
Initial usage of python nsenter (#47)

* Initial usage of python nsenter

* Rename for consistency
johscheuer authored and hacker-h committed Aug 23, 2019
1 parent 4483070 commit ce30cfc5fcd1865c188f1c7fae16d35f3e8da6ca
Showing with 21 additions and 18 deletions.
  1. +2 −2 local_dev/start_containerd.sh
  2. +1 −2 local_dev/start_docker.sh
  3. +18 −14 src/illuminatio/illuminatio_runner.py
@@ -28,7 +28,7 @@ minikube start \
# Setup the minikube docker registry and calico
minikube addons enable registry

if [[ -n ${CI} ]];
if [[ -n "${CI:-}" ]];
then
sudo chown -R travis: /home/travis/.minikube/
fi
@@ -37,7 +37,7 @@ kubectl apply -f "https://docs.projectcalico.org/${CALICO_VERSION}/getting-start
kubectl apply -f local_dev/docker-registry.yml

# Configure containerd to use the local registry
if [[ -n ${CI} ]];
if [[ -n "${CI:-}" ]];
then
sudo mkdir -p /etc/containerd
sudo tee /etc/containerd/config.toml <<EOF
@@ -5,7 +5,6 @@ set -eu
KUBERNETES_VERSION="${KUBERNETES_VERSION:-v1.15.0}"
CALICO_VERSION="${CALICO_VERSION:-v3.8}"


# Setup minikube
minikube delete
minikube start \
@@ -25,7 +24,7 @@ minikube start \
# Setup the minikube docker registry and calico
minikube addons enable registry

if [[ -z ${CI} ]];
if [[ -n "${CI:-}" ]];
then
sudo chown -R travis: /home/travis/.minikube/
fi
@@ -12,6 +12,7 @@
import tempfile
import time
import yaml
from nsenter import Namespace
from illuminatio.host import Host, ConcreteClusterHost
from illuminatio.k8s_util import init_test_output_config_map
import docker
@@ -76,16 +77,17 @@ def filter_from_hosts(from_hosts, pods_on_node):
def run_tests_for_from_pod(from_pod, cases):
from_host_string = from_pod.to_identifier()
runtimes = {}
nsenter_cmd = build_nsenter_cmd_for_pod(from_pod.namespace, from_pod.name)
network_ns = get_network_ns_of_pod(from_pod.namespace, from_pod.name)
# TODO check if network ns is None -> HostNetwork is set
results = {}
for target, ports in cases[from_host_string].items():
start_time = time.time()
results[target] = run_tests_for_target(nsenter_cmd, ports, target)
results[target] = run_tests_for_target(network_ns, ports, target)
runtimes[target] = time.time() - start_time
return results, runtimes


def run_tests_for_target(enter_net_ns_cmd, ports, target):
def run_tests_for_target(network_ns, ports, target):
# resolve host directly here
# https://stackoverflow.com/questions/2805231/how-can-i-do-dns-lookups-in-python-including-referring-to-etc-hosts
logger.info("Target: %s" % target)
@@ -114,11 +116,13 @@ def run_tests_for_target(enter_net_ns_cmd, ports, target):
# remove the need for nmap!
# e.g. https://gist.github.com/betrcode/0248f0fda894013382d7
# nmap that target TODO: handle None ip
# Replace bare nmap call with a better integrated solution like: https://pypi.org/project/python-nmap/ ?
nmap_cmd = ["nmap", "-oX", result_file.name, "-Pn", "-p", port_string, svc_ip]
cmd = enter_net_ns_cmd + nmap_cmd
logger.info("running nmap with cmd %s", cmd)
prc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if prc.returncode:
logger.info("running nmap with cmd %s", nmap_cmd)
prc = None
with Namespace(network_ns, 'net'):
prc = subprocess.run(nmap_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if prc is None or prc.returncode:
logger.error("Executing nmap in foreign net ns failed! output:")
logger.error(prc.stderr)
logger.debug(prc)
@@ -208,14 +212,15 @@ def get_docker_network_namespace(pod_namespace, pod_name):
return net_ns


def get_network_namespace_from(inspectp_result):
def get_network_namespace(inspectp_result):
js = json.loads(inspectp_result)
net_ns = None
for ns in js["info"]["runtimeSpec"]["linux"]["namespaces"]:
if ns["type"] != "network":
continue
net_ns = ns["path"]
break

return net_ns


@@ -233,11 +238,11 @@ def get_containerd_network_namespace(host_namespace, host_name):
if prc2.returncode:
logger.error("Getting pods network namespace for pod " + str(pod_id) + " failed! output:")
logger.error(prc2.stderr)
net_ns = get_network_namespace_from(prc2.stdout)
return net_ns

return get_network_namespace(prc2.stdout)


def build_nsenter_cmd_for_pod(pod_namespace, pod_name):
def get_network_ns_of_pod(pod_namespace, pod_name):
container_runtime_name = os.environ["CONTAINER_RUNTIME_NAME"]
if container_runtime_name == "containerd":
net_ns = get_containerd_network_namespace(pod_namespace, pod_name)
@@ -246,9 +251,8 @@ def build_nsenter_cmd_for_pod(pod_namespace, pod_name):
else:
# TODO add more runtimes to support
raise ValueError("the container runtime '%s' is not supported" % container_runtime_name)
# make use of https://github.com/zalando/python-nsenter + ns_type netns should be enough
# --> https://github.com/zalando/python-nsenter/blob/master/nsenter/__init__.py#L42-L45
return ["nsenter", "-t", net_ns, "--net", "--"]

return net_ns


def get_pods_on_node():
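Review bot: In run_tests_for_target the new `if prc is None or prc.returncode:` guard is unreachable and, if it ever fired, `logger.error(prc.stderr)` on the next line would raise AttributeError on None — subprocess.run either returns a CompletedProcess or raises, and an exception inside `with Namespace(network_ns, 'net'):` propagates past the check rather than leaving prc unset. Either drop `prc = None` and reduce the test to `if prc.returncode:`, or wrap the namespace entry in a `try`/`except` that logs a failure to enter the namespace and returns before touching prc. The same hunk enters the namespace with whatever `get_network_ns_of_pod` returned, and the TODO left in run_tests_for_from_pod says it may be None for hostNetwork pods, so a guard before `Namespace(...)` (run nmap in the current namespace, or skip the target with a clear error) is needed rather than letting Namespace fail on None. In get_containerd_network_namespace a non-zero `prc2.returncode` is logged but `get_network_namespace(prc2.stdout)` is still called on the failed command's output, so json.loads will raise on empty stdout; return None (or raise) right after the log. run_tests_for_target's body continues outside the hunk.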
