k3s-io · brandond · Nov 21, 2022 · Nov 15, 2022 · Nov 15, 2022 · Nov 15, 2022
@@ -258,7 +258,11 @@ func Run(ctx context.Context, cfg cmds.Agent) error {
 	}
 
 	if cfg.Rootless && !cfg.RootlessAlreadyUnshared {
-		if err := rootless.Rootless(cfg.DataDir); err != nil {
+		dualNode, err := utilsnet.IsDualStackIPStrings(cfg.NodeIP)
+		if err != nil {
+			return err
+		}
+		if err := rootless.Rootless(cfg.DataDir, dualNode); err != nil {
 			return err
 		}
 	}

@@ -33,8 +33,8 @@ func Run(ctx *cli.Context) error {
 		return err
 	}
 
-	if os.Getuid() != 0 && runtime.GOOS != "windows" {
-		return fmt.Errorf("agent must be ran as root")
+	if runtime.GOOS != "windows" && os.Getuid() != 0 && !cmds.AgentConfig.Rootless {
+		return fmt.Errorf("agent must be run as root, or with --rootless")
 	}
 
 	if cmds.AgentConfig.TokenFile != "" {

@@ -71,7 +71,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	}
 
 	if !cfg.DisableAgent && os.Getuid() != 0 && !cfg.Rootless {
-		return fmt.Errorf("must run as root unless --disable-agent is specified")
+		return fmt.Errorf("server must run as root, or with --rootless and/or --disable-agent")
 	}
 
 	if cfg.Rootless {
@@ -81,7 +81,11 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 		}
 		cfg.DataDir = dataDir
 		if !cfg.DisableAgent {
-			if err := rootless.Rootless(dataDir); err != nil {
+			dualNode, err := utilsnet.IsDualStackIPStrings(cmds.AgentConfig.NodeIP)
+			if err != nil {
+				return err
+			}
+			if err := rootless.Rootless(dataDir, dualNode); err != nil {
 				return err
 			}
 		}

@@ -1,4 +1,5 @@
 //go:build !windows
+// +build !windows
 
 package rootless
 

@@ -0,0 +1,99 @@
+//go:build !windows
+// +build !windows
+
+package rootless
+
+import (
+	"io"
+	"path"
+	"strings"
+
+	"github.com/rootless-containers/rootlesskit/pkg/port"
+	portbuiltin "github.com/rootless-containers/rootlesskit/pkg/port/builtin"
+	portslirp4netns "github.com/rootless-containers/rootlesskit/pkg/port/slirp4netns"
+	"github.com/sirupsen/logrus"
+)
+
+type logrusDebugWriter struct {
+}
+
+func (w *logrusDebugWriter) Write(p []byte) (int, error) {
+	s := strings.TrimSuffix(string(p), "\n")
+	logrus.Debug(s)
+	return len(p), nil
+}
+
+type portDriver interface {
+	NewParentDriver() (port.ParentDriver, error)
+	NewChildDriver() port.ChildDriver
+	LogWriter() io.Writer
+	SetStateDir(string)
+	APISocketPath() string
+}
+
+type builtinDriver struct {
+	logWriter io.Writer
+	stateDir  string
+}
+
+func (b *builtinDriver) NewParentDriver() (port.ParentDriver, error) {
+	return portbuiltin.NewParentDriver(b.logWriter, b.stateDir)
+}
+
+func (b *builtinDriver) NewChildDriver() port.ChildDriver {
+	return portbuiltin.NewChildDriver(b.logWriter)
+}
+
+func (b *builtinDriver) LogWriter() io.Writer {
+	return b.logWriter
+}
+
+func (b *builtinDriver) SetStateDir(stateDir string) {
+	b.stateDir = stateDir
+}
+
+func (b *builtinDriver) APISocketPath() string {
+	return ""
+}
+
+type slirp4netnsDriver struct {
+	logWriter io.Writer
+	stateDir  string
+}
+
+func (s *slirp4netnsDriver) NewParentDriver() (port.ParentDriver, error) {
+	return portslirp4netns.NewParentDriver(s.logWriter, s.APISocketPath())
+}
+
+func (s *slirp4netnsDriver) NewChildDriver() port.ChildDriver {
+	return portslirp4netns.NewChildDriver()
+}
+
+func (s *slirp4netnsDriver) LogWriter() io.Writer {
+	return s.logWriter
+}
+
+func (s *slirp4netnsDriver) SetStateDir(stateDir string) {
+	s.stateDir = stateDir
+}
+
+func (s *slirp4netnsDriver) APISocketPath() string {
+	if s.stateDir != "" {
+		return path.Join(s.stateDir, ".s4nn.sock")
+	}
+	return ""
+}
+
+func getDriver(driverName string) portDriver {
+	logWriter := &logrusDebugWriter{}
+
+	if driverName == "slirp4netns" {
+		return &slirp4netnsDriver{logWriter: logWriter}
+	}
+
+	if driverName != "" && driverName != "builtin" {
+		logrus.Warnf("Unsupported port driver %s, using default builtin", driverName)
+	}
+
+	return &builtinDriver{logWriter: logWriter}
+}
@@ -17,7 +17,6 @@ import (
 	"github.com/rootless-containers/rootlesskit/pkg/copyup/tmpfssymlink"
 	"github.com/rootless-containers/rootlesskit/pkg/network/slirp4netns"
 	"github.com/rootless-containers/rootlesskit/pkg/parent"
-	portbuiltin "github.com/rootless-containers/rootlesskit/pkg/port/builtin"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
@@ -27,20 +26,28 @@ var (
 	childEnv           = "_K3S_ROOTLESS_SOCK"
 	evacuateCgroup2Env = "_K3S_ROOTLESS_EVACUATE_CGROUP2" // boolean
 	Sock               = ""
+
+	mtuEnv             = "K3S_ROOTLESS_MTU"
+	cidrEnv            = "K3S_ROOTLESS_CIDR"
+	enableIPv6Env      = "K3S_ROOTLESS_ENABLE_IPV6"
+	portDriverEnv      = "K3S_ROOTLESS_PORT_DRIVER"
+	disableLoopbackEnv = "K3S_ROOTLESS_DISABLE_HOST_LOOPBACK"
 )
 
