context'
+        '--disable-hostport-mapping'
         '--drop-infra-ctr'
         '--enable-criu-support'
         '--enable-metrics'

diff --git a/docs/crio.8.md b/docs/crio.8.md
@@ -42,6 +42,7 @@ crio
 [--default-transport]=[value]
 [--default-ulimits]=[value]
 [--device-ownership-from-security-context]
+[--disable-hostport-mapping]
 [--drop-infra-ctr]
 [--enable-criu-support]
 [--enable-metrics]
@@ -213,6 +214,8 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 **--device-ownership-from-security-context**: Set devices' uid/gid ownership from runAsUser/runAsGroup.
 
+**--disable-hostport-mapping**: If true, CRI-O would disable the hostport mapping.
+
 **--drop-infra-ctr**: Determines whether pods are created without an infra container, when the pod is not using a pod level PID namespace.
 
 **--enable-criu-support**: Enable CRIU integration, requires that the criu binary is available in $PATH.

diff --git a/docs/crio.conf.5.md b/docs/crio.conf.5.md
@@ -293,6 +293,9 @@ the container runtime configuration.
 **enable_pod_events**=false
 Enable CRI-O to generate the container pod-level events in order to optimize the performance of the Pod Lifecycle Event Generator (PLEG) module in Kubelet.
 
+**disable_hostport_mapping**=false
+ Enable/Disable the container hostport mapping in CRI-O. Default value is set to 'false'.
+
 ### CRIO.RUNTIME.RUNTIMES TABLE
 The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.  The runtime to use is picked based on the runtime handler provided by the CRI.  If no runtime handler is provided, the runtime will be picked based on the level of trust of the workload. This option supports live configuration reload. This option supports live configuration reload.
 

diff --git a/internal/criocli/criocli.go b/internal/criocli/criocli.go
@@ -389,6 +389,9 @@ func mergeConfig(config *libconfig.Config, ctx *cli.Context) error {
 	if ctx.IsSet("enable-pod-events") {
 		config.EnablePodEvents = ctx.Bool("enable-pod-events")
 	}
+	if ctx.IsSet("disable-hostport-mapping") {
+		config.DisableHostPortMapping = ctx.Bool("disable-hostport-mapping")
+	}
 	return nil
 }
 
@@ -1083,6 +1086,12 @@ func getCrioFlags(defConf *libconfig.Config) []cli.Flag {
 			Usage:   "If true, CRI-O starts sending the container events to the kubelet",
 			EnvVars: []string{"ENABLE_POD_EVENTS"},
 		},
+		&cli.BoolFlag{
+			Name:    "disable-hostport-mapping",
+			Usage:   "If true, CRI-O would disable the hostport mapping.",
+			EnvVars: []string{"DISABLE_HOSTPORT_MAPPING"},
+			Value:   defConf.DisableHostPortMapping,
+		},
 	}
 }
 

diff --git a/internal/hostport/noop_hostport_manager.go b/internal/hostport/noop_hostport_manager.go
@@ -0,0 +1,22 @@
+package hostport
+
+import "github.com/sirupsen/logrus"
+
+// This interface implements, when hostport mapping is disabled in CRI-O
+type noopHostportManager struct{}
+
+// NewNoopHostportManager creates a new HostPortManager
+func NewNoopHostportManager() HostPortManager {
+	logrus.Info("HostPort Mapping is Disabled in CRI-O")
+	return &noopHostportManager{}
+}
+
+func (mh *noopHostportManager) Add(id string, podPortMapping *PodPortMapping, natInterfaceName string) error {
+	logrus.Debug("HostPort Mapping is Disabled in CRI-O")
+	return nil
+}
+
+func (mh *noopHostportManager) Remove(id string, podPortMapping *PodPortMapping) error {
+	logrus.Debug("HostPort Mapping is Disabled in CRI-O")
+	return nil
+}
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -436,6 +436,10 @@ type RuntimeConfig struct {
 
