Driver networking support

Adds support for passing network isolation config into drivers and
implements support in the rawexec driver as a proof of concept

drivers/shared/executor/executor.go

@@ -14,6 +14,7 @@ import (
 	"time"
 
 	"github.com/armon/circbuf"
+	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/hashicorp/consul-template/signals"
 	hclog "github.com/hashicorp/go-hclog"
 	multierror "github.com/hashicorp/go-multierror"
@@ -126,6 +127,8 @@ type ExecCommand struct {
 
 	// Devices are the the device nodes to be created in isolation environment
 	Devices []*drivers.DeviceConfig
+
+	NetworkIsolation *drivers.NetworkIsolationSpec
 }
 
 // SetWriters sets the writer for the process stdout and stderr. This should
@@ -308,8 +311,30 @@ func (e *UniversalExecutor) Launch(command *ExecCommand) (*ProcessState, error)
 
 	// Start the process
 	e.logger.Debug("launching", "command", command.Cmd, "args", strings.Join(command.Args, " "))
-	if err := e.childCmd.Start(); err != nil {
-		return nil, fmt.Errorf("failed to start command path=%q --- args=%q: %v", path, e.childCmd.Args, err)
+	if command.NetworkIsolation != nil && command.NetworkIsolation.Path != "" {
+		// Lock to the thread we're changing the network namespace of
+		runtime.LockOSThread()
+		netns, err := ns.GetNS(command.NetworkIsolation.Path)
+		if err != nil {
+			return nil, err
+		}
+
+		// Start the container in the network namespace
+		err = netns.Do(func(ns.NetNS) error {
+
+			if err := e.childCmd.Start(); err != nil {
+				return fmt.Errorf("failed to start command path=%q --- args=%q: %v", path, e.childCmd.Args, err)
+			}
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		if err := e.childCmd.Start(); err != nil {
+			return nil, fmt.Errorf("failed to start command path=%q --- args=%q: %v", path, e.childCmd.Args, err)
+		}
+
 	}
 
 	go e.pidCollector.collectPids(e.processExited, e.getAllPids)