-func Rootless(stateDir string) error {
+func Rootless(stateDir string, enableIPv6 bool) error {
 	defer func() {
 		os.Unsetenv(pipeFD)
 		os.Unsetenv(childEnv)
 	}()
 
 	hasFD := os.Getenv(pipeFD) != ""
 	hasChildEnv := os.Getenv(childEnv) != ""
+	rootlessDir := filepath.Join(stateDir, "rootless")
+	driver := getDriver(strings.ToLower(os.Getenv(portDriverEnv)))
 
 	if hasFD {
 		logrus.Debug("Running rootless child")
-		childOpt, err := createChildOpt()
+		childOpt, err := createChildOpt(driver)
 		if err != nil {
 			logrus.Fatal(err)
 		}
@@ -59,7 +66,7 @@ func Rootless(stateDir string) error {
 	if err := validateSysctl(); err != nil {
 		logrus.Fatal(err)
 	}
-	parentOpt, err := createParentOpt(filepath.Join(stateDir, "rootless"))
+	parentOpt, err := createParentOpt(driver, rootlessDir, enableIPv6)
 	if err != nil {
 		logrus.Fatal(err)
 	}
@@ -120,7 +127,7 @@ func parseCIDR(s string) (*net.IPNet, error) {
 	return ipnet, nil
 }
 
-func createParentOpt(stateDir string) (*parent.Opt, error) {
+func createParentOpt(driver portDriver, stateDir string, enableIPv6 bool) (*parent.Opt, error) {
 	if err := os.MkdirAll(stateDir, 0755); err != nil {
 		return nil, errors.Wrapf(err, "failed to mkdir %s", stateDir)
 	}
@@ -130,6 +137,8 @@ func createParentOpt(stateDir string) (*parent.Opt, error) {
 		return nil, err
 	}
 
