Driver networking support

Adds support for passing network isolation config into drivers and implements support in the rawexec driver as a proof of concept
2026-01-08 11:25:41 +03:00 · 2019-04-29 13:37:23 -04:00
parent 9fa47daf5c
commit e26192ad49
9 changed files with 237 additions and 174 deletions
--- a/drivers/shared/executor/executor_linux.go
+++ b/drivers/shared/executor/executor_linux.go
@@ -10,11 +10,13 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"syscall"
 	"time"

 	"github.com/armon/circbuf"
+	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/hashicorp/consul-template/signals"
 	hclog "github.com/hashicorp/go-hclog"
 	multierror "github.com/hashicorp/go-multierror"
@@ -183,9 +185,30 @@ func (l *LibcontainerExecutor) Launch(command *ExecCommand) (*ProcessState, erro
 	l.systemCpuStats = stats.NewCpuStats()

 	// Starts the task
-	if err := container.Run(process); err != nil {
-		container.Destroy()
-		return nil, err
+	if command.NetworkIsolation != nil && command.NetworkIsolation.Path != "" {
+		// Lock to the thread we're changing the network namespace of
+		runtime.LockOSThread()
+		netns, err := ns.GetNS(command.NetworkIsolation.Path)
+		if err != nil {
+			return nil, err
+		}
+
+		// Start the container in the network namespace
+		err = netns.Do(func(ns.NetNS) error {
+			if err := container.Run(process); err != nil {
+				container.Destroy()
+				return err
+			}
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		if err := container.Run(process); err != nil {
+			container.Destroy()
+			return nil, err
+		}
 	}

 	pid, err := process.Pid()