-
Notifications
You must be signed in to change notification settings - Fork 85
/
aardvark.rs
469 lines (426 loc) · 16.9 KB
/
aardvark.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
use crate::error::{NetavarkError, NetavarkResult};
use fs2::FileExt;
use libc::pid_t;
use nix::sys::signal::{self, Signal};
use nix::unistd::Pid;
use std::ffi::{OsStr, OsString};
use std::fs;
use std::fs::File;
use std::fs::OpenOptions;
use std::io::Result;
use std::io::{prelude::*, ErrorKind};
use std::net::Ipv4Addr;
use std::net::{IpAddr, Ipv6Addr};
use std::path::{Path, PathBuf};
use std::process::{Command, Stdio};
const SYSTEMD_CHECK_PATH: &str = "/run/systemd/system";
const SYSTEMD_RUN: &str = "systemd-run";
const AARDVARK_COMMIT_LOCK: &str = "aardvark.lock";
#[derive(Clone, Debug)]
pub struct AardvarkEntry<'a> {
pub network_name: &'a str,
pub network_gateways: Vec<IpAddr>,
pub network_dns_servers: &'a Option<Vec<IpAddr>>,
pub container_id: &'a str,
pub container_ips_v4: Vec<Ipv4Addr>,
pub container_ips_v6: Vec<Ipv6Addr>,
pub container_names: Vec<String>,
pub container_dns_servers: &'a Option<Vec<IpAddr>>,
pub is_internal: bool,
}
#[derive(Debug, Clone)]
pub struct Aardvark {
/// aardvark's config directory
pub config: PathBuf,
/// tells if container is rootfull or rootless
pub rootless: bool,
/// path to the aardvark-dns binary
pub aardvark_bin: OsString,
/// port to bind to
pub port: OsString,
}
impl Aardvark {
pub fn new(config: PathBuf, rootless: bool, aardvark_bin: OsString, port: u16) -> Self {
Aardvark {
config,
rootless,
aardvark_bin,
port: port.to_string().into(),
}
}
/// On success returns aardvark server's pid or returns -1;
fn get_aardvark_pid(&self) -> NetavarkResult<pid_t> {
let path = Path::new(&self.config).join("aardvark.pid");
let pid: i32 = match fs::read_to_string(path) {
Ok(content) => match content.parse::<pid_t>() {
Ok(val) => val,
Err(e) => {
return Err(NetavarkError::msg(format!("parse aardvark pid: {e}")));
}
},
Err(e) => {
return Err(NetavarkError::Io(e));
}
};
Ok(pid)
}
fn is_executable_in_path(program: &str) -> bool {
if let Ok(path) = std::env::var("PATH") {
for p in path.split(':') {
let p_str = format!("{p}/{program}");
if fs::metadata(p_str).is_ok() {
return true;
}
}
}
false
}
pub fn start_aardvark_server(&self) -> Result<()> {
log::debug!("Spawning aardvark server");
let mut aardvark_args = vec![];
// only use systemd when it is booted, see sd_booted(3)
if Path::new(SYSTEMD_CHECK_PATH).exists() && Aardvark::is_executable_in_path(SYSTEMD_RUN) {
// TODO: This could be replaced by systemd-api.
aardvark_args = vec![
OsStr::new(SYSTEMD_RUN),
OsStr::new("-q"),
OsStr::new("--scope"),
];
if self.rootless {
aardvark_args.push(OsStr::new("--user"));
}
}
aardvark_args.extend(vec![
self.aardvark_bin.as_os_str(),
OsStr::new("--config"),
self.config.as_os_str(),
OsStr::new("-p"),
self.port.as_os_str(),
OsStr::new("run"),
]);
log::debug!("start aardvark-dns: {:?}", aardvark_args);
// After https://github.com/containers/aardvark-dns/pull/148 this command
// will block till aardvark-dns's parent process returns back and let
// aardvark inherit all the fds.
let out = Command::new(aardvark_args[0])
.args(&aardvark_args[1..])