+	driver.SetStateDir(stateDir)
+
 	opt := &parent.Opt{
 		StateDir:       stateDir,
 		CreatePIDNS:    true,
@@ -143,33 +152,61 @@ func createParentOpt(stateDir string) (*parent.Opt, error) {
 		return nil, err
 	}
 	if selfCgroup2 := selfCgroupMap[""]; selfCgroup2 == "" {
-		logrus.Warnf("enabling cgroup2 is highly recommended, see https://rootlesscontaine.rs/getting-started/common/cgroup2/")
+		logrus.Warnf("Enabling cgroup2 is highly recommended, see https://rootlesscontaine.rs/getting-started/common/cgroup2/")
 	} else {
 		selfCgroup2Dir := filepath.Join("/sys/fs/cgroup", selfCgroup2)
 		if unix.Access(selfCgroup2Dir, unix.W_OK) == nil {
 			opt.EvacuateCgroup2 = "k3s_evac"
 		} else {
-			logrus.Warn("cannot set cgroup2 evacuation, make sure to run k3s as a systemd unit")
+			logrus.Warn("Cannot set cgroup2 evacuation, make sure to run k3s as a systemd unit")
 		}
 	}
 
 	mtu := 0
-	ipnet, err := parseCIDR("10.41.0.0/16")
+	if val := os.Getenv(mtuEnv); val != "" {
+		if v, err := strconv.ParseInt(val, 10, 0); err != nil {
+			logrus.Warn("Failed to parse rootless mtu value; using default")
+		} else {
+			mtu = int(v)
+		}
+	}
+
+	disableHostLoopback := true
+	if val := os.Getenv(disableLoopbackEnv); val != "" {
+		if v, err := strconv.ParseBool(val); err != nil {
+			logrus.Warn("Failed to parse rootless disable-host-loopback value; using default")
+		} else {
+			disableHostLoopback = v
+		}
+	}
+
+	if val := os.Getenv(enableIPv6Env); val != "" {
+		if v, err := strconv.ParseBool(val); err != nil {
+			logrus.Warn("Failed to parse rootless enable-ipv6 value; using default")
+		} else {
+			enableIPv6 = v
+		}
+	}
+
+	cidr := "10.41.0.0/16"
+	if val := os.Getenv(cidrEnv); val != "" {
+		cidr = val
+	}
+
+	ipnet, err := parseCIDR(cidr)
 	if err != nil {
 		return nil, err
 	}
-	disableHostLoopback := true
 	binary := "slirp4netns"
 	if _, err := exec.LookPath(binary); err != nil {
 		return nil, err
 	}
-	debugWriter := &logrusDebugWriter{}
-	opt.NetworkDriver, err = slirp4netns.NewParentDriver(debugWriter, binary, mtu, ipnet, "tap0", disableHostLoopback, "", false, false, false)
+	opt.NetworkDriver, err = slirp4netns.NewParentDriver(driver.LogWriter(), binary, mtu, ipnet, "tap0", disableHostLoopback, driver.APISocketPath(), false, false, enableIPv6)
 	if err != nil {
 		return nil, err
 	}
 
-	opt.PortDriver, err = portbuiltin.NewParentDriver(debugWriter, stateDir)
+	opt.PortDriver, err = driver.NewParentDriver()
 	if err != nil {
 		return nil, err
 	}
@@ -179,21 +216,12 @@ func createParentOpt(stateDir string) (*parent.Opt, error) {
 	return opt, nil
 }
 
-type logrusDebugWriter struct {
-}
-
-func (w *logrusDebugWriter) Write(p []byte) (int, error) {
-	s := strings.TrimSuffix(string(p), "\n")
-	logrus.Debug(s)
-	return len(p), nil
-}
-
-func createChildOpt() (*child.Opt, error) {
+func createChildOpt(driver portDriver) (*child.Opt, error) {
 	opt := &child.Opt{}
 	opt.TargetCmd = os.Args
 	opt.PipeFDEnvKey = pipeFD
 	opt.NetworkDriver = slirp4netns.NewChildDriver()
-	opt.PortDriver = portbuiltin.NewChildDriver(&logrusDebugWriter{})
+	opt.PortDriver = driver.NewChildDriver()
 	opt.CopyUpDirs = []string{"/etc", "/var/run", "/run", "/var/lib"}
 	opt.CopyUpDriver = tmpfssymlink.NewChildDriver()
 	opt.MountProcfs = true

@@ -1,5 +1,5 @@
 package rootless
 
-func Rootless(stateDir string) error {
-	panic("Rootless not supported on windows")
+func Rootless(stateDir string, enableIPv6 bool) error {
+	panic("Rootless is not supported on windows")
 }