Merge pull request #515 from fahedouch/integrate-gvisor-tap-vsock-network-driver

Add gvisor-tap-vsock network driver support

Author: AkihiroSuda

.github/workflows/main.yaml

@@ -70,6 +70,10 @@ jobs:
       run: |
         docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh pasta
         docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh pasta --detach-netns
+    - name: "Integration test: Network (network driver=gvisor-tap-vsock)"
+      run: |
+        docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh gvisor-tap-vsock
+        docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh gvisor-tap-vsock --detach-netns
 # ===== Benchmark: Network (MTU=1500) =====
     - name: "Benchmark: Network (MTU=1500, network driver=slirp4netns)"
       run: |
@@ -101,6 +105,14 @@ jobs:
       run: |
           docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
           rootlesskit:test-integration ./benchmark-iperf3-net.sh pasta 1500 --detach-netns
+    - name: "Benchmark: Network (MTU=1500, network driver=gvisor-tap-vsock)"
+      run: |
+          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
+          rootlesskit:test-integration ./benchmark-iperf3-net.sh gvisor-tap-vsock 1500
+    - name: "Benchmark: Network (MTU=1500, network driver=gvisor-tap-vsock) with detach-netns"
+      run: |
+          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
+          rootlesskit:test-integration ./benchmark-iperf3-net.sh gvisor-tap-vsock 1500 --detach-netns
     - name: "Benchmark: Network (MTU=1500, network driver=lxc-user-nic)"
       run: |
           docker run --rm --privileged \
@@ -126,6 +138,10 @@ jobs:
       run: |
           docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
           rootlesskit:test-integration ./benchmark-iperf3-net.sh pasta 65520
+    - name: "Benchmark: Network (MTU=65520, network driver=gvisor-tap-vsock)"
+      run: |
+          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
+          rootlesskit:test-integration ./benchmark-iperf3-net.sh gvisor-tap-vsock 65520
     - name: "Benchmark: Network (MTU=65520, network driver=lxc-user-nic)"
       run: |
           docker run --rm --privileged \
@@ -242,3 +258,10 @@ jobs:
         docker exec test docker info
         docker exec test ./integration-docker.sh
         docker rm -f test
+    - name: "Docker Integration test: net=gvisor-tap-vsock, port-driver=builtin"
+      run: |
+        docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=gvisor-tap-vsock -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin rootlesskit:test-integration-docker
+        sleep 2
+        docker exec test docker info
+        docker exec test ./integration-docker.sh
+        docker rm -f test

cmd/rootlesskit/main.go

@@ -19,6 +19,7 @@ import (
 	"github.com/rootless-containers/rootlesskit/v2/pkg/child"
 	"github.com/rootless-containers/rootlesskit/v2/pkg/common"
 	"github.com/rootless-containers/rootlesskit/v2/pkg/copyup/tmpfssymlink"
+	"github.com/rootless-containers/rootlesskit/v2/pkg/network/gvisortapvsock"
 	"github.com/rootless-containers/rootlesskit/v2/pkg/network/lxcusernic"
 	"github.com/rootless-containers/rootlesskit/v2/pkg/network/none"
 	"github.com/rootless-containers/rootlesskit/v2/pkg/network/pasta"
@@ -97,7 +98,7 @@ See https://rootlesscontaine.rs/getting-started/common/ .
 		}, CategoryState),
 		Categorize(&cli.StringFlag{
 			Name:  "net",
-			Usage: "network driver [host, none, pasta(experimental), slirp4netns, vpnkit, lxc-user-nic(experimental)]",
+			Usage: "network driver [host, none, pasta(experimental), slirp4netns, vpnkit, lxc-user-nic(experimental), gvisor-tap-vsock(experimental)]",
 			Value: "host",
 		}, CategoryNetwork),
 		Categorize(&cli.StringFlag{
@@ -142,7 +143,7 @@ See https://rootlesscontaine.rs/getting-started/common/ .
 		}, CategoryNetwork),
 		Categorize(&cli.StringFlag{
 			Name:  "cidr",
-			Usage: "CIDR for pasta and slirp4netns networks (default: 10.0.2.0/24)",
+			Usage: "CIDR for pasta, slirp4netns and gvisor-tap-vsock networks (default: 10.0.2.0/24)",
 		}, CategoryNetwork),
 		Categorize(&cli.StringFlag{
 			Name:  "ifname",
@@ -536,6 +537,35 @@ func createParentOpt(clicontext *cli.Context) (parent.Opt, error) {
 		if err != nil {
 			return opt, err
 		}
+	case "gvisor-tap-vsock":
+		logrus.Warn("\"gvisor-tap-vsock\" network driver is experimental")
+		if disableHostLoopback {
+			logrus.Warn("\"--disable-host-loopback\" is not yet supported for gvisor-tap-vsock")
+		}
+
+		if clicontext.String("cidr") != "" {
+			ipnet, err = parseCIDR(clicontext.String("cidr"))
+			if err != nil {
+				return opt, err
+			}
+		} else {
+			// Default CIDR for the virtual network
+			_, ipnet, err = net.ParseCIDR("10.0.2.0/24")
+			if err != nil {
+				return opt, err
+			}
+		}
+
+		if clicontext.Bool("ipv6") {
+			// virtual network does not support IPv6 yet
+			// see https://github.com/containers/gvisor-tap-vsock/blob/v0.8.6/pkg/virtualnetwork/virtualnetwork.go#L102
+			return opt, errors.New("--ipv6 is not supported for gvisor-tap-vsock")
+		}
+
+		opt.NetworkDriver, err = gvisortapvsock.NewParentDriver(&logrusDebugWriter{label: "network/gvisor-tap-vsock"}, mtu, ipnet, ifname, disableHostLoopback, ipv6)
+		if err != nil {
+			return opt, err
+		}
 	default:
 		return opt, fmt.Errorf("unknown network mode: %s", s)
 	}
@@ -635,6 +665,8 @@ func createChildOpt(clicontext *cli.Context) (child.Opt, error) {
 		opt.NetworkDriver = vpnkit.NewChildDriver()
 	case "lxc-user-nic":
 		opt.NetworkDriver = lxcusernic.NewChildDriver()
+	case "gvisor-tap-vsock":
+		opt.NetworkDriver = gvisortapvsock.NewChildDriver()
 	default:
 		return opt, fmt.Errorf("unknown network mode: %s", s)
 	}