.stdin(Stdio::null())
.stdout(Stdio::null())
// set RUST_LOG for aardvark
.env("RUST_LOG", log::max_level().as_str())
.output()?;
if out.status.success() {
return Ok(());
}
if out.stderr.is_empty() {
return Err(std::io::Error::new(
std::io::ErrorKind::Other,
"aardvark-dns exited unexpectedly without error message",
));
}
// aardvark-dns failed capture stderr
let msg = String::from_utf8(out.stderr).map_err(|e| {
std::io::Error::new(
std::io::ErrorKind::Other,
format!("failed to parse aardvark-dns stderr message: {e}"),
)
})?;
Err(std::io::Error::new(
std::io::ErrorKind::Other,
format!("aardvark-dns failed to start: {}", msg.trim()),
))
}
fn check_netns(&self, pid: pid_t) {
// This should never fail but ignore errors anyway
let cur_ns = match fs::read_link("/proc/self/ns/net") {
Ok(p) => p,
Err(_) => return,
};
// This might fail
let aardvark_ns = match fs::read_link(format!("/proc/{pid}/ns/net")) {
Ok(p) => p,
// In case of errors ignore them and do not warn. When the process is exiting then
// several different errors can happen. I have observed ENOENT, ESRCH and EACCES so
// to be safe just ignore all errors as this warning here is just best effort anyway.
// https://github.com/containers/podman/issues/22103
Err(_) => return,
};
if aardvark_ns != cur_ns {
// netns does not match, this means dns will not work.
// see https://github.com/containers/podman/issues/20396 for how that might happen
// We do not not really what the problem in the aardvark-dns config files so we
// cannot really self heal here and must ask the user to fix it.
// I am not sure if this should be a hard error??
log::error!(
"aardvark-dns runs in a different netns, dns will not work for this container. To resolve please stop all containers, kill the aardvark-dns process, remove the {} directory and then start the containers again",
self.config.display()
);
}
}
pub fn notify(&self, start: bool, is_update: bool) -> NetavarkResult<()> {
match self.get_aardvark_pid() {
Ok(pid) => {
match signal::kill(Pid::from_raw(pid), Signal::SIGHUP) {
Ok(_) => {
// We do not want to check the netns when doing an update
// this is not working because podman does not enter the
// rootless netns for the update as we only change the file
// and send SIGHUP.
if !is_update {
self.check_netns(pid)
}
return Ok(());
}
Err(err) => {
// ESRCH == process does not exists
// start new sever below in that case and not error
if err != nix::errno::Errno::ESRCH {
return Err(NetavarkError::msg(format!(
"failed to send SIGHUP to aardvark: {err}"
)));
}
}
}
}
Err(err) => {
if !start {
return Err(NetavarkError::wrap("failed to get aardvark pid", err));
}
}
};
self.start_aardvark_server()?;
Ok(())
}
pub fn commit_entries(&self, entries: &[AardvarkEntry]) -> Result<()> {
// Acquire fs lock to ensure other instance of aardvark cannot commit
// or start aardvark instance till already running instance has not
// completed its `commit` phase.
let lockfile_path = Path::new(&self.config)
.join("..")
.join(AARDVARK_COMMIT_LOCK);
let lockfile = match OpenOptions::new()
.read(true)
.write(true)
.create(true)
.truncate(true)
.open(&lockfile_path)
{
Ok(file) => file,
Err(e) => {
return Err(std::io::Error::new(
std::io::ErrorKind::Other,
format!("Failed to open/create lockfile {:?}: {}", &lockfile_path, e),
));
}
};
if let Err(er) = lockfile.lock_exclusive() {
return Err(std::io::Error::new(
std::io::ErrorKind::Other,
format!("Failed to acquire exclusive lock on {lockfile_path:?}: {er}"),
));
}
for entry in entries {
let mut path = Path::new(&self.config).join(entry.network_name);
if entry.is_internal {
let new_path = Path::new(&self.config).join(entry.network_name.to_owned() + "%int");
let _ = std::fs::rename(&path, &new_path);
path = new_path;
}
let file = match OpenOptions::new().write(true).create_new(true).open(&path) {
Ok(mut f) => {
// collect gateway
let gws = entry
.network_gateways
.iter()
.map(|g| g.to_string())
.collect::<Vec<String>>()
.join(",");
// collect network dns servers if specified
let network_dns_servers =
if let Some(network_dns_servers) = &entry.network_dns_servers {
if !network_dns_servers.is_empty() {
let dns_server_collected = network_dns_servers
.iter()
.map(|g| g.to_string())
.collect::<Vec<String>>()
.join(",");
format!(" {dns_server_collected}")
} else {
"".to_string()
}
} else {
"".to_string()
};
let data = format!("{gws}{network_dns_servers}\n");
f.write_all(data.as_bytes())?; // return error if write fails
f
}
Err(ref e) if e.kind() == ErrorKind::AlreadyExists => {
OpenOptions::new().append(true).open(&path)?
