feat: host<->container networking

Author: holysoles

README.md

@@ -1,6 +1,6 @@
 # Currunt
 
-This project is a container runtime, written primarily as a learning exercise, by referencing only the OCI spec, Kernel documentation, blog posts, and educational resources. Source code and documentation of existing container runtimes have not been referenced. External dependencies are minimized to the greatest degree possible.
+This project is a container runtime, written primarily as a learning exercise, by referencing only the OCI spec, Kernel documentation, blog posts, and educational resources. No source code/documentation of existing container runtimes or AI has been used. External dependencies are minimized to the greatest degree possible.
 
 It is being written in two phases:
 
@@ -31,14 +31,17 @@ Goal: "feel like a container runtime"
 - [x] support namespaces
 - [x] switch from chroot to pivotroot
 - [x] track running containers in an index file
+- [x] support networking to host
 
 ## Phase 1b
 
 Goal: support more nuanced container features that make the magic happen
 
+- more networking
+  - [ ] bridge with host
+  - [ ] ingress traffic filters (expose ports)
 - [ ] support cgroups
 - [ ] support adding/dropping capabilities
-- [ ] support networking (and port mapping)
 - [ ] use a system location for image storage
 - [ ] image caching
 - [ ] layer caching
@@ -75,3 +78,4 @@ And other items from the OCI spec
 - [overlay fs docs](https://docs.kernel.org/filesystems/overlayfs.html)
 - [container in c](https://zserge.com/posts/containers/)
 - [namespaces in go](https://medium.com/@teddyking/namespaces-in-go-user-a54ef9476f2a)
+- [Scott Lowe's Weblog: Network Namespaces](https://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/)

go.mod

@@ -3,6 +3,11 @@ module github.com/holysoles/currunt
 go 1.24.2
 
 require (
-	github.com/google/uuid v1.6.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	github.com/vishvananda/netlink v1.3.1
+	golang.org/x/sys v0.33.0
+)
+
+require (
+	github.com/coreos/go-iptables v0.8.0 // indirect
+	github.com/vishvananda/netns v0.0.5 // indirect
 )

go.sum

@@ -1,4 +1,12 @@
+github.com/coreos/go-iptables v0.8.0 h1:MPc2P89IhuVpLI7ETL/2tx3XZ61VeICZjYqDEgNsPRc=
+github.com/coreos/go-iptables v0.8.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
+github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
+github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
+github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=

main.go

@@ -5,8 +5,6 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/google/uuid"
-
 	"github.com/holysoles/currunt/pkg/config"
 	"github.com/holysoles/currunt/pkg/container"
 	"github.com/holysoles/currunt/pkg/oci"
@@ -25,7 +23,7 @@ func (v *containerVolumes) Set(s string) error {
 
 func main() {
 	runF := flag.NewFlagSet("run", flag.ExitOnError)
-	runName := runF.String("name", uuid.New().String(), "name")
+	runName := runF.String("name", "", "name")
 	runImg := runF.String("image", "", "image")
 	runCmd := runF.String("entrypoint", "", "entrypoint")
 	runArgs := runF.String("cmd", "", "cmd")
@@ -53,6 +51,7 @@ func main() {
 	spawnGroup := container.UnixId{}
 	spawnF.Var(&spawnUser, "user", "user")
 	spawnF.Var(&spawnGroup, "group", "group")
+	spawnIP := spawnF.String("ip", "", "ip")
 
 	if len(os.Args) < 2 {
 		fmt.Print("invalid usage!")
@@ -96,7 +95,7 @@ func main() {
 			os.Exit(1)
 		}
 		spawnF.Parse(os.Args[2:])
-		err := execContainer(*spawnCmd, *spawnArgs, spawnEnv, *spawnId, spawnUser, spawnGroup, *spawnWorkDir)
+		err := execContainer(*spawnCmd, *spawnArgs, spawnEnv, *spawnId, spawnUser, spawnGroup, *spawnWorkDir, *spawnIP)
 		if err != nil {
 			fmt.Printf("ERROR: error spawning process for container: %v\n", err)
 		}

pkg/container/container.go

@@ -2,12 +2,12 @@ package container
 
 import (
 	"fmt"
+	"math/rand"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 
-	"github.com/google/uuid"
 	"golang.org/x/sys/unix"
 
 	"github.com/holysoles/currunt/pkg/oci"
@@ -17,8 +17,17 @@ const (
 	ARG_DELIMITER = ";"
 	CONTAINER_LIB = "./containers"
 	DIR_MASK      = 0o700
+	randChars     = "abcdefghijklmnopqrstuvwxyz0123456789"
 )
 
