Merge pull request #1805 from JoshuaWatt/netns

Network Namespace Implementation

Author: jluebbe

.github/workflows/reusable-unit-tests.yml

@@ -43,6 +43,10 @@ jobs:
         cat ~/.ssh/id_ed25519.local.pub >> ~/.ssh/authorized_keys
         echo -e "Host localhost ip6-localhost\n  Hostname 127.0.0.1\n  IdentityFile ~/.ssh/id_ed25519.local\n  UserKnownHostsFile ~/.ssh/known_hosts.local" >> ~/.ssh/config
         ssh -o StrictHostKeyChecking=no localhost echo OK
+    - name: Enable unprivileged user namespaces
+      run: |
+        sudo sysctl kernel.unprivileged_userns_clone=1
+        unshare -Un true
     - name: Install python dependencies
       run: |
         python -m pip install --upgrade pip virtualenv

helpers/labgrid-raw-interface

@@ -11,10 +11,20 @@ import argparse
 import os
 import string
 import sys
+import subprocess
+import json
+import struct
+import fcntl
 
 import yaml
 
 
+def get_sudo_uid() -> int:
+    uid = os.environ["SUDO_UID"]
+    if uid is not None:
+        return int(uid)
+
+
 def get_denylist():
     denylist_file = "/etc/labgrid/helpers.yaml"
     try:
@@ -32,6 +42,66 @@ def get_denylist():
 
     return denylist
 
+def open_tap(name, device="/dev/net/tun"):
+    TUNSETIFF = 0x400454CA
+    IFF_NO_PI = 0x1000
+    O_RDWR = 0x2
+    IFF_TAP = 0x0002
+
+    flags = IFF_TAP | IFF_NO_PI
+    name = name.encode()
+    ifr_name = name + b"\x00" * (16 - len(name))
+    ifr = struct.pack("16sH22s", ifr_name, flags, b"\x00" * 22)
+
+    fd = os.open(device, O_RDWR)
+    fcntl.ioctl(fd, TUNSETIFF, ifr)
+    return fd
+
+
+def handle_ns_macvtap(options):
+    # Use macvtap in bridge mode. This is more consistent than using hairpin
+    # mode and relying on a switch to relay packets back into the interface.
+    output = subprocess.check_output(
+        ["ip", "-j", "-echo", "link", "add", "link", options.ifname, "type", "macvtap", "mode", "bridge"]
+    )
+    output = json.loads(output)
+    assert len(output) == 1
+    ifindex_new = output[0]["ifindex"]
+    ifname_new = output[0]["ifname"]
+    assert ifname_new.startswith("macvtap")
+    try:
+        # Set the flag that tells the kernel to allow multicast to flow through
+        # the macvtap. This is required to be done on the exporter side for the
+        # client to receive multicast groups that the exporter is not listening
+        # to. Note that the client still needs to do multicast group membership
+        # to tell intermediate routers about the groups, this just prevents the
+        # kernel from filtering them out before they are sent to the tap.
+        subprocess.check_call(["ip", "link", "set", "allmulticast", "on", "dev", ifname_new])
+
+        if options.mac_address:
+            subprocess.check_call(
+                ["ip", "link", "set", "address", options.mac_address, "dev", ifname_new])
+        subprocess.check_call(
+            ["ip", "link", "set", "dev", ifname_new, "name", "macvtap0", "up", "netns", str(options.pid), "index", str(ifindex_new)]
+        )
+    except:
+        subprocess.check_call(
+            ["ip", "link", "del", ifname_new]
+        )
+        raise
+    tap_name = f"/dev/tap{ifindex_new}"
+    uid = get_sudo_uid()
+    os.chown(
+        path=tap_name,
+        uid=uid,
+        gid=-1,
+        follow_symlinks=False,
+    )
+
+    with os.fdopen(open_tap(ifname_new, device=tap_name)) as macvtap_fd:
+        os.set_inheritable(macvtap_fd.fileno(), True)
+        os.execlp("labgrid-tap-fwd", "labgrid-tap-fwd", str(macvtap_fd.fileno()))
+
 
 def main(program, options):
     if not options.ifname:
@@ -46,7 +116,7 @@ def main(program, options):
     if options.ifname in denylist:
         raise ValueError(f"Interface name '{options.ifname}' is denied in denylist.")
 