docs/network.md

@@ -7,6 +7,7 @@ RootlessKit provides several drivers for providing network connectivity:
 * `--net=slirp4netns`: use [slirp4netns](https://github.com/rootless-containers/slirp4netns) (recommended)
 * `--net=vpnkit`: use [VPNKit](https://github.com/moby/vpnkit)
 * `--net=lxc-user-nic`: use `lxc-user-nic` (experimental)
+* `--net=gvisor-tap-vsock`: use [gvisor-tap-vsock](https://github.com/containers/gvisor-tap-vsock) (experimental)
 
 [Benchmark: iperf3 from the child to the parent (Mar 8, 2020)](https://github.com/rootless-containers/rootlesskit/runs/492498728):
 
@@ -207,6 +208,53 @@ You might need to reset `/var/lib/misc/dnsmasq.lxcbr0.leases` and restart the `l
 
 Currently, the MAC address is always set to a random address.
 
+### `--net=gvisor-tap-vsock` (experimental)
+
+`--net=gvisor-tap-vsock` isolates the network namespace from the host and uses [gvisor-tap-vsock](https://github.com/containers/gvisor-tap-vsock) for providing usermode networking.
+
+Pros:
+* Possible to perform network-namespaced operations, e.g. creating iptables rules, running `tcpdump`
+* Supports ICMP Echo (`ping`) when `/proc/sys/net/ipv4/ping_group_range` is configured
+
+Cons:
+* Supports only TCP, UDP, and ICMP Echo packets
+* Does not support IPv6 routing (`--ipv6`)
+
+The network is configured as follows by default:
+* IP: 10.0.2.100/24
+* Gateway: 10.0.2.1
+* DNS: 10.0.2.1
+
+The network configuration can be changed by specifying custom CIDR, e.g. `--cidr=10.0.3.0/24`.
+
+As in `--net=slirp4netns`, specifying `--copy-up=/etc` is highly recommended unless `/etc/resolv.conf` on the host is statically configured. It is also highly recommended to specify `--disable-host-loopback`. Otherwise ports listening on 127.0.0.1 in the host are accessible as 10.0.2.1 in the RootlessKit's network namespace.
+
+Example session:
+
+```console
+$ rootlesskit --net=gvisor-tap-vsock --copy-up=/etc --disable-host-loopback bash
+rootlesskit$ ip a
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host 
+       valid_lft forever preferred_lft forever
+2: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UP group default qlen 1000
+    link/ether 1a:25:a3:a5:1d:03 brd ff:ff:ff:ff:ff:ff
+    inet 10.0.2.100/24 scope global tap0
+       valid_lft forever preferred_lft forever
+    inet6 fe80::1825:a3ff:fea5:1d03/64 scope link 
+       valid_lft forever preferred_lft forever
+rootlesskit$ ip r
+default via 10.0.2.1 dev tap0
+10.0.2.0/24 dev tap0 proto kernel scope link src 10.0.2.100
+rootlesskit$ cat /etc/resolv.conf 
+nameserver 10.0.2.1
+rootlesskit$ curl https://www.google.com
+<!doctype html><html ...>...</html>
+```
+
 ## IPv6
 
 The `--ipv6` flag (since v0.14.0, EXPERIMENTAL) enables IPv6 routing for slirp4netns network driver.

go.mod

@@ -5,6 +5,7 @@ go 1.23.0
 require (
 	github.com/Masterminds/semver/v3 v3.4.0
 	github.com/containernetworking/plugins v1.7.1
+	github.com/containers/gvisor-tap-vsock v0.8.6
 	github.com/gofrs/flock v0.12.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.1
@@ -19,11 +20,23 @@ require (
 )
 
 require (
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
+	github.com/google/btree v1.1.2 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/gopacket v1.1.19 // indirect
+	github.com/miekg/dns v1.1.65 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
+	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.31.0 // indirect
+	gvisor.dev/gvisor v0.0.0-20240916094835-a174eb65023f // indirect
 )