+func randString(n int) string {
+	b := make([]byte, n)
+	for i := range b {
+		b[i] = randChars[rand.Int63()%int64(len(randChars))]
+	}
+	return string(b)
+}
+
 type Env []string
 
 func (e *Env) String() string {
@@ -89,8 +98,11 @@ type Container struct {
 
 func New(name string, config oci.Config) Container {
 	var c Container
+	if name == "" {
+		name = randString(8)
+	}
 	c.Name = name
-	c.Id = uuid.New().String()
+	c.Id = randString(6)
 	c.Env = config.Env
 	c.Entrypoint = cmdLine(config.Entrypoint)
 	c.Args = cmdLine(config.Cmd)

pkg/container/networking.go

@@ -0,0 +1,123 @@
+package container
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/coreos/go-iptables/iptables"
+	"github.com/vishvananda/netlink"
+)
+
+func getDefaultLink() (netlink.Link, error) {
+	var link netlink.Link
+	routes, err := netlink.RouteList(nil, netlink.FAMILY_ALL)
+	if err != nil {
+		return link, err
+	}
+	dNet, _ := netlink.ParseAddr("0.0.0.0/0")
+	for _, r := range routes {
+		if r.Dst.Network() == dNet.IPNet.Network() {
+			return netlink.LinkByIndex(r.LinkIndex)
+		}
+	}
+	err = errors.New("did not find a default route")
+	return link, err
+}
+
+func setForwarding(containerLink string, defaultLink string) error {
+	table, err := iptables.New()
+	if err != nil {
+		return err
+	}
+	// masq
+	err = table.Append("nat", "POSTROUTING", "-o", defaultLink, "-j", "MASQUERADE")
+	if err != nil {
+		return err
+	}
+
+	// forward
+	err = table.Append("filter", "FORWARD", "-i", containerLink, "-o", defaultLink, "-j", "ACCEPT")
+	if err != nil {
+		return err
+	}
+	err = table.Append("filter", "FORWARD", "-i", containerLink, "-o", defaultLink, "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT")
+	return err
+}
+
+func newBridge(id string, link netlink.Link) error {
+	bAttrs := netlink.NewLinkAttrs()
+	bAttrs.Name = "br-" + id
+	br := &netlink.Bridge{LinkAttrs: bAttrs}
+	err := netlink.LinkAdd(br)
+	if err != nil {
+		return err
+	}
+	err = netlink.LinkSetUp(br)
+	if err != nil {
+		return err
+	}
+	err = netlink.LinkSetMaster(link, br)
+	return err
+}
+
+// func GetIP returns an available IP address for the container
+func (c *Container) GetIP() string {
+	return "10.200.1.2/24"
+}
+
+func (c *Container) AttachNet(pid int) error {
+	pName := "veth-" + c.Id
+	lName := pName + "2"
+	attr := netlink.LinkAttrs{Name: lName}
+	link := netlink.NewVeth(attr)
+	link.PeerName = pName
+	err := netlink.LinkAdd(link)
+	if err != nil {
+		return err
+	}
+	peer, err := netlink.LinkByName(pName)
+	if err != nil {
+		return err
+	}
+	// TODO IP address lease management
+	lAddr, err := netlink.ParseAddr("10.200.1.1/24")
+	if err != nil {
+		return err
+	}
+	err = netlink.AddrAdd(link, lAddr)
+	if err != nil {
+		return err
+	}
+	err = netlink.LinkSetUp(link)
+	if err != nil {
+		return err
+	}
+	err = netlink.LinkSetNsPid(peer, pid)
+	if err != nil {
+		return err
+	}
+	fmt.Println("DEBUG: setup veth and pushed peer into container netns")
+	// peer gets configured within the namespace (addr, set up)
+
+	// bridge for other containers to share the network. unlikely to use for awhile
+	//newBridge(c.Id, link)
+	// TODO teardown actions
+
+	dLink, err := getDefaultLink()
+	if err != nil {
+		err = fmt.Errorf("failed to discover default network interface: %v", err)
+		return err
+	}
+	dLinkName := dLink.Attrs().Name
+	// TODO we should add routing to common bridge like docker does
+	// then we can just setup iptables rules once
+
+	// setup routing for the veth to the default interface
+	err = setForwarding(lName, dLinkName)
+	if err != nil {
+		err = fmt.Errorf("failed to configure forwarding from host to container network: %v", err)
+		return err
+	}
+
+	return err
+}

run.go

@@ -4,15 +4,23 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"net"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"time"
+
+	"github.com/vishvananda/netlink"
+	"golang.org/x/sys/unix"
 