-    programs = ["tcpreplay", "tcpdump", "ip", "ethtool"]
+    programs = ["tcpreplay", "tcpdump", "ip", "ethtool", "ns-macvtap"]
     if program not in programs:
         raise ValueError(f"Invalid program {program} called with wrapper, valid programs are: {programs}")
 
@@ -112,6 +182,10 @@ def main(program, options):
             args.append(options.ifname)
             args.extend(options.ethtool_pause_args)
 
+    elif program == "ns-macvtap":
+        handle_ns_macvtap(options)
+        return
+
     try:
         os.execvp(args[0], args)
     except FileNotFoundError as e:
@@ -165,6 +239,12 @@ if __name__ == "__main__":
         "ethtool_pause_args", metavar="ARG", nargs=argparse.REMAINDER, help="ethtool --pause args"
     )
 
+    # ns-macvtap
+    ns_mactap_parser = subparsers.add_parser("ns-macvtap")
+    ns_mactap_parser.add_argument("ifname", type=str, help="interface name")
+    ns_mactap_parser.add_argument("pid", type=int, help="pid of namespace agent")
+    ns_mactap_parser.add_argument("--mac-address", type=str, metavar="ADDRESS", help="Set interface MAC address to ADDRESS")
+
     args = parser.parse_args()
     try:
         main(args.program, args)

labgrid/driver/rawnetworkinterfacedriver.py

@@ -3,15 +3,19 @@
 import json
 import subprocess
 import time
+import os
 
 import attr
 
 from .common import Driver
+from .exception import ExecutionError
 from ..factory import target_factory
 from ..step import step
+from ..util.agentwrapper import AgentWrapper
 from ..util.helper import processwrapper
 from ..util.managedfile import ManagedFile
 from ..util.timeout import Timeout
+from ..util.netns import NetNamespace
 from ..resource.common import NetworkResource
 
 
@@ -354,3 +358,114 @@ def get_address(self):
         Returns the MAC address of the bound network interface resource.
         """
         return self.get_statistics()["address"]
+
+    @Driver.check_active
+    @contextlib.contextmanager
+    def _netns(self, host):
+        with AgentWrapper(host) as wrapper:
+            ns = wrapper.load("netns")
+            ns.unshare()
+            yield ns
+
+    @Driver.check_active
+    @step()
+    @contextlib.contextmanager
+    def setup_netns(self, mac_address=None):
+        with contextlib.ExitStack() as ctx:
+            remote_ns = ctx.enter_context(self._netns(self.iface.host))
+            local_ns = ctx.enter_context(self._netns(None))
+
+            cmd = [
+                "-d",
+                "ns-macvtap",
+                self.iface.ifname,
+                str(remote_ns.get_pid()),
+            ]
+            if mac_address:
+                cmd.append("--mac-address")
+                cmd.append(mac_address)
+
+            # Start tap forward in remote namespace
+            remote_fwd = ctx.enter_context(
+                subprocess.Popen(
+                    self._wrap_command(cmd),
+                    stdout=subprocess.PIPE,
+                    stdin=subprocess.PIPE,
+                )
+            )
+            ctx.callback(lambda: remote_fwd.terminate())
+            self.logger.debug("Started remote tap forward '%s'", " ".join(remote_fwd.args))
+
+            r_macaddr = None
+            to = Timeout(30.0)
+            while True:
+                if to.expired:
+                    raise TimeoutError("Timeout waiting for remote macvtap to be established")
+
+                links = remote_ns.get_links()
+                for link in links:
+                    if link["ifname"] == "macvtap0":
+                        r_macaddr = link["address"]
+                        break
+
+                if r_macaddr is not None:
+                    break
+
+                if remote_fwd.poll() is not None:
+                    raise ExecutionError(
+                        f"Remote tap forward {remote_fwd.pid} died with {remote_fwd.returncode} during setup"
+                    )
+
+                time.sleep(0.1)
+
+            self.logger.debug("Remote macvtap MAC address is %s", r_macaddr)
+
+            _, fd = local_ns.create_tun(address=r_macaddr)
+            tun_fd = ctx.enter_context(os.fdopen(fd))
+
+            links = local_ns.get_links()
+            link_names = [link["ifname"] for link in links]
+            assert "tap0" in link_names
+
+            local_fwd = ctx.enter_context(
+                subprocess.Popen(
+                    local_ns.get_prefix() + ["labgrid-tap-fwd", str(tun_fd.fileno())],
+                    stdin=remote_fwd.stdout,
+                    stdout=remote_fwd.stdin,
+                    pass_fds=(tun_fd.fileno(),),
+                )
+            )
+            ctx.callback(lambda: local_fwd.terminate())
+            self.logger.debug("Started local tap forward '%s'", " ".join(local_fwd.args))
+
+            # Close local pipes for the remote forward, now that the local forward is running
+            remote_fwd.stdin.close()
+            remote_fwd.stdout.close()
+
+            ns = NetNamespace(local_ns)
+
+            # Wait for IPv6 address negotiation to finish
+            to = Timeout(30.0)
+            while True:
+                if to.expired:
+                    raise TimeoutError("Timeout waiting for IPv6 address negotiation to finish")
+
+                data = json.loads(
+                    ns.run(["ip", "-j", "addr", "show", "dev", ns.intf], check=True, stdout=subprocess.PIPE).stdout
+                )
+                for addr in data[0].get("addr_info", []):
+                    if addr.get("tentative", False):
+                        break
+                else:
+                    # No tentative addresses
+                    break
+
+                if remote_fwd.poll() is not None:
+                    raise ExecutionError(f"Remote tap forward {remote_fwd.pid} died with {remote_fwd.returncode}")
+
+                if local_fwd.poll() is not None:
+                    raise ExecutionError(f"Local tap forward {local_fwd.pid} died with {local_fwd.returncode}")
+
+                time.sleep(0.1)
+
+            yield ns

