third_party/go/patches/containerd-netns-statedir.patch

Copyright 2020 The Monogon Project Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


From 3e7a8cebf9d40487adc7d4a22b5c628add5e7eac Mon Sep 17 00:00:00 2001
From: Lorenz Brun <lorenz@nexantic.com>
Date: Wed, 27 Jan 2021 13:05:30 +0100
Subject: [PATCH] Move netns directory into StateDir

---
 pkg/netns/netns_unix.go   | 12 +++++-------
 pkg/server/sandbox_run.go |  3 ++-
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/pkg/netns/netns_unix.go b/pkg/netns/netns_unix.go
index 7449e235..b31716cb 100644
--- a/pkg/netns/netns_unix.go
+++ b/pkg/netns/netns_unix.go
@@ -48,14 +48,12 @@ import (
 	osinterface "github.com/containerd/cri/pkg/os"
 )
 
-const nsRunDir = "/var/run/netns"
-
 // Some of the following functions are migrated from
 // https://github.com/containernetworking/plugins/blob/master/pkg/testutils/netns_linux.go
 
 // newNS creates a new persistent (bind-mounted) network namespace and returns the
 // path to the network namespace.
-func newNS() (nsPath string, err error) {
+func newNS(baseDir string) (nsPath string, err error) {
 	b := make([]byte, 16)
 	if _, err := rand.Reader.Read(b); err != nil {
 		return "", errors.Wrap(err, "failed to generate random netns name")
@@ -64,13 +62,13 @@ func newNS() (nsPath string, err error) {
 	// Create the directory for mounting network namespaces
 	// This needs to be a shared mountpoint in case it is mounted in to
 	// other namespaces (containers)
-	if err := os.MkdirAll(nsRunDir, 0755); err != nil {
+	if err := os.MkdirAll(baseDir, 0755); err != nil {
 		return "", err
 	}
 
 	// create an empty file at the mount point
 	nsName := fmt.Sprintf("cni-%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
-	nsPath = path.Join(nsRunDir, nsName)
+	nsPath = path.Join(baseDir, nsName)
 	mountPointFd, err := os.Create(nsPath)
 	if err != nil {
 		return "", err
@@ -164,8 +162,8 @@ type NetNS struct {
 }
 
 // NewNetNS creates a network namespace.
-func NewNetNS() (*NetNS, error) {
-	path, err := newNS()
+func NewNetNS(baseDir string) (*NetNS, error) {
+	path, err := newNS(baseDir)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to setup netns")
 	}
diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go
index dd4c51e3..32a2d6e8 100644
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@@ -19,6 +19,7 @@ package server
 import (
 	"encoding/json"
 	"math"
+	"path/filepath"
 	goruntime "runtime"
 	"strings"
 
@@ -117,7 +118,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 		// handle. NetNSPath in sandbox metadata and NetNS is non empty only for non host network
 		// namespaces. If the pod is in host network namespace then both are empty and should not
 		// be used.
-		sandbox.NetNS, err = netns.NewNetNS()
+		sandbox.NetNS, err = netns.NewNetNS(filepath.Join(c.config.StateDir, "netns"))
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to create network namespace for sandbox %q", id)
 		}
-- 
2.25.1