diff --git a/README.md b/README.md
index 35e2fd1..54e4ef5 100644
--- a/README.md
+++ b/README.md
@@ -113,6 +113,29 @@ mounts = [
]
```
+## Networking
+
+`nomad-driver-containerd` supports **host** and **bridge** networks.
+
+**NOTE:** `host` and `bridge` are mutually exclusive options, and only one of them should be used at a time.
+
+1. **Host** network can be enabled by setting `host_network` to `true` in task config
+of the job spec [Check under [`Supported options`](https://github.com/Roblox/nomad-driver-containerd#supported-options)].
+
+2. **Bridge** network can be enabled by setting the `network` stanza in the task group section of the job spec.
+
+```
+network {
+ mode = "bridge"
+}
+```
+You need to install CNI plugins on nomad client nodes under `/opt/cni/bin` before you can use `bridge` networks.
+
+ **Instructions for installing CNI plugins.**
+ - $ curl -L -o cni-plugins.tgz https://github.com/containernetworking/plugins/releases/download/v0.8.1/cni-plugins-linux-amd64-v0.8.1.tgz
+ - sudo mkdir -p /opt/cni/bin
+ - sudo tar -C /opt/cni/bin -xzf cni-plugins.tgz
+
## Tests
```
$ make test
@@ -140,11 +163,9 @@ Ubuntu (>= 16.04)
`nomad-driver-containerd` [`v0.1`](https://github.com/Roblox/nomad-driver-containerd/releases/tag/v0.1) is **not** production ready.
There are some open items which are currently being worked on.
-1) **Networking**: Networking is **not in scope** of containerd as described [`here`](https://kubernetes.io/blog/2017/11/containerd-container-runtime-options-kubernetes/). However an external CNI plugin can be used to add networking to the container. We are researching on how to enable networking for our internal use-cases, and would publish (open-source) that work at some point.
+1) **Port forwarding**: The ability to map a host port to a container port. This is currently not supported, but could be supported in future.
-2) **Port forwarding**: The ability to map a host port to a container port. This is currently not supported, but could be supported in future.
-
-3) **Consul connect**: When a user launches a job in `nomad`, s/he can add a [`service stanza`](https://www.nomadproject.io/docs/job-specification/service) which will instruct `nomad` to register the service with `consul` for service discovery. This is currently not supported.
+2) **Consul connect**: When a user launches a job in `nomad`, s/he can add a [`service stanza`](https://www.nomadproject.io/docs/job-specification/service) which will instruct `nomad` to register the service with `consul` for service discovery. This is currently not supported.
## License
diff --git a/containerd/containerd.go b/containerd/containerd.go
index 1a54b6b..7181010 100644
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@@ -41,7 +41,7 @@ func (d *Driver) pullImage(imageName string) (containerd.Image, error) {
return d.client.Pull(d.ctxContainerd, imageName, containerd.WithPullUnpack)
}
-func (d *Driver) createContainer(image containerd.Image, containerName, containerSnapshotName, containerdRuntime string, env []string, config *TaskConfig) (containerd.Container, error) {
+func (d *Driver) createContainer(image containerd.Image, containerName, containerSnapshotName, containerdRuntime, netnsPath string, env []string, config *TaskConfig) (containerd.Container, error) {
if config.Command == "" && len(config.Args) > 0 {
return nil, fmt.Errorf("Command is empty. Cannot set --args without --command.")
}
@@ -123,6 +123,16 @@ func (d *Driver) createContainer(image containerd.Image, containerName, containe
opts = append(opts, oci.WithMounts(mounts))
}
+ // nomad use CNI plugins e.g bridge to setup a network (and network namespace) for the container.
+ // CNI plugins need to be installed under /opt/cni/bin.
+ // network namespace is created at /var/run/netns/.
+ // netnsPath is the path to the network namespace, which containerd joins to provide network
+ // for the container.
+ // NOTE: Only bridge networking mode is supported at this point.
+ if netnsPath != "" {
+ opts = append(opts, oci.WithLinuxNamespace(specs.LinuxNamespace{Type: specs.NetworkNamespace, Path: netnsPath}))
+ }
+
return d.client.NewContainer(
d.ctxContainerd,
containerName,
diff --git a/containerd/driver.go b/containerd/driver.go
index f14a95a..d50294d 100644
--- a/containerd/driver.go
+++ b/containerd/driver.go
@@ -110,9 +110,10 @@ var (
// this should be set according to the target run time.
// https://godoc.org/github.com/hashicorp/nomad/plugins/drivers#Capabilities
capabilities = &drivers.Capabilities{
- SendSignals: true,
- Exec: true,
- FSIsolation: drivers.FSIsolationNone,
+ SendSignals: true,
+ Exec: true,
+ FSIsolation: drivers.FSIsolationNone,
+ NetIsolationModes: []drivers.NetIsolationMode{drivers.NetIsolationModeGroup, drivers.NetIsolationModeTask},
}
)
@@ -333,6 +334,10 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
return nil, nil, fmt.Errorf("failed to decode driver config: %v", err)
}
+ if driverConfig.HostNetwork && cfg.NetworkIsolation != nil {
+ return nil, nil, fmt.Errorf("host_network and bridge network mode are mutually exclusive, and only one of them should be set")
+ }
+
d.logger.Info("starting task", "driver_cfg", hclog.Fmt("%+v", driverConfig))
handle := drivers.NewTaskHandle(taskHandleVersion)
handle.Config = cfg
@@ -355,13 +360,17 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
}
containerSnapshotName := fmt.Sprintf("%s-snapshot", containerName)
- container, err := d.createContainer(image, containerName, containerSnapshotName, d.config.ContainerdRuntime, env, &driverConfig)
+ var netnsPath string
+ if cfg.NetworkIsolation != nil && cfg.NetworkIsolation.Path != "" {
+ netnsPath = cfg.NetworkIsolation.Path
+ }
+
+ container, err := d.createContainer(image, containerName, containerSnapshotName, d.config.ContainerdRuntime, netnsPath, env, &driverConfig)
if err != nil {
return nil, nil, fmt.Errorf("Error in creating container: %v", err)
}
d.logger.Info(fmt.Sprintf("Successfully created container with name: %s", containerName))
-
task, err := d.createTask(container, cfg.StdoutPath, cfg.StderrPath)
if err != nil {
return nil, nil, fmt.Errorf("Error in creating task: %v", err)