api: add sandbox hotplug network

[caoruidong]

Fixes #113
Refactor generate interface and route, add network hotplug interface

Signed-off-by: Ruidong Cao caoruidong@huawei.com

[codecov]

Codecov Report

Merging #287 into master will decrease coverage by 0.05%.
The diff coverage is 53.26%.

@@            Coverage Diff            @@
##           master    #287      +/-   ##
=========================================
- Coverage   64.76%   64.7%   -0.06%     
=========================================
  Files          83      84       +1     
  Lines        9178    9551     +373     
=========================================
+ Hits         5944    6180     +236     
- Misses       2620    2723     +103     
- Partials      614     648      +34

[egernst]

@sboeuf - can you PTAL?

[bergwolf]

Generally looks good. Can you please add cli side change so that these APIs are actually used and tested?

[devimc]

s/hotPlugNetwork/plugRoutes

[devimc]

s/hotPlugNetwork/hotPullNetwork

[caoruidong]

Thx. Fixed

[sboeuf]

@caoruidong thx!
About the nil being returned, just make sure the result gets tested before being used.

[WeiZhang555]

@bergwolf @amshinde @sboeuf

1. create an empty sandbox/VM
2. run prestart hooks
3. scan and hotplug interfaces
4. create containers

By Scanning the net namespace from the CLI , I think you mean with NetNs monitor developed by @sboeuf ? If so, I'm totoally fine with it! This is what we agreed on before.

[bergwolf]

@WeiZhang555 Yes, I agree that we should rely on the netns monitor to do the (scan/hotplug) work.

[sboeuf]

@WeiZhang555 @bergwolf
I'd prefer to keep the network monitor solution a very specific one, only in case we want to detect network changes. But this monitoring process increases the footprint of the whole system, and might not be reliable for now in case of crash/restart. What I would suggest is that we can configure from configuration.toml if we want the network monitoring process or not. Based on this, we would either start the monitoring process before the OCI hooks from the CLI, or we would simply scan the netns from the CLI.

Does that make sense ?

Just to be clear, I'm trying to not push too much complexity with our current architecture, and that's why I'm trying to make sure we don't consider the network monitoring process as mandatory.

[sboeuf]

@caoruidong I have rebased and repushed so that we can see the code coverage as it was getting confused.

@WeiZhang555 @devimc you both had requested some changes, could you please take another look and let us know if the PR is okay now?

[caoruidong]

@sboeuf Codecov is still not working well. Maybe I need to update it again.

[sboeuf]

@caoruidong give it some time, now that the pr has been rebased on master, it should be fine I think ;)

[sboeuf]

@amshinde @chavafg do you know why codecov does not work here ? is it down ?

[chavafg]

Not sure,
I found this on the codecov.io site report [1].

Missing base report.
Unable to compare commits because the base of the pull request did not upload a coverage report.

Changes found in between 83008d4...cd514b6 (pseudo...base) which prevent comparing this pull request.

Maybe a new rebase is needed?

[1] https://codecov.io/gh/kata-containers/runtime/pull/287

[amshinde]

@sboeuf No idea. Maybe as @chavafg suggests, a rebase may help.

[sboeuf]

@amshinde @chavafg I did the rebase this morning, but didn't seem to fix the issue...

[bergwolf]

@sboeuf I think we should separate the daemon part of netns monitor from the actual implementation that does the scan/hotplug job, -- e.g., by making scan/hotplug a standalone package. Then both the netns monitor process, and the CLI can use the standalone package to kick off network scan/hotplug. The only difference is that netns is a long running daemon and CLI only does it in one shot when/after executing the prestart hooks. When there are no prestart hooks, CLI does not even bother calling scan/hotplug -- which would allow us to create a working sandbox w/o any external NICs.

[sboeuf]

@bergwolf yes definitely. I am currently working on reworking the whole OCI hook. This will be the first step. And then, we'll move more code to CLI if needed. But all of this sounds good to me :)

[sboeuf]

@caoruidong please try to fix the build for this as I'd like to get it merged by tomorrow (unless @WeiZhang555 @bergwolf or @devimc has any objections).

[opendev-zuul]

Build succeeded (third-party-check pipeline).

• kata-runsh : SUCCESS in 54m 35s

[WeiZhang555]

LGTM

I'd prefer to keep the network monitor solution a very specific one, only in case we want to detect network changes. But this monitoring process increases the footprint of the whole system, and might not be reliable for now in case of crash/restart. What I would suggest is that we can configure from configuration.toml if we want the network monitoring process or not. Based on this, we would either start the monitoring process before the OCI hooks from the CLI, or we would simply scan the netns from the CLI.
Does that make sense ?

I think this could make sense :-) @sboeuf

[katacontainersbot]

PSS Measurement:
Qemu: 169758 KB
Proxy: 4247 KB
Shim: 8959 KB

Memory inside container:
Total Memory: 2043464 KB
Free Memory: 2003760 KB

[caoruidong]

@sboeuf I add some tests. Please check if this is right

[sboeuf]

@caoruidong thank you very much!
I'll review and merge if everything's good :)

[opendev-zuul]

Build succeeded (third-party-check pipeline).

• kata-runsh : SUCCESS in 56m 53s

[sboeuf]

LGTM

[sboeuf]

Merging as -0.06% coverage is clearly negligible here.

[CaesarLXL]

This feature is currently not valid because the pull request 534 is not fully implemented.