[v3.0] Add support for rootless network-aliases and static ip/mac

contrib/rootless-cni-infra/Containerfile

@@ -2,7 +2,7 @@ ARG GOLANG_VERSION=1.15
 ARG ALPINE_VERSION=3.12
 ARG CNI_VERSION=v0.8.0
 ARG CNI_PLUGINS_VERSION=v0.8.7
-ARG DNSNAME_VERSION=v1.0.0
+ARG DNSNAME_VERSION=v1.1.1
 
 FROM golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} AS golang-base
 RUN apk add --no-cache git
@@ -33,4 +33,4 @@ COPY rootless-cni-infra /usr/local/bin
 ENV CNI_PATH=/opt/cni/bin
 CMD ["sleep", "infinity"]
 
-ENV ROOTLESS_CNI_INFRA_VERSION=3
+ENV ROOTLESS_CNI_INFRA_VERSION=5

contrib/rootless-cni-infra/rootless-cni-infra

@@ -21,16 +21,19 @@ wait_unshare_net() {
 	done
 }
 
-# CLI subcommand: "alloc $CONTAINER_ID $NETWORK_NAME $POD_NAME"
+# CLI subcommand: "alloc $CONTAINER_ID $NETWORK_NAME $POD_NAME $IP $MAC $CAP_ARGS"
 cmd_entrypoint_alloc() {
-	if [ "$#" -ne 3 ]; then
-		echo >&2 "Usage: $ARG0 alloc CONTAINER_ID NETWORK_NAME POD_NAME"
+	if [ "$#" -ne 6 ]; then
+		echo >&2 "Usage: $ARG0 alloc CONTAINER_ID NETWORK_NAME POD_NAME IP MAC CAP_ARGS"
 		exit 1
 	fi
 
 	ID="$1"
 	NET="$2"
 	K8S_POD_NAME="$3"
+	IP="$4"
+	MAC="$5"
+	CAP_ARGS="$6"
 
 	dir="${BASE}/${ID}"
 	mkdir -p "${dir}/attached" "${dir}/attached-args"
@@ -46,9 +49,18 @@ cmd_entrypoint_alloc() {
 		nsenter -t "${pid}" -n ip link set lo up
 	fi
 	CNI_ARGS="IgnoreUnknown=1;K8S_POD_NAME=${K8S_POD_NAME}"
+	if [ "$IP" ]; then
+		CNI_ARGS="$CNI_ARGS;IP=${IP}"
+	fi
+	if [ "$MAC" ]; then
+		CNI_ARGS="$CNI_ARGS;MAC=${MAC}"
+	fi
+	if [ "$CAP_ARGS" ]; then
+		CAP_ARGS="$CAP_ARGS"
+	fi
 	nwcount=$(find "${dir}/attached" -type f | wc -l)
 	CNI_IFNAME="eth${nwcount}"
-	export CNI_ARGS CNI_IFNAME
+	export CNI_ARGS CNI_IFNAME CAP_ARGS
 	cnitool add "${NET}" "/proc/${pid}/ns/net" >"${dir}/attached/${NET}"
 	echo "${CNI_ARGS}" >"${dir}/attached-args/${NET}"
 

libpod/rootless_cni_linux.go

@@ -25,7 +25,7 @@ import (
 
 // Built from ../contrib/rootless-cni-infra.
 var rootlessCNIInfraImage = map[string]string{
-	"amd64": "quay.io/libpod/rootless-cni-infra@sha256:304742d5d221211df4ec672807a5842ff11e3729c50bc424ea0cea858f69d7b7", // 3-amd64
+	"amd64": "quay.io/libpod/rootless-cni-infra@sha256:adf352454666f7ce9ca3e1098448b5ee18f89c4516471ec99447ec9ece917f36", // 5-amd64
 }
 
 const (
@@ -58,9 +58,33 @@ func AllocRootlessCNI(ctx context.Context, c *Container) (ns.NetNS, []*cnitypes.
 		return nil, nil, err
 	}
 	k8sPodName := getCNIPodName(c) // passed to CNI as K8S_POD_NAME
+	ip := ""
+	if c.config.StaticIP != nil {
+		ip = c.config.StaticIP.String()
+	}
+	mac := ""
+	if c.config.StaticMAC != nil {
+		mac = c.config.StaticMAC.String()
+	}
+	aliases, err := c.runtime.state.GetAllNetworkAliases(c)
+	if err != nil {
+		return nil, nil, err
+	}
+	capArgs := ""
+	// add network aliases json encoded as capabilityArgs for cni
+	if len(aliases) > 0 {
+		capabilityArgs := make(map[string]interface{})
+		capabilityArgs["aliases"] = aliases
+		b, err := json.Marshal(capabilityArgs)
+		if err != nil {
+			return nil, nil, err
+		}
+		capArgs = string(b)
+	}
+
 	cniResults := make([]*cnitypes.Result, len(networks))
 	for i, nw := range networks {
-		cniRes, err := rootlessCNIInfraCallAlloc(infra, c.ID(), nw, k8sPodName)
+		cniRes, err := rootlessCNIInfraCallAlloc(infra, c.ID(), nw, k8sPodName, ip, mac, capArgs)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -137,11 +161,11 @@ func getCNIPodName(c *Container) string {
 	return c.Name()
 }
 
