From c872343d457f2168e771b4242f71c5f8fa8891bf Mon Sep 17 00:00:00 2001 From: Shishir Mahajan Date: Tue, 25 Aug 2020 15:59:05 -0700 Subject: [PATCH 1/4] Add support for networking. --- containerd/containerd.go | 6 +++++- containerd/driver.go | 19 ++++++++++++++----- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/containerd/containerd.go b/containerd/containerd.go index 1a54b6b..66ee143 100644 --- a/containerd/containerd.go +++ b/containerd/containerd.go @@ -41,7 +41,7 @@ func (d *Driver) pullImage(imageName string) (containerd.Image, error) { return d.client.Pull(d.ctxContainerd, imageName, containerd.WithPullUnpack) } -func (d *Driver) createContainer(image containerd.Image, containerName, containerSnapshotName, containerdRuntime string, env []string, config *TaskConfig) (containerd.Container, error) { +func (d *Driver) createContainer(image containerd.Image, containerName, containerSnapshotName, containerdRuntime, networkNamespacePath string, env []string, config *TaskConfig) (containerd.Container, error) { if config.Command == "" && len(config.Args) > 0 { return nil, fmt.Errorf("Command is empty. Cannot set --args without --command.") } @@ -123,6 +123,10 @@ func (d *Driver) createContainer(image containerd.Image, containerName, containe opts = append(opts, oci.WithMounts(mounts)) } + if networkNamespacePath != "" { + opts = append(opts, oci.WithLinuxNamespace(specs.LinuxNamespace{Type: specs.NetworkNamespace, Path: networkNamespacePath})) + } + return d.client.NewContainer( d.ctxContainerd, containerName, diff --git a/containerd/driver.go b/containerd/driver.go index f14a95a..8c95dda 100644 --- a/containerd/driver.go +++ b/containerd/driver.go @@ -110,9 +110,10 @@ var ( // this should be set according to the target run time. // https://godoc.org/github.com/hashicorp/nomad/plugins/drivers#Capabilities capabilities = &drivers.Capabilities{ - SendSignals: true, - Exec: true, - FSIsolation: drivers.FSIsolationNone, + SendSignals: true, + Exec: true, + FSIsolation: drivers.FSIsolationNone, + NetIsolationModes: []drivers.NetIsolationMode{drivers.NetIsolationModeGroup, drivers.NetIsolationModeTask}, } ) @@ -333,6 +334,10 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive return nil, nil, fmt.Errorf("failed to decode driver config: %v", err) } + if driverConfig.HostNetwork && cfg.NetworkIsolation != nil { + return nil, nil, fmt.Errorf("host_network and bridge network mode are mutually exclusive, and only one of them should be set") + } + d.logger.Info("starting task", "driver_cfg", hclog.Fmt("%+v", driverConfig)) handle := drivers.NewTaskHandle(taskHandleVersion) handle.Config = cfg @@ -355,13 +360,17 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive } containerSnapshotName := fmt.Sprintf("%s-snapshot", containerName) - container, err := d.createContainer(image, containerName, containerSnapshotName, d.config.ContainerdRuntime, env, &driverConfig) + var networkNamespacePath string + if cfg.NetworkIsolation != nil && cfg.NetworkIsolation.Path != "" { + networkNamespacePath = cfg.NetworkIsolation.Path + } + + container, err := d.createContainer(image, containerName, containerSnapshotName, d.config.ContainerdRuntime, networkNamespacePath, env, &driverConfig) if err != nil { return nil, nil, fmt.Errorf("Error in creating container: %v", err) } d.logger.Info(fmt.Sprintf("Successfully created container with name: %s", containerName)) - task, err := d.createTask(container, cfg.StdoutPath, cfg.StderrPath) if err != nil { return nil, nil, fmt.Errorf("Error in creating task: %v", err) From d02f35f2d53170eeba4c9021d59038338831e1dc Mon Sep 17 00:00:00 2001 From: Shishir Mahajan Date: Wed, 26 Aug 2020 14:55:14 -0700 Subject: [PATCH 2/4] Updates. --- containerd/containerd.go | 6 +++--- containerd/driver.go | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/containerd/containerd.go b/containerd/containerd.go index 66ee143..d76ee52 100644 --- a/containerd/containerd.go +++ b/containerd/containerd.go @@ -41,7 +41,7 @@ func (d *Driver) pullImage(imageName string) (containerd.Image, error) { return d.client.Pull(d.ctxContainerd, imageName, containerd.WithPullUnpack) } -func (d *Driver) createContainer(image containerd.Image, containerName, containerSnapshotName, containerdRuntime, networkNamespacePath string, env []string, config *TaskConfig) (containerd.Container, error) { +func (d *Driver) createContainer(image containerd.Image, containerName, containerSnapshotName, containerdRuntime, netnsPath string, env []string, config *TaskConfig) (containerd.Container, error) { if config.Command == "" && len(config.Args) > 0 { return nil, fmt.Errorf("Command is empty. Cannot set --args without --command.") } @@ -123,8 +123,8 @@ func (d *Driver) createContainer(image containerd.Image, containerName, containe opts = append(opts, oci.WithMounts(mounts)) } - if networkNamespacePath != "" { - opts = append(opts, oci.WithLinuxNamespace(specs.LinuxNamespace{Type: specs.NetworkNamespace, Path: