containerdexecutor: add network namespace callback

In order to support identity mapping and user namespaces, the Moby project needs to defer the creation of a container's network namespace to the runtime and hook into the container lifecycle to configure the network namespace before the user binary is started. The standard way to do so is by configuring a `createRuntime` OCI lifecycle hook, in which the OCI runtime executes a specified process in the runtime environment after the container has been created and before it is started. In the case of Moby the network namespace needs to be configured from the daemon process, which necessitates that the hook process communicate with the daemon process. This is complicated and slow. All the hook process does is inform the daemon of the container's PID and wait until the daemon has finished applying the network namespace configuration. There is an alternative to the `createRuntime` OCI hook which containerd clients can take advantage of. The `container.NewTask` method is directly analogous to the OCI create operation, and the `task.Start` method is directly analogous to the OCI start operation. Any operations performed between the `NewTask` and `Start` calls are therefore directly analogous to `createRuntime` OCI hooks, without needing to execute any external processes! Provide a mechanism for network.Namespace instances to register a callback function which can be used to configure a container's network namespace instead of, or in addition to, `createRuntime` OCI hooks. Signed-off-by: Cory Snider <[email protected]>
tonistiigi · Dec 9, 2022 · b5fdf90 · b5fdf90
1 parent 14fa4f2
commit b5fdf90
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/executor/containerdexecutor/executor.go b/executor/containerdexecutor/executor.go
@@ -45,6 +45,19 @@ type containerdExecutor struct {
 	rootless         bool
 }
 
+// OnCreateRuntimer provides an alternative to OCI hooks for applying network
+// configuration to a container. If the [network.Provider] returns a
+// [network.Namespace] which also implements this interface, the containerd
+// executor will run the callback at the appropriate point in the container
+// lifecycle.
+type OnCreateRuntimer interface {
+	// OnCreateRuntime is analogous to the createRuntime OCI hook. The
+	// function is called after the container is created, before the user
+	// process has been executed. The argument is the container PID in the
+	// runtime namespace.
+	OnCreateRuntime(pid uint32) error
+}
+
 // New creates a new executor backed by connection to containerd API
 func New(client *containerd.Client, root, cgroup string, networkProviders map[pb.NetMode]network.Provider, dnsConfig *oci.DNSConfig, apparmorProfile string, selinux bool, traceSocket string, rootless bool) executor.Executor {
 	// clean up old hosts/resolv.conf file. ignore errors
@@ -210,6 +223,12 @@ func (w *containerdExecutor) Run(ctx context.Context, id string, root executor.M
 		}
 	}()
 
+	if nn, ok := namespace.(OnCreateRuntimer); ok {
+		if err := nn.OnCreateRuntime(task.Pid()); err != nil {
+			return err
+		}
+	}
+
 	trace.SpanFromContext(ctx).AddEvent("Container created")
 	err = w.runProcess(ctx, task, process.Resize, process.Signal, func() {
 		startedOnce.Do(func() {