generate and maintain resolv.conf for sandbox

Signed-off-by: Crazykev <[email protected]>

Author: Crazykev

pkg/server/container_start.go

@@ -119,7 +119,7 @@ func (c *criContainerdService) startContainer(ctx context.Context, id string, me
 	// Use fixed rootfs path for now.
 	const rootPath = "/"
 
-	spec, err := c.generateContainerSpec(id, sandboxPid, config, sandboxConfig)
+	spec, err := c.generateContainerSpec(id, sandboxID, sandboxPid, config, sandboxConfig)
 	if err != nil {
 		return fmt.Errorf("failed to generate container %q spec: %v", id, err)
 	}
@@ -219,7 +219,7 @@ func (c *criContainerdService) startContainer(ctx context.Context, id string, me
 	return nil
 }
 
-func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint32, config *runtime.ContainerConfig, sandboxConfig *runtime.PodSandboxConfig) (*runtimespec.Spec, error) {
+func (c *criContainerdService) generateContainerSpec(id, sandboxID string, sandboxPid uint32, config *runtime.ContainerConfig, sandboxConfig *runtime.PodSandboxConfig) (*runtimespec.Spec, error) {
 	// Creates a spec Generator with the default spec.
 	// TODO(random-liu): [P2] Move container runtime spec generation into a helper function.
 	g := generate.New()
@@ -283,7 +283,10 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 
 	// TODO(random-liu): [P1] Bind mount sandbox /dev/shm.
 
-	// TODO(random-liu): [P0] Bind mount sandbox resolv.conf.
+	// Bind mount sandbox resolv.conf.
+	if resolvPath := getResolvPath(getSandboxRootDir(c.rootDir, sandboxID), sandboxConfig); resolvPath != "" {
+		g.AddBindMount(resolvPath, resolvConfPath, []string{"ro"})
+	}
 
 	return g.Spec(), nil
 }

pkg/server/container_start_test.go

@@ -164,22 +164,24 @@ func getStartContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandboxC
 
 func TestGeneralContainerSpec(t *testing.T) {
 	testID := "test-id"
+	testPodID := "test-pod-id"
 	testPid := uint32(1234)
 	config, sandboxConfig, specCheck := getStartContainerTestData()
 	c := newTestCRIContainerdService()
-	spec, err := c.generateContainerSpec(testID, testPid, config, sandboxConfig)
+	spec, err := c.generateContainerSpec(testID, testPodID, testPid, config, sandboxConfig)
 	assert.NoError(t, err)
 	specCheck(t, testID, testPid, spec)
 }
 
 func TestContainerSpecTty(t *testing.T) {
 	testID := "test-id"
+	testPodID := "test-pod-id"
 	testPid := uint32(1234)
 	config, sandboxConfig, specCheck := getStartContainerTestData()
 	c := newTestCRIContainerdService()
 	for _, tty := range []bool{true, false} {
 		config.Tty = tty
-		spec, err := c.generateContainerSpec(testID, testPid, config, sandboxConfig)
+		spec, err := c.generateContainerSpec(testID, testPodID, testPid, config, sandboxConfig)
 		assert.NoError(t, err)
 		specCheck(t, testID, testPid, spec)
 		assert.Equal(t, tty, spec.Process.Terminal)
@@ -188,12 +190,13 @@ func TestContainerSpecTty(t *testing.T) {
 
 func TestContainerSpecReadonlyRootfs(t *testing.T) {
 	testID := "test-id"
+	testPodID := "test-pod-id"
 	testPid := uint32(1234)
 	config, sandboxConfig, specCheck := getStartContainerTestData()
 	c := newTestCRIContainerdService()
 	for _, readonly := range []bool{true, false} {
 		config.Linux.SecurityContext.ReadonlyRootfs = readonly
-		spec, err := c.generateContainerSpec(testID, testPid, config, sandboxConfig)
+		spec, err := c.generateContainerSpec(testID, testPodID, testPid, config, sandboxConfig)
 		assert.NoError(t, err)
 		specCheck(t, testID, testPid, spec)
 		assert.Equal(t, readonly, spec.Root.Readonly)