networkNamespacePath})) + if netnsPath != "" { + opts = append(opts, oci.WithLinuxNamespace(specs.LinuxNamespace{Type: specs.NetworkNamespace, Path: netnsPath})) } return d.client.NewContainer( diff --git a/containerd/driver.go b/containerd/driver.go index 8c95dda..d50294d 100644 --- a/containerd/driver.go +++ b/containerd/driver.go @@ -360,12 +360,12 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive } containerSnapshotName := fmt.Sprintf("%s-snapshot", containerName) - var networkNamespacePath string + var netnsPath string if cfg.NetworkIsolation != nil && cfg.NetworkIsolation.Path != "" { - networkNamespacePath = cfg.NetworkIsolation.Path + netnsPath = cfg.NetworkIsolation.Path } - container, err := d.createContainer(image, containerName, containerSnapshotName, d.config.ContainerdRuntime, networkNamespacePath, env, &driverConfig) + container, err := d.createContainer(image, containerName, containerSnapshotName, d.config.ContainerdRuntime, netnsPath, env, &driverConfig) if err != nil { return nil, nil, fmt.Errorf("Error in creating container: %v", err) } From 6167229b310e1e2d3c5ef0c88130aa1cb25d08d2 Mon Sep 17 00:00:00 2001 From: Shishir Mahajan Date: Wed, 26 Aug 2020 15:27:26 -0700 Subject: [PATCH 3/4] Add comments. --- containerd/containerd.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/containerd/containerd.go b/containerd/containerd.go index d76ee52..7181010 100644 --- a/containerd/containerd.go +++ b/containerd/containerd.go @@ -123,6 +123,12 @@ func (d *Driver) createContainer(image containerd.Image, containerName, containe opts = append(opts, oci.WithMounts(mounts)) } + // nomad use CNI plugins e.g bridge to setup a network (and network namespace) for the container. + // CNI plugins need to be installed under /opt/cni/bin. + // network namespace is created at /var/run/netns/. + // netnsPath is the path to the network namespace, which containerd joins to provide network + // for the container. + // NOTE: Only bridge networking mode is supported at this point. if netnsPath != "" { opts = append(opts, oci.WithLinuxNamespace(specs.LinuxNamespace{Type: specs.NetworkNamespace, Path: netnsPath})) } From 22011a268affa2ff84084448d699908b94f09069 Mon Sep 17 00:00:00 2001 From: Shishir Mahajan Date: Wed, 26 Aug 2020 15:59:56 -0700 Subject: [PATCH 4/4] Update README.md. --- README.md | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 35e2fd1..54e4ef5 100644 --- a/README.md +++ b/README.md @@ -113,6 +113,29 @@ mounts = [ ] ``` +## Networking + +`nomad-driver-containerd` supports **host** and **bridge** networks.
+ +**NOTE:** `host` and `bridge` are mutually exclusive options, and only one of them should be used at a time. + +1. **Host** network can be enabled by setting `host_network` to `true` in task config +of the job spec [Check under [`Supported options`](https://github.com/Roblox/nomad-driver-containerd#supported-options)]. + +2. **Bridge** network can be enabled by setting the `network` stanza in the task group section of the job spec. + +``` +network { + mode = "bridge" +} +``` +You need to install CNI plugins on nomad client nodes under `/opt/cni/bin` before you can use `bridge` networks. + + **Instructions for installing CNI plugins.**
+ - $ curl -L -o cni-plugins.tgz https://github.com/containernetworking/plugins/releases/download/v0.8.1/cni-plugins-linux-amd64-v0.8.1.tgz
+ - sudo mkdir -p /opt/cni/bin
+ - sudo tar -C /opt/cni/bin -xzf cni-plugins.tgz + ## Tests ``` $ make test @@ -140,11 +163,9 @@ Ubuntu (>= 16.04) `nomad-driver-containerd` [`v0.1`](https://github.com/Roblox/nomad-driver-containerd/releases/tag/v0.1) is **not** production ready. There are some open items which are currently being worked on. -1) **Networking**: Networking is **not in scope** of containerd as described [`here`](https://kubernetes.io/blog/2017/11/containerd-container-runtime-options-kubernetes/). However an external CNI plugin can be used to add networking to the container. We are researching on how to enable networking for our internal use-cases, and would publish (open-source) that work at some point. +1) **Port forwarding**: The ability to map a host port to a container port. This is currently not supported, but could be supported in future. -2) **Port forwarding**: The ability to map a host port to a container port. This is currently not supported, but could be supported in future. - -3) **Consul connect**: When a user launches a job in `nomad`, s/he can add a [`service stanza`](https://www.nomadproject.io/docs/job-specification/service) which will instruct `nomad` to register the service with `consul` for service discovery. This is currently not supported. +2) **Consul connect**: When a user launches a job in `nomad`, s/he can add a [`service stanza`](https://www.nomadproject.io/docs/job-specification/service) which will instruct `nomad` to register the service with `consul` for service discovery. This is currently not supported. ## License