istio.io/istio@v0.0.0-20240520182934-d79c90f27776/cni/pkg/nodeagent/netns_linux.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package nodeagent
    16  
    17  import (
    18  	"fmt"
    19  	"runtime"
    20  	"sync"
    21  
    22  	netns "github.com/containernetworking/plugins/pkg/ns"
    23  	"golang.org/x/sys/unix"
    24  )
    25  
    26  type NetnsWrapper struct {
    27  	innerNetns netns.NetNS
    28  	inode      uint64
    29  }
    30  
    31  func (n *NetnsWrapper) Inode() uint64 {
    32  	return n.inode
    33  }
    34  
    35  func (n *NetnsWrapper) Close() error {
    36  	return n.innerNetns.Close()
    37  }
    38  
    39  func (n *NetnsWrapper) Fd() uintptr {
    40  	return n.innerNetns.Fd()
    41  }
    42  
    43  func inodeForFd(n NetnsFd) (uint64, error) {
    44  	stats := &unix.Stat_t{}
    45  	err := unix.Fstat(int(n.Fd()), stats)
    46  	return stats.Ino, err
    47  }
    48  
    49  func OpenNetns(nspath string) (NetnsCloser, error) {
    50  	n, err := netns.GetNS(nspath)
    51  	if err != nil {
    52  		return nil, err
    53  	}
    54  	i, err := inodeForFd(n)
    55  	if err != nil {
    56  		n.Close()
    57  		return nil, err
    58  	}
    59  	return &NetnsWrapper{innerNetns: n, inode: i}, nil
    60  }
    61  
    62  func NetnsSet(n NetnsFd) error {
    63  	if err := unix.Setns(int(n.Fd()), unix.CLONE_NEWNET); err != nil {
    64  		return fmt.Errorf("Error switching to ns fd %v: %v", n.Fd(), err)
    65  	}
    66  	return nil
    67  }
    68  
    69  // inspired by netns.Do() but with an existing fd.
    70  func NetnsDo(fdable NetnsFd, toRun func() error) error {
    71  	containedCall := func() error {
    72  		threadNS, err := netns.GetCurrentNS()
    73  		if err != nil {
    74  			return fmt.Errorf("failed to open current netns: %v", err)
    75  		}
    76  		defer threadNS.Close()
    77  
    78  		// switch to target namespace
    79  		if err = NetnsSet(fdable); err != nil {
    80  			return err
    81  		}
    82  		defer func() {
    83  			err := threadNS.Set() // switch back
    84  			if err == nil {
    85  				// Unlock the current thread only when we successfully switched back
    86  				// to the original namespace; otherwise leave the thread locked which
    87  				// will force the runtime to scrap the current thread, that is maybe
    88  				// not as optimal but at least always safe to do.
    89  				runtime.UnlockOSThread()
    90  			}
    91  		}()
    92  
    93  		return toRun()
    94  	}
    95  
    96  	var wg sync.WaitGroup
    97  	wg.Add(1)
    98  
    99  	// Start the callback in a new green thread so that if we later fail
   100  	// to switch the namespace back to the original one, we can safely
   101  	// leave the thread locked to die without a risk of the current thread
   102  	// left lingering with incorrect namespace.
   103  	var innerError error
   104  	go func() {
   105  		defer wg.Done()
   106  		runtime.LockOSThread()
   107  		innerError = containedCall()
   108  	}()
   109  	wg.Wait()
   110  
   111  	return innerError
   112  }