pkg/server/helpers.go

@@ -19,6 +19,7 @@ package server
 import (
 	"fmt"
 	"io"
+	"os"
 	"path/filepath"
 	"strings"
 	"syscall"
@@ -59,6 +60,11 @@ const (
 	sandboxesDir = "sandboxes"
 	// containersDir contains all container root.
 	containersDir = "containers"
+	// According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html:
+	// "The search list is currently limited to six domains with a total of 256 characters."
+	maxDNSSearches = 6
+	// resolvConfPath is the abs path of resolv.conf on host or container.
+	resolvConfPath = "/etc/resolv.conf"
 	// stdinNamedPipe is the name of stdin named pipe.
 	stdinNamedPipe = "stdin"
 	// stdoutNamedPipe is the name of stdout named pipe.
@@ -216,3 +222,86 @@ func (c *criContainerdService) getSandbox(id string) (*metadata.SandboxMetadata,
 func criContainerStateToString(state runtime.ContainerState) string {
 	return runtime.ContainerState_name[int32(state)]
 }
+
+// getResolvPath returns resolv.conf filepath for specified sandbox.
+func getResolvPath(sandboxRoot string, config *runtime.PodSandboxConfig) string {
+	if config.GetDnsConfig() == nil {
+		return ""
+	}
+	return filepath.Join(sandboxRoot, "resolv.conf")
+}
+
+// parseDNSOptions parse and write DNS options to specified path
+// if none option is specified, will copy host's resolv.conf.
+func parseDNSOptions(servers, searches, options []string, path string) error {
+	nServers := len(servers)
+	nSearches := len(searches)
+	nOptions := len(options)
+	if nServers == 0 && nSearches == 0 && nOptions == 0 {
+		return copyFile(resolvConfPath, path)
+	}
+
+	if nSearches > maxDNSSearches {
+		return fmt.Errorf("DNSOption.Searches has more than 6 domains")
+	}
+
+	f, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	if nSearches > 0 {
+		data := fmt.Sprintf("search %s\n", strings.Join(searches, " "))
+		_, err = f.Write([]byte(data))
+		if err != nil {
+			return err
+		}
+	}
+
+	if nServers > 0 {
+		data := fmt.Sprintf("nameserver %s\n", strings.Join(servers, "\nnameserver "))
+		_, err = f.Write([]byte(data))
+		if err != nil {
+			return err
+		}
+	}
+
+	if nOptions > 0 {
+		data := fmt.Sprintf("options %s\n", strings.Join(options, " "))
+		_, err = f.Write([]byte(data))
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// copyFile copy src file to dest file
+func copyFile(src, dest string) error {
+	in, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer in.Close()
+
+	out, err := os.Create(dest)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	_, err = io.Copy(out, in)
+	return err
+}
+
+// removeFile will remove specified file, return success if not exist
+func removeFile(path string) error {
+	if _, err := os.Stat(path); err == nil {
+		if err := os.Remove(path); err != nil {
+			return err
+		}
+	}
+	return nil
+}

pkg/server/sandbox_run.go

@@ -124,7 +124,10 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
 	}
 
 	// Start sandbox container.
-	spec := c.generateSandboxContainerSpec(id, config)
+	spec, err := c.generateSandboxContainerSpec(id, config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate pod spec: %v", err)
+	}
 	rawSpec, err := json.Marshal(spec)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal oci spec %+v: %v", spec, err)
@@ -205,7 +208,7 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
 	return &runtime.RunPodSandboxResponse{PodSandboxId: id}, nil
 }
 
-func (c *criContainerdService) generateSandboxContainerSpec(id string, config *runtime.PodSandboxConfig) *runtimespec.Spec {
+func (c *criContainerdService) generateSandboxContainerSpec(id string, config *runtime.PodSandboxConfig) (*runtimespec.Spec, error) {
 	// TODO(random-liu): [P0] Get command from image config.
 	pauseCommand := []string{"sh", "-c", "while true; do sleep 1000000000; done"}
 
@@ -225,7 +228,20 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 	// Set hostname.
 	g.SetHostname(config.GetHostname())
 
-	// TODO(random-liu): [P0] Set DNS options. Maintain a resolv.conf for the sandbox.
+	// Set DNS options.
+	if dnsConfig := config.GetDnsConfig(); dnsConfig != nil {
+		// resolvPath is not "" guaranteed by 'dnsConfig != nil'
+		resolvPath := getResolvPath(getSandboxRootDir(c.rootDir, id), config)
+		err := parseDNSOptions(dnsConfig.Servers, dnsConfig.Searches, dnsConfig.Options, resolvPath)
+		if err != nil {
+			err1 := removeFile(resolvPath)
+			if err1 != nil {
+				return nil, fmt.Errorf("%v; failed to remove %s: %v", err, resolvPath, err1)
+			}
+			return nil, err
+		}
+		g.AddBindMount(resolvPath, resolvConfPath, []string{"ro"})
+	}
 
 	// TODO(random-liu): [P0] Add NamespaceGetter and PortMappingGetter to initialize network plugin.
 
@@ -276,5 +292,5 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 
 	// TODO(random-liu): [P1] Set default sandbox container resource limit.
 
-	return g.Spec()
+	return g.Spec(), nil
 }

pkg/server/sandbox_run_test.go

@@ -113,7 +113,8 @@ func TestGenerateSandboxContainerSpec(t *testing.T) {
 		if test.configChange != nil {
 			test.configChange(config)
 		}
-		spec := c.generateSandboxContainerSpec(testID, config)
+		spec, err := c.generateSandboxContainerSpec(testID, config)
+		assert.NoError(t, err)
 		specCheck(t, testID, spec)
 		if test.specCheck != nil {
 			test.specCheck(t, spec)