-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds wireguard network support #472
Conversation
a97c0b8
to
412904a
Compare
810fb42
to
57f5727
Compare
64d5d96
to
205f288
Compare
2d48fe3
to
1438c2a
Compare
9afc3d8
to
3eff38b
Compare
0cd4656
to
344d34a
Compare
This PR is now ready for review. This feature is spread over 3 PRs: Review supportAs this is a huge PR and I have understood that you prefer 1 signed commit instead of many small ones I have written up some things that might be helpful/contentious. Network Driver Trait
Generic Netlink
WireGuard Network driverParsing
NLA generationNLAS for the netlink packages are generated in the driver file as the data types should be private to it. They are then passed to the generic netlink socket Setup flowCorresponds to https://www.wireguard.com/netns/ -> Ordinary Containerization Interface NameThe interface name is still passed from podman. This code could be the entrypoint AllowedIPs routingRight now a route is generated if the interface address(gateway) is part of the destination OR in the same supernet as the destination. I have added tests to verify that my logic is sound but maybe I have missed something? TestsTests for 1 succesful spawn using all supported configuration parameters is added. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My two cents but open to discussion and please feel free to correct me, I think there should be VPNDriver
and VPNDriver
should only implement wiregaurd
we are creating top level config for Wiregaurd
but it should be sub-config so this can become scalable in future.
@flouthoc this would work since everything is passed via the My thoughts on this:I would prefer not to have an abstraction layer over the drivers. It will make documentation more nested (difficult) and choosing the correct driver in the code will need to be made according to the |
I don't think we really want to add more VPN drivers, more abstractions just makes everything more complicated. |
@b-m-f validate and integrations test are failing, please see the CI logs |
There are some updates to the other netlink crates, maybe we should update them all first. |
@Luap99 Bingo. That seems to be it. Upgrading them all and reordering a few imports in The |
eb4443f
to
22fbbd3
Compare
Yeah just did it myself: #592 |
22fbbd3
to
8b2cbd2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
src/network/netlink_link.rs is an empty file, please remove it.
I did not look at the tests yet but code looks good so far but I want to take another look.
}; | ||
pub struct LinkSocket { | ||
socket: netlink_sys::Socket, | ||
sequence_number: u32, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one of the reasons I included the buffer in the struct was that rust AFAIK initializes the buffer ([0; 8192]
) with zeros every time you call it. So I wanted to it only once, of course I have not measured performance just something that I should take a look. I am ok with the change if it is not noticeable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see your point.
Just let me know what you prefer and I can try to move let mut buffer = [0; 8192];
back into the struct.
Looking at it right now I don't recall if there was a motive behind this change other than the comfort of having a dedicated buffer each time.
But if there was it'll come up during a rework for sure :)
Cargo.toml
Outdated
netlink-packet-core = "0.4.2" | ||
netlink-packet-route = "0.15" | ||
netlink-packet-core = "0.5.0" | ||
netlink-packet-wireguard = { git = "/~https://github.com/rust-netlink/netlink-packet-wireguard", version = "0.2.2" } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a specific thing you need from the gihub version, is it not pushed to crates.io?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really, it will require distros that use vendored sources to update the cargo.conf to include the new location. Not a big deal just annoying. We know one of the maintainers so I can ask them to publish it on crates.io, likely some oversight.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very nice. I will update it afterwards 👍
@Luap99 can you see what is failing during the |
Test failure is a flake #433, I will press rerun until it passes |
ee8914e
to
99e81e7
Compare
99e81e7
to
70eee07
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: b-m-f The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
1 similar comment
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: b-m-f The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
62b1c5b
to
b0a26f2
Compare
Signed-off-by: b-m-f <max@ehlers.berlin>
b0a26f2
to
efac8ed
Compare
Hi @Luap99 @baude, But I had to do all the work inside of the netavark repo for now, since the newest version is not yet on crates.io. Maybe you could push it to the registry and then I could split out the WireGuard plugin into a new repository. Edit: Actually I can just point cargo to the repo for now. But its probably still nicer to point to a version :) |
thanks for the poke .. that is on me ... should be fixed up now |
Thanks @baude , I've worked the code into a plugin at /~https://github.com/b-m-f/netavark-wireguard-plugin . The integration worked nicely. Adding the plugin-API was a good call, for me its much easier to organize the codebase and swap out libraries this way. Will close the PR now |
Belongs together with
containers/common#1209 and containers/podman#16291