Add support for Linux Network Devices

Implement support for passing Linux Network Devices to the container
network namespace.

The network device is passed during the creation of the container,
before the process is started.

It implements the logic defined in the OCI runtime specification.

Change-Id: I1306a783b84ead7b03eea679941bd4db9dc1e353
Signed-off-by: Antonio Ojea <[email protected]>

Author: aojea

features.go

@@ -63,6 +63,9 @@ var featuresCommand = cli.Command{
 						Enabled: &t,
 					},
 				},
+				NetDevices: &features.NetDevices{
+					Enabled: &t,
+				},
 			},
 			PotentiallyUnsafeConfigAnnotations: []string{
 				"bundle",

libcontainer/configs/config.go

@@ -115,6 +115,9 @@ type Config struct {
 	// The device nodes that should be automatically created within the container upon container start.  Note, make sure that the node is marked as allowed in the cgroup as well!
 	Devices []*devices.Device `json:"devices"`
 
+	// NetDevices are key-value pairs, keyed by network device name, moved to the container's network namespace.
+	NetDevices map[string]*LinuxNetDevice `json:"netDevices"`
+
 	MountLabel string `json:"mount_label"`
 
 	// Hostname optionally sets the container's hostname if provided

libcontainer/configs/netdevices.go

@@ -0,0 +1,13 @@
+package configs
+
+// LinuxNetDevice represents a single network device to be added to the container's network namespace
+type LinuxNetDevice struct {
+	// Name of the device in the container namespace
+	Name string `json:"name,omitempty"`
+	// Address is the IP address and Prefix in the container namespace in CIDR fornat
+	Addresses []string `json:"addresses,omitempty"`
+	// HardwareAddres represents a physical hardware address.
+	HardwareAddress string `json:"hardwareAddress,omitempty"`
+	// MTU Maximum Transfer Unit of the network device in the container namespace
+	MTU uint32 `json:"mtu,omitempty"`
+}

libcontainer/configs/validate/validator.go

@@ -3,6 +3,8 @@ package validate
 import (
 	"errors"
 	"fmt"
+	"net"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"strings"
@@ -24,6 +26,7 @@ func Validate(config *configs.Config) error {
 		cgroupsCheck,
 		rootfs,
 		network,
+		netdevices,
 		uts,
 		security,
 		namespaces,
@@ -70,6 +73,58 @@ func rootfs(config *configs.Config) error {
 	return nil
 }
 
+// https://elixir.bootlin.com/linux/v6.12/source/net/core/dev.c#L1066
+func devValidName(name string) bool {
+	if len(name) == 0 || len(name) > unix.IFNAMSIZ {
+		return false
+	}
+	if (name == ".") || (name == "..") {
+		return false
+	}
+	if strings.Contains(name, "/") || strings.Contains(name, ":") || strings.Contains(name, " ") {
+		return false
+	}
+	return true
+}
+
+func netdevices(config *configs.Config) error {
+	if len(config.NetDevices) == 0 {
+		return nil
+	}
+	if !config.Namespaces.Contains(configs.NEWNET) {
+		return errors.New("unable to move network devices without a private NET namespace")
+	}
+	path := config.Namespaces.PathOf(configs.NEWNET)
+	if path == "" {
+		return errors.New("unable to move network devices without a private NET namespace")
+	}
+	if config.RootlessEUID || config.RootlessCgroups {
+		return errors.New("network devices are not supported for rootless containers")
+	}
+
+	for name, netdev := range config.NetDevices {
+		if !devValidName(name) {
+			return fmt.Errorf("invalid network device name %q", name)
+		}
+		if netdev.Name != "" {
+			if !devValidName(netdev.Name) {
+				return fmt.Errorf("invalid network device name %q", netdev.Name)
+			}
+		}
+		for _, address := range netdev.Addresses {
+			if _, err := netip.ParsePrefix(address); err != nil {
+				return fmt.Errorf("invalid network IP address %q", address)
+			}
+		}
+		if netdev.HardwareAddress != "" {
+			if _, err := net.ParseMAC(netdev.HardwareAddress); err != nil {
+				return fmt.Errorf("invalid hardware address %q", netdev.HardwareAddress)
+			}
+		}
+	}
+	return nil
+}
+
 func network(config *configs.Config) error {
 	if !config.Namespaces.Contains(configs.NEWNET) {
 		if len(config.Networks) > 0 || len(config.Routes) > 0 {

libcontainer/configs/validate/validator_test.go

@@ -871,3 +871,174 @@ func TestValidateIOPriority(t *testing.T) {
 		}
 	}
 }
+
+func TestValidateNetDevices(t *testing.T) {
+	testCases := []struct {
+		name   string
+		isErr  bool
+		config *configs.Config
+	}{
+		{
+			name: "network device",
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {},
+				},
+			},
+		},
+		{
+			name: "network device rename",
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {
+						Name:            "c0",
+						Addresses:       []string{"192.168.2.34/24", "2001:db8::2/64"},
+						HardwareAddress: "82:06:8c:49:7a:4a",
+						MTU:             1500,
+					},
+				},
+			},
+		},
+		{
+			name:  "network device host network",
+			isErr: true,
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{},
+				),
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {},
+				},
+			},
+		},
+		{
+			name:  "network device rootless",
+			isErr: true,
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				RootlessEUID: true,
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {},
+				},
+			},
+		},
+		{
+			name:  "network device rootless",
+			isErr: true,
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				RootlessCgroups: true,
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {},
+				},
+			},
+		},
+		{
+			name:  "network device bad name",
+			isErr: true,
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {
+						Name: "eth0/",
+					},
+				},
+			},
+		},
+		{
+			name:  "network device wrong ip",
+			isErr: true,
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {
+						Name:      "eth0",
+						Addresses: []string{"wrongip"},
+					},
+				},
+			},
+		},
+		{
+			name:  "network device wrong mac",
+			isErr: true,
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {
+						Name:            "eth0",
+						Addresses:       []string{"192.168.1.1/24"},
+						HardwareAddress: "wrongmac!",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			config := tc.config
+			config.Rootfs = "/var"
+
+			err := Validate(config)
+			if tc.isErr && err == nil {
+				t.Error("expected error, got nil")
+			}
+
+			if !tc.isErr && err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}

libcontainer/factory_linux.go

@@ -91,6 +91,18 @@ func Create(root, id string, config *configs.Config) (*Container, error) {
 	if err := os.Mkdir(stateDir, 0o711); err != nil {
 		return nil, err
 	}
+
+	// move the specified devices to the container network namespace
+	nsPath := config.Namespaces.PathOf(configs.NEWNET)
+	if nsPath != "" {
+		for name, netDevice := range config.NetDevices {
+			err := netnsAttach(name, nsPath, *netDevice)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
 	c := &Container{
 		id:              id,
 		stateDir:        stateDir,