}
Err(e) => {
return Err(e);
}
};
match Aardvark::commit_entry(entry, file) {
Err(er) => {
return Err(std::io::Error::new(
std::io::ErrorKind::Other,
format!("Failed to commit entry {entry:?}: {er}"),
));
}
Ok(_) => continue,
}
}
Ok(())
}
fn commit_entry(entry: &AardvarkEntry, mut file: File) -> Result<()> {
let container_names = entry.container_names.join(",");
let ipv4s = entry
.container_ips_v4
.iter()
.map(|g| g.to_string())
.collect::<Vec<String>>()
.join(",");
let ipv6s = entry
.container_ips_v6
.iter()
.map(|g| g.to_string())
.collect::<Vec<String>>()
.join(",");
let dns_server = if let Some(dns_servers) = &entry.container_dns_servers {
if !dns_servers.is_empty() {
let dns_server_collected = dns_servers
.iter()
.map(|g| g.to_string())
.collect::<Vec<String>>()
.join(",");
format!(" {dns_server_collected}")
} else {
"".to_string()
}
} else {
"".to_string()
};
let data = format!(
"{} {} {} {}{}\n",
entry.container_id, ipv4s, ipv6s, container_names, dns_server
);
file.write_all(data.as_bytes())?; // return error if write fails
Ok(())
}
pub fn commit_netavark_entries(&self, entries: Vec<AardvarkEntry>) -> NetavarkResult<()> {
if !entries.is_empty() {
self.commit_entries(&entries)?;
match self.notify(true, false) {
Ok(_) => (),
Err(e) => {
if let Err(err) = self.delete_from_netavark_entries(&entries) {
log::warn!(
"Failed to delete aardvark-dns entries after failed start: {err}"
);
};
return Err(e);
}
};
}
Ok(())
}
pub fn delete_entry(&self, container_id: &str, network_name: &str) -> Result<()> {
let mut path = Path::new(&self.config).join(network_name);
if !path.exists() {
path = Path::new(&self.config).join(network_name.to_owned() + "%int");
}
let file_content = fs::read_to_string(&path)?;
let lines: Vec<&str> = file_content.split_terminator('\n').collect();
let mut idx = 0;
let mut file = File::create(&path)?;
for line in lines {
if line.contains(container_id) {
continue;
}
file.write_all(line.as_bytes())?;
file.write_all(b"\n")?;
idx += 1;
}
// nothing left in file (only header), remove it
if idx <= 1 {
fs::remove_file(&path)?
}
Ok(())
}
// Modifies network dns_servers for a specific network and notifies aardvark-dns server
// with the change.
// Note: If no aardvark dns config exists for a network function will return success without
// doing anything, because `podman network update` is applicable for networks even when no
// container is attached to it.
pub fn modify_network_dns_servers(
&self,
network_name: &str,
network_dns_servers: &[String],
) -> NetavarkResult<()> {
let mut dns_servers_modified = false;
let path = Path::new(&self.config).join(network_name);
let file_content = match fs::read_to_string(&path) {
Ok(content) => content,
Err(error) => {
if error.kind() == std::io::ErrorKind::NotFound {
// Most likely `podman network update` was called
// but no container on the network is running hence
// no aardvark file is there in such case return success
// since podman database still got updated and it will be
// populated correctly for the next container.
return Ok(());
} else {
return Err(NetavarkError::Io(error));
}
}
};
let mut file = File::create(&path)?;
//for line in lines {
for (idx, line) in file_content.split_terminator('\n').enumerate() {
if idx == 0 {
// If this is first line, we have to modify this
// first line has a format of `<BINDIP>... <NETWORK_DNSSERVERS>..`
// We will read the first line and get the first column and
// override the second column with new network dns servers.
let network_parts = line.split(' ').collect::<Vec<&str>>();
if network_parts.is_empty() {
return Err(NetavarkError::msg(format!(
"invalid network configuration file: {}",
path.display()
)));
}
let network_dns_servers_collected = if !network_dns_servers.is_empty() {
dns_servers_modified = true;
let dns_server_collected = network_dns_servers
.iter()
.map(|g| g.to_string())
.collect::<Vec<String>>()
.join(",");
format!(" {dns_server_collected}")
} else {
"".to_string()
};
// Modify line to support new format
let content = format!("{}{}", network_parts[0], network_dns_servers_collected);
file.write_all(content.as_bytes())?;
} else {
file.write_all(line.as_bytes())?;
}
file.write_all(b"\n")?;
}
// If dns servers were updated notify the aardvark-dns server
// if refresh is needed.
if dns_servers_modified {
self.notify(false, true)?;
}
Ok(())
}
pub fn delete_from_netavark_entries(&self, entries: &[AardvarkEntry]) -> NetavarkResult<()> {
for entry in entries {
self.delete_entry(entry.container_id, entry.network_name)?;
}
self.notify(false, false)
}
}