-func rootlessCNIInfraCallAlloc(infra *Container, id, nw, k8sPodName string) (*cnitypes.Result, error) {
-	logrus.Debugf("rootless CNI: alloc %q, %q, %q", id, nw, k8sPodName)
+func rootlessCNIInfraCallAlloc(infra *Container, id, nw, k8sPodName, ip, mac, capArgs string) (*cnitypes.Result, error) {
+	logrus.Debugf("rootless CNI: alloc %q, %q, %q, %q, %q, %q", id, nw, k8sPodName, ip, mac, capArgs)
 	var err error
 
-	_, err = rootlessCNIInfraExec(infra, "alloc", id, nw, k8sPodName)
+	_, err = rootlessCNIInfraExec(infra, "alloc", id, nw, k8sPodName, ip, mac, capArgs)
 	if err != nil {
 		return nil, err
 	}

pkg/specgen/container_validate.go

@@ -30,7 +30,7 @@ func exclusiveOptions(opt1, opt2 string) error {
 // input for creating a container.
 func (s *SpecGenerator) Validate() error {
 
-	if rootless.IsRootless() {
+	if rootless.IsRootless() && len(s.CNINetworks) == 0 {
 		if s.StaticIP != nil || s.StaticIPv6 != nil {
 			return ErrNoStaticIPRootless
 		}

pkg/specgen/pod_validate.go

@@ -20,7 +20,7 @@ func exclusivePodOptions(opt1, opt2 string) error {
 // Validate verifies the input is valid
 func (p *PodSpecGenerator) Validate() error {
 
-	if rootless.IsRootless() {
+	if rootless.IsRootless() && len(p.CNINetworks) == 0 {
 		if p.StaticIP != nil {
 			return ErrNoStaticIPRootless
 		}

test/e2e/create_staticip_test.go

@@ -49,7 +49,7 @@ var _ = Describe("Podman create with --ip flag", func() {
 	})
 
 	It("Podman create --ip with non-allocatable IP", func() {
-		SkipIfRootless("--ip is not supported in rootless mode")
+		SkipIfRootless("--ip not supported without network in rootless mode")
 		result := podmanTest.Podman([]string{"create", "--name", "test", "--ip", "203.0.113.124", ALPINE, "ls"})
 		result.WaitWithDefaultTimeout()
 		Expect(result.ExitCode()).To(Equal(0))
@@ -63,7 +63,7 @@ var _ = Describe("Podman create with --ip flag", func() {
 		ip := GetRandomIPAddress()
 		result := podmanTest.Podman([]string{"create", "--name", "test", "--ip", ip, ALPINE, "ip", "addr"})
 		result.WaitWithDefaultTimeout()
-		// Rootless static ip assignment should error
+		// Rootless static ip assignment without network should error
 		if rootless.IsRootless() {
 			Expect(result.ExitCode()).To(Equal(125))
 		} else {
@@ -81,7 +81,7 @@ var _ = Describe("Podman create with --ip flag", func() {
 	})
 
 	It("Podman create two containers with the same IP", func() {
-		SkipIfRootless("--ip not supported in rootless mode")
+		SkipIfRootless("--ip not supported without network in rootless mode")
 		ip := GetRandomIPAddress()
 		result := podmanTest.Podman([]string{"create", "--name", "test1", "--ip", ip, ALPINE, "sleep", "999"})
 		result.WaitWithDefaultTimeout()

test/e2e/create_staticmac_test.go

@@ -56,11 +56,7 @@ var _ = Describe("Podman run with --mac-address flag", func() {
 
 		result := podmanTest.Podman([]string{"run", "--network", net, "--mac-address", "92:d0:c6:00:29:34", ALPINE, "ip", "addr"})
 		result.WaitWithDefaultTimeout()
-		if rootless.IsRootless() {
-			Expect(result.ExitCode()).To(Equal(125))
-		} else {
-			Expect(result.ExitCode()).To(Equal(0))
-			Expect(result.OutputToString()).To(ContainSubstring("92:d0:c6:00:29:34"))
-		}
+		Expect(result.ExitCode()).To(Equal(0))
+		Expect(result.OutputToString()).To(ContainSubstring("92:d0:c6:00:29:34"))
 	})
 })

test/e2e/create_test.go

@@ -553,7 +553,7 @@ var _ = Describe("Podman create", func() {
 	})
 