 	// namespaceManager is the internal NamespaceManager configuration
 	namespaceManager *nsmgr.NamespaceManager
+
+	// Option to disable hostport mapping in CRI-O
+	// Default value is 'false'
+	DisableHostPortMapping bool `toml:"disable_hostport_mapping"`
 }
 
 // ImageConfig represents the "crio.image" TOML config table.
@@ -820,6 +824,7 @@ func DefaultConfig() (*Config, error) {
 			namespaceManager:           nsmgr.New(defaultNamespacesDir, ""),
 			rdtConfig:                  rdt.New(),
 			ulimitsConfig:              ulimits.New(),
+			DisableHostPortMapping:     false,
 		},
 		ImageConfig: ImageConfig{
 			DefaultTransport: "docker://",

diff --git a/pkg/config/template.go b/pkg/config/template.go
@@ -445,6 +445,11 @@ func initCrioTemplateConfig(c *Config) ([]*templateConfigValue, error) {
 			group:          crioRuntimeConfig,
 			isDefaultValue: WorkloadsEqual(dc.Workloads, c.Workloads),
 		},
+		{
+			templateString: templateStringCrioRuntimeDisableHostPortMapping,
+			group:          crioRuntimeConfig,
+			isDefaultValue: simpleEqual(dc.DisableHostPortMapping, c.DisableHostPortMapping),
+		},
 		{
 			templateString: templateStringCrioImageDefaultTransport,
 			group:          crioImageConfig,
@@ -1240,6 +1245,13 @@ const templateStringCrioRuntimeWorkloads = `# The workloads table defines ways t
 {{ end }}
 `
 
+const templateStringCrioRuntimeDisableHostPortMapping = `# disable_hostport_mapping determines whether to enable/disable
+# the container hostport mapping in CRI-O.
+# Default value is set to 'false'
+{{ $.Comment }}disable_hostport_mapping = {{ .DisableHostPortMapping }}
+
+`
+
 const templateStringCrioImage = `# The crio.image table contains settings pertaining to the management of OCI images.
 #
 # CRI-O reads its configured registries defaults from the system wide

diff --git a/server/server.go b/server/server.go
@@ -424,7 +424,13 @@ func New(
 		return nil, err
 	}
 
-	hostportManager := hostport.NewMetaHostportManager()
+	// Check for hostport mapping
+	var hostportManager hostport.HostPortManager
+	if config.RuntimeConfig.DisableHostPortMapping {
+		hostportManager = hostport.NewNoopHostportManager()
+	} else {
+		hostportManager = hostport.NewMetaHostportManager()
+	}
 
 	idMappings, err := getIDMappings(config)
 	if err != nil {

diff --git a/server/server_test.go b/server/server_test.go
@@ -219,6 +219,14 @@ var _ = t.Describe("Server", func() {
 			mockNewServer()
 			serverConfig.StreamIdleTimeout = "200ms"
 
+			server, err := server.New(context.Background(), libMock)
+			Expect(err).To(BeNil())
+			Expect(server).ToNot(BeNil())
+		})
+		It("should succeed with hostport mapping disabled", func() {
+			mockNewServer()
+			serverConfig.RuntimeConfig.DisableHostPortMapping = true
+
 			server, err := server.New(context.Background(), libMock)
 			Expect(err).To(BeNil())
 			Expect(server).ToNot(BeNil())

diff --git a/test/config.bats b/test/config.bats
@@ -119,3 +119,14 @@ EOF
 	# then
 	"$CRIO_BINARY_PATH" -c "$TESTDIR"/workload.conf -d "" config
 }
+
+@test "config dir should fail with invalid disable_hostport_mapping option" {
+	# given
+	printf '[crio.runtime]\ndisable_hostport_mapping = false\n' > "$CRIO_CONFIG"
+	printf '[crio.runtime]\ndisable_hostport_mapping = "no"\n' > "$CRIO_CONFIG_DIR"/00-default
+
+	# when
+	run "$CRIO_BINARY_PATH" -c "$CRIO_CONFIG" -d "$CRIO_CONFIG_DIR"
+	# then
+	[ "$status" -ne 0 ]
+}