feat: Implementation of enable_icc option (#69)

* feat: implementation of enable_icc option + code refactor

* address review comments and add support for iptables v6
* add cleanup method if create fails during post process
* Add a per-network mutex lock to make Create and Remove calls thread safe
* Also track active-reqs to prevent multiple lock creation for the same
* Add additional unit-test for HandleCreateOptions

Signed-off-by: Swagat Bora <[email protected]>

---------

Signed-off-by: Swagat Bora <[email protected]>

Author: swagatbora90

api/types/network_types.go

@@ -156,8 +156,6 @@ type NetworkCreateRequest struct {
 	IPAM IPAM `json:"IPAM"`
 
 	// EnableIPv6 specifies to enable IPv6 on the network.
-	//
-	// IPv6 networks are not currently supported.
 	EnableIPv6 bool `json:"EnableIPv6"`
 
 	// Options specifies network specific options to be used by the drivers.

go.mod

@@ -1,6 +1,8 @@
 module github.com/runfinch/finch-daemon
 
-go 1.22
+go 1.22.0
+
+toolchain go1.22.7
 
 require (
 	github.com/containerd/cgroups/v3 v3.0.3
@@ -13,6 +15,7 @@ require (
 	github.com/containerd/platforms v0.2.1
 	github.com/containerd/typeurl/v2 v2.2.0
 	github.com/containernetworking/cni v1.2.2
+	github.com/coreos/go-iptables v0.7.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/distribution/reference v0.6.0
 	github.com/docker/cli v26.0.0+incompatible
@@ -65,14 +68,14 @@ require (
 	github.com/containerd/typeurl v1.0.3-0.20220422153119-7f6e6d160d67 // indirect
 	github.com/containernetworking/plugins v1.4.1 // indirect
 	github.com/containers/ocicrypt v1.1.10 // indirect
-	github.com/coreos/go-iptables v0.7.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.3.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/djherbis/times v1.6.0 // indirect
 	github.com/docker/docker-credential-helpers v0.8.1 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/fahedouch/go-logrotate v0.2.0 // indirect
+	github.com/fatih/color v1.17.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fluent/fluent-logger-golang v1.9.0 // indirect
 	github.com/getlantern/mockconn v0.0.0-20200818071412-cb30d065a848 // indirect

go.sum

@@ -78,11 +78,12 @@ github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE=
+github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
@@ -105,8 +106,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fahedouch/go-logrotate v0.2.0 h1:UR9Fv8MDVfWwnkirmFHck+tRSWzqOwRjVRLMpQgSxaI=
 github.com/fahedouch/go-logrotate v0.2.0/go.mod h1:1RL/yr7LntS4zadAC6FT6yB/C1CQt3V6eHAZzymfwzE=
-github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
-github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
+github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
+github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fluent/fluent-logger-golang v1.9.0 h1:zUdY44CHX2oIUc7VTNZc+4m+ORuO/mldQDA7czhWXEg=

internal/service/network/create.go

@@ -5,65 +5,42 @@ package network
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
-	"os"
-	"path/filepath"
 	"strings"
 
-	"github.com/containerd/nerdctl/pkg/lockutil"
 	"github.com/containerd/nerdctl/pkg/netutil"
 
 	"github.com/runfinch/finch-daemon/api/types"
+	"github.com/runfinch/finch-daemon/internal/service/network/driver"
 	"github.com/runfinch/finch-daemon/pkg/errdefs"
 	"github.com/runfinch/finch-daemon/pkg/utility/maputility"
 )
 