labgrid/remote/client.py

@@ -17,6 +17,7 @@
 import shutil
 import json
 import itertools
+import ipaddress
 from textwrap import indent
 from socket import gethostname
 from getpass import getuser
@@ -1410,6 +1411,38 @@ def audio(self):
         if res:
             raise InteractiveCommandError("gst-launch-1.0 error", res)
 
+    def netns(self):
+        place = self.get_acquired_place()
+        with self._get_target(place) as target:
+            name = self.args.name
+            drv = self._get_driver_or_new(target, "RawNetworkInterfaceDriver", name=name)
+            with drv.setup_netns(self.args.mac_address) as ns:
+                for a in self.args.address:
+                    ns.run(["ip", "addr", "add", str(a), "dev", ns.intf], check=True)
+
+                if self.args.nsenter:
+                    with open(self.args.nsenter, "w") as wrapper:
+                        wrapper.write(
+                            "\n".join(
+                                [
+                                    "#!/usr/bin/sh",
+                                    " ".join(ns.prefix) + ' "$@"',
+                                    "",
+                                ]
+                            )
+                        )
+                        os.fchmod(wrapper.fileno(), 0o755)
+                    print(f"Use {self.args.nsenter} to enter the namespace")
+
+                cmd = self.args.cmd
+                if not cmd:
+                    # Same behavior as nsenter with no command
+                    cmd = os.environ.get("SHELL", "/bin/sh")
+
+                p = ns.run(cmd)
+                if p.returncode != 0:
+                    raise InteractiveCommandError("netns command error", p.returncode)
+
     def _get_tmc(self):
         place = self.get_acquired_place()
         target = self._get_target(place)
@@ -2070,6 +2103,30 @@ def get_parser(auto_doc_mode=False) -> "argparse.ArgumentParser | AutoProgramArg
     subparser.add_argument("--name", "-n", help="optional resource name")
     subparser.set_defaults(func=ClientSession.audio)
 
+    subparser = subparsers.add_parser("netns", help="start a network namespace with access to NetworkInterface")
+    subparser.add_argument("--name", "-n", help="optional resource name")
+    subparser.add_argument(
+        "--address",
+        "-a",
+        type=ipaddress.ip_interface,
+        action="append",
+        default=[],
+        help="assign address to interface (CIDR notation)",
+    )
+    subparser.add_argument("--mac-address", help="assign MAC address to interface")
+    subparser.add_argument(
+        "--nsenter",
+        "-e",
+        nargs="?",
+        default=False,
+        const="labgrid-nsenter",
+        help="create nsenter wrapper script",
+    )
+    subparser.add_argument(
+        "cmd", nargs=argparse.REMAINDER, help="command to execute in the namespace. If unspecified, $SHELL is invoked"
+    )
+    subparser.set_defaults(func=ClientSession.netns)
+
     tmc_parser = subparsers.add_parser("tmc", help="control a USB TMC device")
     tmc_parser.add_argument("--name", "-n", help="optional resource name")
     tmc_parser.set_defaults(func=lambda _: tmc_parser.print_help(file=sys.stderr))