From a1ab826ff17e47dad725f7242a7df578a6f6260a Mon Sep 17 00:00:00 2001 From: Matt Oswalt Date: Wed, 18 Aug 2021 12:55:51 -0400 Subject: [PATCH 1/3] Add ability to configure additional network interface names in image meta Signed-off-by: Matt Oswalt --- CHANGELOG.md | 1 + db/ingestors/images.go | 7 ++++++ db/ingestors/images_test.go | 10 +++++++- db/ingestors/ingestors.go | 3 +++ db/models/image.go | 4 ++-- .../images/utility/image.meta.yaml | 2 +- hack/mocks/images/utility/image.meta.yaml | 2 +- scheduler/backends/kubernetes/pods.go | 23 +++++++++++++++++-- 8 files changed, 45 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 98d14c8b..bd10f851 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ - Refactored scheduler for Pluggable Backends [#212](https://github.com/nre-learning/antidote-core/pull/212) - Adding developer mode [#209](https://github.com/nre-learning/antidote-core/pull/209) +- Add ability to configure additional network interface names in imag meta [#214](https://github.com/nre-learning/antidote-core/pull/214) ## v0.7.0 - December 14, 2020 diff --git a/db/ingestors/images.go b/db/ingestors/images.go index 4a07abd5..bb83e1a3 100644 --- a/db/ingestors/images.go +++ b/db/ingestors/images.go @@ -83,5 +83,12 @@ func validateImage(image *models.Image) error { return errBasicValidation } + for i := range image.NetworkInterfaces { + if image.NetworkInterfaces[i] == "eth0" { + log.Error("No presentations configured, and no additionalPorts specified") + return errEth0NotAllowed + } + } + return nil } diff --git a/db/ingestors/images_test.go b/db/ingestors/images_test.go index 7ef88279..52107ec8 100644 --- a/db/ingestors/images_test.go +++ b/db/ingestors/images_test.go 
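Review bot: The validation added to validateImage rejects only the literal "eth0", so empty strings, names longer than the 15-byte Linux interface-name limit or containing '/' or whitespace, and duplicate names all pass ingest and only fail later when the scheduler builds the pod network annotation from this list. Because the list is author-supplied curriculum metadata and this loop is its only validation point, add those checks here with new sentinels declared next to errEth0NotAllowed in ingestors.go; the rewritten loop is below and assumes the strings package is imported in this file. validateImage begins outside the hunk.
```go
	seen := make(map[string]struct{}, len(image.NetworkInterfaces))
	for i := range image.NetworkInterfaces {
		name := image.NetworkInterfaces[i]
		// … unchanged: eth0 check …
		// Linux interface names are 1-15 bytes and cannot contain '/' or whitespace;
		// reject them here so the pod annotation built by the scheduler is never malformed.
		if name == "" || len(name) > 15 || strings.ContainsAny(name, "/ \t\n") {
			return errInvalidInterfaceName // new sentinel, to be added in ingestors.go
		}
		if _, dup := seen[name]; dup {
			return errDuplicateInterface // new sentinel, to be added in ingestors.go
		}
		seen[name] = struct{}{}
	}
```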
@@ -46,7 +46,15 @@ func TestNoNetworkInterfaces(t *testing.T) { i.NetworkInterfaces = []string{} err := validateImage(&i) - assert(t, (err == errBasicValidation), "Expected errBasicValidation") + assert(t, (err == nil), "Expected no error; the NetworkInterfaces field is optional") +} + +func TestInvalidNetworkInterface(t *testing.T) { + i := getValidImage() + i.NetworkInterfaces = []string{"eth0", "net1"} + err := validateImage(&i) + + assert(t, (err == errEth0NotAllowed), "Expected errEth0NotAllowed") } func TestNoSSHUser(t *testing.T) { diff --git a/db/ingestors/ingestors.go b/db/ingestors/ingestors.go index 29399cbf..0108f9dc 100644 --- a/db/ingestors/ingestors.go +++ b/db/ingestors/ingestors.go @@ -20,4 +20,7 @@ var ( errDuplicatePresentation = errors.New("Duplicate presentations detected") errBadConnection = errors.New("Malformed connection") errMissingLessonGuide = errors.New("Couldn't find/read lesson guide") + + // Images-Specific Errors + errEth0NotAllowed = errors.New("Not allowed to include 'eth0' in NetworkInterfaces field of images") ) diff --git a/db/models/image.go b/db/models/image.go index bfe2100f..46e3b234 100644 --- a/db/models/image.go +++ b/db/models/image.go 
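Review bot: TestInvalidNetworkInterface places "eth0" only at index 0 of the slice, so a regression that inspected just the first element would still pass; add a second case with the reserved name later in the list, e.g. `i.NetworkInterfaces = []string{"net1", "eth0"}`, asserting the same errEth0NotAllowed. The updated TestNoNetworkInterfaces assertion matches the new minItems=0 contract on the model. TestNoNetworkInterfaces begins outside the hunk.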
@@ -23,8 +23,8 @@ type Image struct { // Kata will forward sysctl calls, so this is mainly targeted at untrusted images that need to forward https://github.com/kata-containers/runtime/issues/185 EnableForwarding bool `json:"EnableForwarding" yaml:"enableForwarding" jsonschema:"description=Enable IP (v4 and v6) forwarding for this image at runtime"` - // Used to allow authors to know which interfaces are available, and in which order they'll be connected - NetworkInterfaces []string `json:"NetworkInterfaces" yaml:"networkInterfaces" jsonschema:"minItems=1"` + // Used to specify names for additional network interfaces (not including "eth0") + NetworkInterfaces []string `json:"NetworkInterfaces" yaml:"networkInterfaces" jsonschema:"minItems=0"` SSHUser string `json:"SSHUser" yaml:"sshUser" jsonschema:"minLength=1,description=Username for SSH connections"` SSHPassword string `json:"SSHPassword" yaml:"sshPassword" jsonschema:"minLength=1,Password for SSH Connections"` diff --git a/db/test/test-curriculum/images/utility/image.meta.yaml b/db/test/test-curriculum/images/utility/image.meta.yaml index 2a725b56..bd155b1d 100644 --- a/db/test/test-curriculum/images/utility/image.meta.yaml +++ b/db/test/test-curriculum/images/utility/image.meta.yaml @@ -9,4 +9,4 @@ sshPassword: antidotepassword configUser: antidote configPassword: antidotepassword networkInterfaces: - - 'eth0' + - 'net1' diff --git a/hack/mocks/images/utility/image.meta.yaml b/hack/mocks/images/utility/image.meta.yaml index 236ec2b4..4842dd5c 100644 --- a/hack/mocks/images/utility/image.meta.yaml +++ b/hack/mocks/images/utility/image.meta.yaml @@ -2,7 +2,7 @@ slug: utility description: A utility image privileged: false networkInterfaces: - - 'eth0' + - 'net1' sshUser: antidote flavor: untrusted sshPassword: antidotepassword diff --git a/scheduler/backends/kubernetes/pods.go b/scheduler/backends/kubernetes/pods.go index d17dcbff..2d3e05e5 100644 --- a/scheduler/backends/kubernetes/pods.go 
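Review bot: The new comment on NetworkInterfaces drops the ordering information the old one carried, yet the scheduler applies the nth entry to the nth network when it builds the pod annotation, so position is part of the field's contract and should be documented. Replace it with `// Names for additional network interfaces, applied by position: the nth name is given to the nth connected network. "eth0" is reserved and is rejected at ingest.` The Image struct begins and ends outside the hunk.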
+++ b/scheduler/backends/kubernetes/pods.go @@ -31,12 +31,31 @@ func (k *KubernetesBackend) createPod(sc ot.SpanContext, ep *models.LiveEndpoint span.SetTag("nsName", nsName) type networkAnnotation struct { - Name string `json:"name"` + Name string `json:"name"` + Interface string `json:"interface"` + } + + image, err := k.Db.GetImage(sc, ep.Image) + if err != nil { + log.Error(err) + return nil, err } netAnnotations := []networkAnnotation{} for n := range networks { - netAnnotations = append(netAnnotations, networkAnnotation{Name: networks[n]}) + + // default to the `netX` format used by multus + ifName := fmt.Sprintf("net%d", n) + + // Override if there is an available interface listed in the image definition + if len(image.NetworkInterfaces) > n { + ifName = image.NetworkInterfaces[n] + } + + netAnnotations = append(netAnnotations, networkAnnotation{ + Name: networks[n], + Interface: ifName, + }) } netAnnotationsJSON, err := json.Marshal(netAnnotations) From 3b03e850d56bc4c8ee9a4a90286bf87d55248023 Mon Sep 17 00:00:00 2001 From: Matt Oswalt Date: Wed, 15 Sep 2021 15:11:31 -0400 Subject: [PATCH 2/3] Updated CHANGELOG Signed-off-by: Matt Oswalt --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd10f851..45afb2be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ - Refactored scheduler for Pluggable Backends [#212](https://github.com/nre-learning/antidote-core/pull/212) - Adding developer mode [#209](https://github.com/nre-learning/antidote-core/pull/209) -- Add ability to configure additional network interface names in imag meta [#214](https://github.com/nre-learning/antidote-core/pull/214) +- Add ability to configure additional network interface names in image meta [#214](https://github.com/nre-learning/antidote-core/pull/214) ## v0.7.0 - December 14, 2020 From 3ab22c8591bc4d05be074b1efe5db1294cd3b133 Mon Sep 17 00:00:00 2001 
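Review bot: The per-index fallback `fmt.Sprintf("net%d", n)` can collide with a name the image author chose: with NetworkInterfaces of ["net2"] and three networks, index 0 becomes "net2" and index 2 defaults to "net2", and the duplicate is marshalled into the annotation unchecked. Check the assembled netAnnotations for repeated Interface values before marshalling and fail pod creation with an error, as shown below; ingest validation could instead reject author names of the form netN, but only createPod knows the network count. Separately, the new GetImage error is logged and then returned, so it will be reported at two layers unless the caller is known not to log it; dropping the log.Error here would follow the handle-once rule. Entries beyond len(networks) in image.NetworkInterfaces are silently ignored, which deserves at least a debug log. createPod begins and ends outside the hunk.
```go
	// … unchanged: GetImage lookup and netAnnotations loop …
	// An author-chosen name can coincide with the "net%d" default picked for a
	// later index; refuse to create a pod with two interfaces of the same name.
	seen := make(map[string]struct{}, len(netAnnotations))
	for _, a := range netAnnotations {
		if _, dup := seen[a.Interface]; dup {
			return nil, fmt.Errorf("duplicate interface name %q in networks for image %s", a.Interface, ep.Image)
		}
		seen[a.Interface] = struct{}{}
	}
	netAnnotationsJSON, err := json.Marshal(netAnnotations)
```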
From: Matt Oswalt Date: Wed, 15 Sep 2021 15:11:46 -0400 Subject: [PATCH 3/3] Default networkInterfaces field to empty slice Signed-off-by: Matt Oswalt --- db/ingestors/images.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/db/ingestors/images.go b/db/ingestors/images.go index bb83e1a3..ae0ba730 100644 --- a/db/ingestors/images.go +++ b/db/ingestors/images.go @@ -54,6 +54,10 @@ func ReadImages(cfg config.AntidoteConfig) ([]*models.Image, error) { log.Errorf("Failed to import %s: %s", file, err) } + if image.NetworkInterfaces == nil { + image.NetworkInterfaces = []string{} + } + err = validateImage(&image) if err != nil { log.Errorf("Image '%s' failed to validate", image.Slug) @@ -85,7 +89,7 @@ func validateImage(image *models.Image) error { for i := range image.NetworkInterfaces { if image.NetworkInterfaces[i] == "eth0" { - log.Error("No presentations configured, and no additionalPorts specified") + log.Error("Not allowed to specify eth0 in networkInterfaces list") return errEth0NotAllowed } }
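Review bot: The nil-to-empty normalisation added to ReadImages has no comment explaining which consumer needs it; validateImage ranges over the slice, which is already nil-safe, so the reason is presumably serialisation (an empty slice encodes as [] where nil encodes as null) and should be stated, e.g. `// Treat a missing networkInterfaces key as an empty list so it serialises as [] rather than null`. That reason is an assumption for the author to confirm before the comment is committed. The normalisation also runs when the preceding import failed and was only logged, which is pre-existing control flow but means a partially read image is still normalised and validated. ReadImages begins and ends outside the hunk.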