Using netns to perform socat

This commit removes the usage of nsenter and uses netns
to perform socat operation.

Signed-off-by: abhi <[email protected]>

Author: abhi

pkg/server/sandbox_portforward.go

@@ -23,12 +23,12 @@ import (
 	"os/exec"
 	"strings"
 
+	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 	runtime "k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
 
-	ctrdutil "github.com/containerd/cri/pkg/containerd/util"
 	sandboxstore "github.com/containerd/cri/pkg/store/sandbox"
 )
 
@@ -46,19 +46,17 @@ func (c *criService) PortForward(ctx context.Context, r *runtime.PortForwardRequ
 	return c.streamServer.GetPortForward(r)
 }
 
-// portForward requires `nsenter` and `socat` on the node, it uses `nsenter` to enter the
+// portForward requires `socat` on the node, it uses netns to enter the
 // sandbox namespace, and run `socat` inside the namespace to forward stream for a specific
 // port. The `socat` command keeps running until it exits or client disconnect.
 func (c *criService) portForward(id string, port int32, stream io.ReadWriteCloser) error {
 	s, err := c.sandboxStore.Get(id)
 	if err != nil {
 		return errors.Wrapf(err, "failed to find sandbox %q in store", id)
 	}
-	t, err := s.Container.Task(ctrdutil.NamespacedContext(), nil)
-	if err != nil {
-		return errors.Wrap(err, "failed to get sandbox container task")
+	if s.NetNS == nil {
+		return errors.Errorf("failed to find network namespace fo sandbox %q in store", id)
 	}
-	pid := t.Pid()
 
 	socat, err := exec.LookPath("socat")
 	if err != nil {
@@ -67,48 +65,44 @@ func (c *criService) portForward(id string, port int32, stream io.ReadWriteClose
 
 	// Check following links for meaning of the options:
 	// * socat: https://linux.die.net/man/1/socat
-	// * nsenter: http://man7.org/linux/man-pages/man1/nsenter.1.html
-	args := []string{"-t", fmt.Sprintf("%d", pid), "-n", socat,
-		"-", fmt.Sprintf("TCP4:localhost:%d", port)}
-
-	nsenter, err := exec.LookPath("nsenter")
-	if err != nil {
-		return errors.Wrap(err, "failed to find nsenter")
-	}
-
-	logrus.Infof("Executing port forwarding command: %s %s", nsenter, strings.Join(args, " "))
-
-	cmd := exec.Command(nsenter, args...)
-	cmd.Stdout = stream
-
-	stderr := new(bytes.Buffer)
-	cmd.Stderr = stderr
-
-	// If we use Stdin, command.Run() won't return until the goroutine that's copying
-	// from stream finishes. Unfortunately, if you have a client like telnet connected
-	// via port forwarding, as long as the user's telnet client is connected to the user's
-	// local listener that port forwarding sets up, the telnet session never exits. This
-	// means that even if socat has finished running, command.Run() won't ever return
-	// (because the client still has the connection and stream open).
-	//
-	// The work around is to use StdinPipe(), as Wait() (called by Run()) closes the pipe
-	// when the command (socat) exits.
-	in, err := cmd.StdinPipe()
-	if err != nil {
-		return errors.Wrap(err, "failed to create stdin pipe")
-	}
-	go func() {
-		if _, err := io.Copy(in, stream); err != nil {
-			logrus.WithError(err).Errorf("Failed to copy port forward input for %q port %d", id, port)
+	args := []string{"-", fmt.Sprintf("TCP4:localhost:%d", port)}
+	logrus.Infof("Executing port forwarding command: %s %s", socat, strings.Join(args, " "))
+	err = s.NetNS.GetNs().Do(func(_ ns.NetNS) error {
+		cmd := exec.Command(socat, args...)
+		cmd.Stdout = stream
+
+		stderr := new(bytes.Buffer)
+		cmd.Stderr = stderr
+
+		// If we use Stdin, command.Run() won't return until the goroutine that's copying
+		// from stream finishes. Unfortunately, if you have a client like telnet connected
+		// via port forwarding, as long as the user's telnet client is connected to the user's
+		// local listener that port forwarding sets up, the telnet session never exits. This
+		// means that even if socat has finished running, command.Run() won't ever return
+		// (because the client still has the connection and stream open).
+		//
+		// The work around is to use StdinPipe(), as Wait() (called by Run()) closes the pipe
+		// when the command (socat) exits.
+		in, err := cmd.StdinPipe()
+		if err != nil {
+			return errors.Wrap(err, "failed to create stdin pipe")
 		}
-		in.Close()
-		logrus.Debugf("Finish copy port forward input for %q port %d: %v", id, port)
-	}()
-
-	if err := cmd.Run(); err != nil {
-		return errors.Errorf("nsenter command returns error: %v, stderr: %q", err, stderr.String())
+		go func() {
+			if _, err := io.Copy(in, stream); err != nil {
+				logrus.WithError(err).Errorf("Failed to copy port forward input for %q port %d", id, port)
+			}
+			in.Close()
+			logrus.Debugf("Finish copy port forward input for %q port %d: %v", id, port)
+		}()
+
+		if err := cmd.Run(); err != nil {
+			return errors.Wrapf(err, "socat command returns error, stderr: %q", stderr.String())
+		}
+		return nil
+	})
+	if err != nil {
+		return errors.Wrapf(err, "failed to execute portforward in network namespace %s", s.NetNS.GetPath())
 	}
-
 	logrus.Infof("Finish port forwarding for %q port %d", id, port)
 
 	return nil

pkg/store/sandbox/netns.go

@@ -124,3 +124,10 @@ func (n *NetNS) GetPath() string {
 	defer n.Unlock()
 	return n.ns.Path()
 }
+
+// GetNs returns the network namespace handle
+func (n *NetNS) GetNs() cnins.NetNS {
+	n.Lock()
+	defer n.Unlock()
+	return n.ns
+}