Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / c607bf67ae20b17e8f254a7e3817e2d1a93114be
commitc607bf67ae20b17e8f254a7e3817e2d1a93114be[log] [tgz]
authorLorenz Brun <lorenz@monogon.tech>Tue Jul 22 20:25:26 2025 +0200
committerLorenz Brun <lorenz@monogon.tech>Mon Aug 11 21:44:47 2025 +0000
tree23cbb4bb40570be41cca51699c288f193b2b7029
parent4bde9313d653c7a3714d824f9904aa4081796560 [diff]
m/node: implement container networking ourselves

This change gets rid of the CNI mechanism for configuring container
networking in favour of a split approach where the network service is
extended by a gRPC workload network service which handles all of the
work as well as a library which exposes just enough of go-cni's
interface to be a drop-in replacement in containerd, which then talks
to the workload network service.

This is a rather unconventional approach do doing things as CNI itself
is a pluggable interface. The reason for doing it this way is that the
binary executing interface of CNI has a huge spec which is also horrible
to convert into decent Go types and being a binary-calling interface has
inherent lifecycle, complexity and image size disadvantages. The part of
CNI that is actually used by containerd is tiny and its arguments are
well-specified and have decent Go types. It also avoids the whole CNI
caching mechanic which adds further unnecessary complexity.

The reason for the split service model instead of implementing
everything in cniproxy is to allow for more complex logic and Monogon
control plane interfacing from the workload network service. Also this
will allow offloading the actual service to things like DPUs.

Right now there is some uglyness left to make this self-contained. Two
obvious examples are the piping through of the pod network event value
and the exclusion of the first (non-network) IP from the IP allocator.
These will eventually go away but are necessary to get this to work as a
standalone change.

Change-Id: I46c604b7dfd58da9e6ddd0a29241680d25a2a745
Reviewed-on: https://review.monogon.dev/c/monogon/+/4496
Reviewed-by: Jan Schär <jan@monogon.tech>
Tested-by: Jenkins CI
30 files changed
tree: 23cbb4bb40570be41cca51699c288f193b2b7029
  1. .github/
  2. .vscode/
  3. build/
  4. cloud/
  5. go/
  6. metropolis/
  7. osbase/
  8. third_party/
  9. tools/
  10. version/
  11. .bazelignore
  12. .bazelproject
  13. .bazelrc
  14. .bazelrc.ci
  15. .bazelversion
  16. .envrc
  17. .git-ignore-revs
  18. .gitignore
  19. .gitreview
  20. BUILD.bazel
  21. CODING_STANDARDS.md
  22. go.mod
  23. go.sum
  24. LICENSE
  25. MODULE.bazel
  26. MODULE.bazel.lock
  27. README.md
  28. SETUP.md
  29. shell.nix
README.md

Monogon Monorepo

This is the main repository containing the source code for the Monogon Platform.

This is pre-release software - take a look, and check back later! In the meantime, join us on Matrix (#monogon-os-community:matrix.org) or Discord.

Environment

Our build environment is self-contained and requires only minimal host dependencies:

  • A Linux machine or VM.
  • Bazelisk >= v1.15.0 (or a working Nix environment).
  • git to check out modules.
  • python3 to generate the workspace status to stamp.
  • A reasonably recent kernel, user namespaces are recommended for performance reasons.
  • Working KVM with access to /dev/kvm (if you want to run tests).

Our docs assume that Bazelisk is available as bazel on your PATH.

Refer to SETUP.md for detailed instructions.

Monogon OS

The source code lives in //metropolis (Metropolis is the codename of Monogon OS).

See the //metropolis/README.md for a developer quick start guide, or see the Monogon OS Handbook for user documentation.