From e6b3528acff10fb2bc62e2da0c3754f1e36cbd54 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Wed, 5 Jun 2024 10:04:59 +0800
Subject: [PATCH 105/108] start sandbox before setup network by default
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
src/daemon/common/cri/cri_helpers.cc | 12 +++++++
src/daemon/common/cri/cri_helpers.h | 3 ++
.../cri_pod_sandbox_manager_service.cc | 34 +++++++++++++------
src/daemon/modules/spec/specs.c | 2 +-
src/utils/cutils/utils_file.c | 2 +-
5 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/src/daemon/common/cri/cri_helpers.cc b/src/daemon/common/cri/cri_helpers.cc
index 68d569cc..8117403c 100644
--- a/src/daemon/common/cri/cri_helpers.cc
+++ b/src/daemon/common/cri/cri_helpers.cc
@@ -47,6 +47,8 @@ const std::string Constants::DOCKER_IMAGEID_PREFIX { "docker://" };
const std::string Constants::DOCKER_PULLABLE_IMAGEID_PREFIX { "docker-pullable://" };
const std::string Constants::RUNTIME_READY { "RuntimeReady" };
const std::string Constants::NETWORK_READY { "NetworkReady" };
+// Kata 2.x need create network namespace and setup network befoce run podsandbox
+const std::string Constants::NETWORK_SETUP_ANNOTATION_KEY { "cri.sandbox.network.setup.v2" };
const std::string Constants::POD_CHECKPOINT_KEY { "cri.sandbox.isulad.checkpoint" };
const std::string Constants::CONTAINER_TYPE_ANNOTATION_KEY { "io.kubernetes.cri.container-type" };
const std::string Constants::CONTAINER_NAME_ANNOTATION_KEY { "io.kubernetes.cri.container-name" };
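Review bot: The comment introducing NETWORK_SETUP_ANNOTATION_KEY has a typo ("befoce") and does not say what value the annotation must carry to take effect; suggest `// Kata 2.x needs the network namespace created and the network set up before the pod sandbox runs; set this annotation to "true" to select that order.` The value check itself lives in SetupNetworkFirst further down in the patch, so a reader of this constant alone cannot tell that only the literal string "true" is honoured.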
@@ -1140,4 +1142,14 @@ auto GetPodSELinuxLabelOpts(const std::string &selinuxLabel, Errors &error)
return fmtiSuladOpts(selinuxOpts, securityOptSep);
}
+bool SetupNetworkFirst(const std::map<std::string, std::string> &annotations)
+{
+ auto iter = annotations.find(CRIHelpers::Constants::NETWORK_SETUP_ANNOTATION_KEY);
+ if (iter == annotations.end()) {
+ return false;
+ }
+
+ return iter->second == std::string("true");
+}
+
} // namespace CRIHelpers
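Review bot: SetupNetworkFirst accepts only the exact lowercase string "true", so a pod annotated with `cri.sandbox.network.setup.v2: True` or `1` silently falls back to the default order; if that strictness is intended, say so in a doc comment above the function, e.g. `// Returns true only when the annotation value is exactly "true"; a missing key or any other value selects the default start-then-network order.` The `std::string("true")` temporary on the return line is unnecessary, `return iter->second == "true";` performs the same comparison. Since the annotation comes from the pod spec, i.e. from anyone allowed to create pods, it should stay a pure ordering toggle with no other effect, which the current body does respect.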
diff --git a/src/daemon/common/cri/cri_helpers.h b/src/daemon/common/cri/cri_helpers.h
index 5c450b32..11a80b45 100644
--- a/src/daemon/common/cri/cri_helpers.h
+++ b/src/daemon/common/cri/cri_helpers.h
@@ -49,6 +49,7 @@ public:
static const std::string DOCKER_PULLABLE_IMAGEID_PREFIX;
static const std::string RUNTIME_READY;
static const std::string NETWORK_READY;
+ static const std::string NETWORK_SETUP_ANNOTATION_KEY;
static const std::string POD_CHECKPOINT_KEY;
static const size_t MAX_CHECKPOINT_KEY_LEN { 250 };
static const std::string CONTAINER_TYPE_ANNOTATION_KEY;
@@ -151,6 +152,8 @@ auto GetPodSELinuxLabelOpts(const std::string &selinuxLabel, Errors &error) -> s
auto GetlegacySeccompiSuladOpts(const std::string &seccompProfile, Errors &error) -> std::vector<iSuladOpt>;
auto GetSeccompiSuladOptsByPath(const char *dstpath, Errors &error) -> std::vector<iSuladOpt>;
+
+bool SetupNetworkFirst(const std::map<std::string, std::string> &annotations);
}; // namespace CRIHelpers
#endif // DAEMON_ENTRY_CRI_CRI_HELPERS_H
diff --git a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
index af6b5fff..f852f4df 100644
--- a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
+++ b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
@@ -655,19 +655,33 @@ auto PodSandboxManagerService::RunPodSandbox(const runtime::v1alpha2::PodSandbox
}
}
- // Step 7: Setup networking for the sandbox.
- SetupSandboxNetwork(config, response_id, inspect_data, networkOptions, stdAnnos, network_setting_json, error);
- if (error.NotEmpty()) {
- goto cleanup_ns;
- }
+ // Step 7: According to the annotation and network namespace mode,
+ // determine the order of start sandbox and setup network.
+ if (CRIHelpers::SetupNetworkFirst(stdAnnos)) {
+ // Step 7.1: Setup networking for the sandbox, and then start the sandbox container.
+ SetupSandboxNetwork(config, response_id, inspect_data, networkOptions, stdAnnos, network_setting_json, error);
+ if (error.NotEmpty()) {
+ goto cleanup_ns;
+ }
- // Step 8: Start the sandbox container.
- StartSandboxContainer(response_id, error);
- if (error.NotEmpty()) {
- goto cleanup_network;
+ StartSandboxContainer(response_id, error);
+ if (error.NotEmpty()) {
+ goto cleanup_network;
+ }
+ } else {
+ // Step 7.2: (Default)Start the sandbox container, and then setup networking for the sandbox.
+ StartSandboxContainer(response_id, error);
+ if (error.NotEmpty()) {
+ goto cleanup_ns;
+ }
+
+ SetupSandboxNetwork(config, response_id, inspect_data, networkOptions, stdAnnos, network_setting_json, error);
+ if (error.NotEmpty()) {
+ goto cleanup_ns;
+ }
}
- // Step 9: Save network settings json to disk
+ // Step 8: Save network settings json to disk
if (namespace_is_cni(inspect_data->host_config->network_mode)) {
Errors tmpErr;
UpdatePodSandboxNetworkSettings(response_id, network_setting_json, tmpErr);
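Review bot: In the new default branch (Step 7.2), a failing SetupSandboxNetwork jumps to cleanup_ns while the sandbox container started two lines earlier is left running, whereas the old order tore the network down via cleanup_network when the later step failed. Unless the cleanup_ns label, which lies outside the hunk, also stops and removes the started container, this error path leaks a running sandbox and, if the CNI ADD partially succeeded before the error, its network resources as well. The failure branch after the Step 7.2 SetupSandboxNetwork call should stop the sandbox container (or jump to a label that does) before falling through to the namespace cleanup, and the Step 7.1 branch should keep its cleanup_network target as it does now. RunPodSandbox and its cleanup labels start and end outside the hunk, so confirm what cleanup_ns actually releases before choosing the target.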
diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c
index 122f9992..f0538e26 100644
--- a/src/daemon/modules/spec/specs.c
+++ b/src/daemon/modules/spec/specs.c
@@ -1601,7 +1601,7 @@ static int merge_share_network_namespace(const oci_runtime_spec *oci_spec, const
int ret = 0;
char *ns_path = NULL;
- if (host_spec->network_mode == NULL) {
+ if (host_spec->network_mode == NULL || strlen(host_spec->network_mode) == 0) {
return 0;
}
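Review bot: The new condition treats an empty network_mode like NULL, but neither the hunk nor the commit message says why an empty string is now expected here; a comment would help the next reader, e.g. `// An unset or empty network_mode means there is no namespace to share; nothing to merge (presumably the caller now passes "" before the network is set up — confirm).` `host_spec->network_mode[0] == '\0'` expresses the emptiness test without scanning the string. merge_share_network_namespace continues outside the hunk.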
diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c
index 6fc6852d..90bb156f 100644
--- a/src/utils/cutils/utils_file.c
+++ b/src/utils/cutils/utils_file.c
@@ -85,7 +85,7 @@ bool util_file_exists(const char *f)
struct stat buf;
int nret;
- if (f == NULL) {
+ if (f == NULL || strlen(f) == 0) {
return false;
}
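Review bot: util_file_exists now short-circuits on an empty path; POSIX stat("") fails with ENOENT, so the observable result does not change, but as a widely used utility this deserves a comment stating the intent, e.g. `// A NULL or empty path can never name an existing file; skip the stat() call.` The same check written as `f[0] == '\0'` avoids the strlen scan. util_file_exists continues outside the hunk.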
--
2.25.1