 // Create implements the logic to turn a network create request to the back-end nerdctl create network calls.
 func (s *service) Create(ctx context.Context, request types.NetworkCreateRequest) (types.NetworkCreateResponse, error) {
-	// enable_ip_masquerade, host_binding_ipv4, and bridge name network options are not supported by nerdctl.
-	// So we must filter out any unsupported options which would prevent the network from being created and accept the defaults.
-	bridge := ""
-	filterUnsupportedOptions := func(original map[string]string) map[string]string {
-		options := map[string]string{}
-		for k, v := range original {
-			switch k {
-			case "com.docker.network.bridge.enable_ip_masquerade":
-				// must be true
-				if v != "true" {
-					s.logger.Warnf("network option com.docker.network.bridge.enable_ip_masquerade is set to %s, but it must be true", v)
-				}
-			case "com.docker.network.bridge.host_binding_ipv4":
-				// must be 0.0.0.0
-				if v != "0.0.0.0" {
-					s.logger.Warnf("network option com.docker.network.bridge.host_binding_ipv4 is set to %s, but it must be 0.0.0.0", v)
-				}
-			case "com.docker.network.bridge.enable_icc":
-				s.logger.Warnf("network option com.docker.network.bridge.enable_icc is not currently supported in nerdctl", v)
-			case "com.docker.network.bridge.name":
-				bridge = v
-			default:
-				options[k] = v
-			}
+	var bridgeDriver driver.DriverHandler
+	var err error
+
+	createOptionsFrom := func(request types.NetworkCreateRequest) (netutil.CreateOptions, error) {
+		// Default to "bridge" driver if request does not specify a driver
+		networkDriver := request.Driver
+		if networkDriver == "" {
+			networkDriver = "bridge"
 		}
-		return options
-	}
 
-	createOptionsFrom := func(r types.NetworkCreateRequest) netutil.CreateOptions {
 		options := netutil.CreateOptions{
-			Name:        r.Name,
-			Driver:      "bridge",
+			Name:        request.Name,
+			Driver:      networkDriver,
 			IPAMDriver:  "default",
-			IPAMOptions: r.IPAM.Options,
-			Options:     filterUnsupportedOptions(r.Options),
-			Labels:      maputility.Flatten(r.Labels, maputility.KeyEqualsValueFormat),
-		}
-		if r.Driver != "" {
-			options.Driver = r.Driver
+			IPAMOptions: request.IPAM.Options,
+			Labels:      maputility.Flatten(request.Labels, maputility.KeyEqualsValueFormat),
+			IPv6:        request.EnableIPv6,
 		}
-		if r.IPAM.Driver != "" {
-			options.IPAMDriver = r.IPAM.Driver
+
+		if request.IPAM.Driver != "" {
+			options.IPAMDriver = request.IPAM.Driver
 		}
+
 		if len(request.IPAM.Config) != 0 {
 			options.Subnets = []string{}
 			if subnet, ok := request.IPAM.Config[0]["Subnet"]; ok {
@@ -76,7 +53,21 @@ func (s *service) Create(ctx context.Context, request types.NetworkCreateRequest
 				options.Gateway = gateway
 			}
 		}
-		return options
+
+		// Handle driver-specific options
+		switch networkDriver {
+		case "bridge":
+			bridgeDriver, err = driver.NewBridgeDriver(s.netClient, s.logger, options.IPv6)
+			if err != nil {
+				return options, err
+			}
+			options, err = bridgeDriver.HandleCreateOptions(request, options)
+			return options, err
+		default:
+			options.Options = request.Options
+		}
+
+		return options, nil
 	}
 
 	if config, err := s.getNetwork(request.Name); err == nil {
@@ -92,8 +83,21 @@ func (s *service) Create(ctx context.Context, request types.NetworkCreateRequest
 		return response, nil
 	}
 
-	net, err := s.netClient.CreateNetwork(createOptionsFrom(request))
-	warning := ""
+	options, err := createOptionsFrom(request)
+	if err != nil {
+		return types.NetworkCreateResponse{}, err
+	}
+
+	// Ensure thread-safety for network operations using a per-network mutex.
+	// Operations on different network IDs can proceed concurrently.
+	netMu := s.ensureLock(request.Name)
+
+	netMu.Lock()
+	defer netMu.Unlock()
+	defer s.releaseLock(request.Name)
+
+	// Create network
+	net, err := s.netClient.CreateNetwork(options)
 	if err != nil && strings.Contains(err.Error(), "unsupported cni driver") {
 		return types.NetworkCreateResponse{}, errdefs.NewNotFound(errPluginNotFound)
 	} else if err != nil {
@@ -104,103 +108,33 @@ func (s *service) Create(ctx context.Context, request types.NetworkCreateRequest
 		return types.NetworkCreateResponse{}, errNetworkIDNotFound
 	}
 