 	It("create container in pod with IP should fail", func() {
-		SkipIfRootless("Setting IP not supported in rootless mode")
+		SkipIfRootless("Setting IP not supported in rootless mode without network")
 		name := "createwithstaticip"
 		pod := podmanTest.RunTopContainerInPod("", "new:"+name)
 		pod.WaitWithDefaultTimeout()
@@ -565,7 +565,7 @@ var _ = Describe("Podman create", func() {
 	})
 
 	It("create container in pod with mac should fail", func() {
-		SkipIfRootless("Setting MAC Address not supported in rootless mode")
+		SkipIfRootless("Setting MAC Address not supported in rootless mode without network")
 		name := "createwithstaticmac"
 		pod := podmanTest.RunTopContainerInPod("", "new:"+name)
 		pod.WaitWithDefaultTimeout()

test/e2e/network_test.go

@@ -408,7 +408,6 @@ var _ = Describe("Podman network", func() {
 		Expect(lines[1]).To(Equal(netName2))
 	})
 	It("podman network with multiple aliases", func() {
-		Skip("Until DNSName is updated on our CI images")
 		var worked bool
 		netName := "aliasTest" + stringid.GenerateNonCryptoID()
 		session := podmanTest.Podman([]string{"network", "create", netName})

test/e2e/pod_create_test.go

@@ -233,7 +233,7 @@ var _ = Describe("Podman pod create", func() {
 		ip := GetRandomIPAddress()
 		podCreate := podmanTest.Podman([]string{"pod", "create", "--ip", ip, "--name", name})
 		podCreate.WaitWithDefaultTimeout()
-		// Rootless should error
+		// Rootless should error without network
 		if rootless.IsRootless() {
 			Expect(podCreate.ExitCode()).To(Equal(125))
 		} else {
@@ -246,7 +246,7 @@ var _ = Describe("Podman pod create", func() {
 	})
 
 	It("podman container in pod with IP address shares IP address", func() {
-		SkipIfRootless("Rootless does not support --ip")
+		SkipIfRootless("Rootless does not support --ip without network")
 		podName := "test"
 		ctrName := "testCtr"
 		ip := GetRandomIPAddress()

test/e2e/pod_inspect_test.go

@@ -101,7 +101,7 @@ var _ = Describe("Podman pod inspect", func() {
 	})
 
 	It("podman pod inspect outputs show correct MAC", func() {
-		SkipIfRootless("--mac-address is not supported in rootless mode")
+		SkipIfRootless("--mac-address is not supported in rootless mode without network")
 		podName := "testPod"
 		macAddr := "42:43:44:00:00:01"
 		create := podmanTest.Podman([]string{"pod", "create", "--name", podName, "--mac-address", macAddr})

test/e2e/run_networking_test.go

@@ -621,7 +621,6 @@ var _ = Describe("Podman run networking", func() {
 	})
 
 	It("podman run in custom CNI network with --static-ip", func() {
-		SkipIfRootless("Rootless mode does not support --ip")
 		netName := stringid.GenerateNonCryptoID()
 		ipAddr := "10.25.30.128"
 		create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.30.0/24", netName})
@@ -633,10 +632,6 @@ var _ = Describe("Podman run networking", func() {
 		run.WaitWithDefaultTimeout()
 		Expect(run.ExitCode()).To(BeZero())
 		Expect(run.OutputToString()).To(ContainSubstring(ipAddr))
-
-		create = podmanTest.Podman([]string{"network", "rm", netName})
-		create.WaitWithDefaultTimeout()
-		Expect(create.ExitCode()).To(BeZero())
 	})
 
 	It("podman rootless fails custom CNI network with --uidmap", func() {
@@ -658,7 +653,6 @@ var _ = Describe("Podman run networking", func() {
 	})
 
 	It("podman run with new:pod and static-ip", func() {
-		SkipIfRootless("Rootless does not support --ip")
 		netName := stringid.GenerateNonCryptoID()
 		ipAddr := "10.25.40.128"
 		podname := "testpod"

test/e2e/run_staticip_test.go

@@ -19,7 +19,7 @@ var _ = Describe("Podman run with --ip flag", func() {
 	)
 
 	BeforeEach(func() {
-		SkipIfRootless("rootless does not support --ip")
+		SkipIfRootless("rootless does not support --ip without network")
 		tempdir, err = CreateTempDirInTempDir()
 		if err != nil {
 			os.Exit(1)