 	"github.com/holysoles/currunt/pkg/config"
 	"github.com/holysoles/currunt/pkg/container"
 	"github.com/holysoles/currunt/pkg/oci"
-	"golang.org/x/sys/unix"
+)
+
+const (
+	CREATE_TIMEOUT_SECONDS = 30
 )
 
 // func pivotRoot is a wrapper around the syscall for pivot_root. The implementation is based upon usage in the pivot_root manpage: https://man7.org/linux/man-pages/man2/pivot_root.2.html
@@ -154,6 +162,8 @@ func initContainer(cfg config.CurruntConfig, name string, entrypoint string, cmd
 		c.User.String(),
 		"--group",
 		c.Group.String(),
+		"--ip",
+		c.GetIP(),
 	}
 	spawnArgs = append(spawnArgs, spawnEnv...)
 
@@ -191,8 +201,20 @@ func initContainer(cfg config.CurruntConfig, name string, entrypoint string, cmd
 
 	fmt.Println("DEBUG: starting namespace isolated runtime process")
 	err = p.Start()
+	defer p.Process.Kill()
+
 	c.Status = "Running"
-	saveContainer(c)
+	err = saveContainer(c)
+	if err != nil {
+		err = fmt.Errorf("unable to save container state: %v", err)
+		return c, err
+	}
+
+	err = c.AttachNet(p.Process.Pid)
+	if err != nil {
+		err = fmt.Errorf("unable to configure network: %v", err)
+		return c, err
+	}
 
 	if detach {
 		p.Process.Release()
@@ -209,7 +231,7 @@ func initContainer(cfg config.CurruntConfig, name string, entrypoint string, cmd
 }
 
 // func execContainer finalizes preparing the container in the container ns, and executes the entrypoint. Should be called through initContainer
-func execContainer(cmd string, args string, env container.Env, id string, uid container.UnixId, gid container.UnixId, wDir string) error {
+func execContainer(cmd string, args string, env container.Env, id string, uid container.UnixId, gid container.UnixId, wDir string, ip string) error {
 	var cEnv []string
 	cEnv = append(cEnv, env...)
 
@@ -218,9 +240,53 @@ func execContainer(cmd string, args string, env container.Env, id string, uid co
 	if err != nil {
 		return err
 	}
-	pivotRoot(dir)
+	err = pivotRoot(dir)
+	if err != nil {
+		return err
+	}
+
+	err = unix.Sethostname([]byte(id))
+	if err != nil {
+		return err
+	}
+
+	// block until we get the network device assigned into the namespace
+	fmt.Println("DEBUG: waiting for network device to be created..")
+	var link netlink.Link
+
+	var timeoutSec int
+	for timeoutSec < CREATE_TIMEOUT_SECONDS {
+		link, err = netlink.LinkByName("veth-" + id)
+		if err == nil {
+			break
+		}
+		timeoutSec++
+		time.Sleep(time.Second * 1)
+	}
+	fmt.Println("DEBUG: got network device, configuring now..")
+	// could update link name, but we don't
+	lAddr, err := netlink.ParseAddr(ip)
+	if err != nil {
+		return err
+	}
+	err = netlink.AddrAdd(link, lAddr)
+	if err != nil {
+		return err
+	}
+	err = netlink.LinkSetUp(link)
+	if err != nil {
+		return err
+	}
+	// default route
+	//dNet, _ := netlink.ParseIPNet("0.0.0.0/0")
+	gateway := net.IPv4(10, 200, 1, 1)
+	dRoute := &netlink.Route{Dst: nil, Gw: gateway}
+	err = netlink.RouteAdd(dRoute)
+	if err != nil {
+		return err
+	}
 
-	unix.Sethostname([]byte(id))
+	fmt.Println("DEBUG: network device configured")
 
 	var pAttr unix.SysProcAttr
 	// TODO i dont think we need this

state.go

@@ -58,7 +58,6 @@ func saveContainer(c container.Container) error {
 	os.MkdirAll(container.CONTAINER_LIB, 0755)
 	sFPath := filepath.Join(container.CONTAINER_LIB, "state.json")
 	var sFile *os.File
-	fmt.Println("DEBUG: opening state file..")
 	sFile, err := os.OpenFile(sFPath, os.O_CREATE|os.O_RDWR, 0666)
 	if err != nil {
 		return err