-	// Since nerdctl currently does not support custom bridge names,
-	// we explicitly override bridge name in the conflist file for the network that was just created
-	if bridge != "" {
-		if err = s.setBridgeName(net, bridge); err != nil {
-			warning = fmt.Sprintf("Failed to set network bridge name %s: %s", bridge, err)
+	// Add cleanup func to remove the network if an error is encountered during post processing
+	cleanup := func(ctx context.Context, name string) {
+		if cleanupErr := s.Remove(ctx, name); cleanupErr != nil {
+			// ignore if the network does not exist
+			if !errdefs.IsNotFound(cleanupErr) {
+				s.logger.Errorf("cleanup failed in defer %s: %v", name, cleanupErr)
+			}
 		}
 	}
 
-	return types.NetworkCreateResponse{
-		ID:      *net.NerdctlID,
-		Warning: warning,
-	}, nil
-}
-
-// setBridgeName will override the bridge name in an existing CNI config file for a network.
-func (s *service) setBridgeName(net *netutil.NetworkConfig, bridge string) error {
-	return lockutil.WithDirLock(s.netClient.NetconfPath(), func() error {
-		// first, make sure that the bridge name is not used by any of the existing bridge networks
-		bridgeNet, err := s.getNetworkByBridgeName(bridge)
+	defer func() {
 		if err != nil {
-			return err
-		}
-		if bridgeNet != nil {
-			return fmt.Errorf("bridge name %s already in use by network %s", bridge, bridgeNet.Name)
+			cleanup(ctx, request.Name)
 		}
+	}()
 
-		// load the CNI config file and set bridge name
-		configFilename := s.getConfigPathForNetworkName(net.Name)
-		configFile, err := os.Open(configFilename)
+	// Handle post network create actions
+	warning := ""
+	if bridgeDriver != nil {
+		warning, err = bridgeDriver.HandlePostCreate(net)
 		if err != nil {
-			return err
-		}
-		defer configFile.Close()
-		var netJSON interface{}
-		if err = json.NewDecoder(configFile).Decode(&netJSON); err != nil {
-			return err
-		}
-		netMap, ok := netJSON.(map[string]interface{})
-		if !ok {
-			return fmt.Errorf("network config file %s is not a valid map", configFilename)
-		}
-		plugins, ok := netMap["plugins"]
-		if !ok {
-			return fmt.Errorf("could not find plugins in network config file %s", configFilename)
-		}
-		pluginsMap, ok := plugins.([]interface{})
-		if !ok {
-			return fmt.Errorf("could not parse plugins in network config file %s", configFilename)
-		}
-		for _, plugin := range pluginsMap {
-			pluginMap, ok := plugin.(map[string]interface{})
-			if !ok {
-				continue
-			}
-			if pluginMap["type"] == "bridge" {
-				pluginMap["bridge"] = bridge
-				data, err := json.MarshalIndent(netJSON, "", "  ")
-				if err != nil {
-					return err
-				}
-				return os.WriteFile(configFilename, data, 0o644)
-			}
-		}
-		return fmt.Errorf("bridge plugin not found in network config file %s", configFilename)
-	})
-}
-
-// From https://github.com/containerd/nerdctl/blob/v1.5.0/pkg/netutil/netutil.go#L186-L188
-func (s *service) getConfigPathForNetworkName(netName string) string {
-	return filepath.Join(s.netClient.NetconfPath(), "nerdctl-"+netName+".conflist")
-}
-
-type bridgePlugin struct {
-	Type   string `json:"type"`
-	Bridge string `json:"bridge"`
-}
-
-func (s *service) getNetworkByBridgeName(bridge string) (*netutil.NetworkConfig, error) {
-	networks, err := s.netClient.FilterNetworks(func(*netutil.NetworkConfig) bool {
-		return true
-	})
-	if err != nil {
-		return nil, err
-	}
-	for _, network := range networks {
-		for _, plugin := range network.Plugins {
-			if plugin.Network.Type != "bridge" {
-				continue
-			}
-			var bridgeJSON bridgePlugin
-			if err = json.Unmarshal(plugin.Bytes, &bridgeJSON); err != nil {
-				continue
-			}
-			if bridgeJSON.Bridge == bridge {
-				return network, nil
-			}
+			return types.NetworkCreateResponse{}, err
 		}
 	}
-	return nil, nil
+
+	return types.NetworkCreateResponse{
+		ID:      *net.NerdctlID,
+		Warning: warning,
+	}, nil
 }