feat: create network cleanup function for kill and stop cmd

Signed-off-by: Alessio Greggi <[email protected]>

Author: alegrey91

cmd/nerdctl/container_kill_linux_test.go

@@ -0,0 +1,62 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/containerd/nerdctl/v2/pkg/rootlessutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	iptablesutil "github.com/containerd/nerdctl/v2/pkg/testutil/iptables"
+	"github.com/coreos/go-iptables/iptables"
+	"gotest.tools/v3/assert"
+)
+
+// TestKillCleanupForwards runs a container that exposes a port and then kill it.
+// The test checks that the kill command effectively clean up
+// the iptables forwards creted from the run.
+func TestKillCleanupForwards(t *testing.T) {
+	const (
+		hostPort          = 9999
+		testContainerName = "ngx"
+	)
+	base := testutil.NewBase(t)
+	defer func() {
+		base.Cmd("rm", "-f", testContainerName).Run()
+	}()
+
+	// skip if rootless
+	if rootlessutil.IsRootless() {
+		t.Skip("pkg/testutil/iptables does not support rootless")
+	}
+
+	ipt, err := iptables.New()
+	assert.NilError(t, err)
+
+	cmd := base.Cmd("run", "-d",
+		"--restart=no",
+		"--name", testContainerName,
+		"-p", fmt.Sprintf("127.0.0.1:%d:80", hostPort),
+		testutil.NginxAlpineImage)
+	containerID := strings.TrimSpace(cmd.Run().Stdout())
+	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, testutil.Namespace, containerID), true)
+
+	base.Cmd("kill", testContainerName).AssertOK()
+	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, testutil.Namespace, containerID), false)
+}

cmd/nerdctl/container_stop_linux_test.go

@@ -22,8 +22,11 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/containerd/nerdctl/v2/pkg/rootlessutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	iptablesutil "github.com/containerd/nerdctl/v2/pkg/testutil/iptables"
 	"github.com/containerd/nerdctl/v2/pkg/testutil/nettestutil"
+	"github.com/coreos/go-iptables/iptables"
 
 	"gotest.tools/v3/assert"
 )
@@ -86,3 +89,33 @@ echo "signal quit"`).AssertOK()
 	base.Cmd("stop", testContainerName).AssertOK()
 	base.Cmd("logs", "-f", testContainerName).AssertOutContains("signal quit")
 }
+
+func TestStopCleanupForwards(t *testing.T) {
+	const (
+		hostPort          = 9999
+		testContainerName = "ngx"
+	)
+	base := testutil.NewBase(t)
+	defer func() {
+		base.Cmd("rm", "-f", testContainerName).Run()
+	}()
+
+	// skip if rootless
+	if rootlessutil.IsRootless() {
+		t.Skip("pkg/testutil/iptables does not support rootless")
+	}
+
+	ipt, err := iptables.New()
+	assert.NilError(t, err)
+
+	cmd := base.Cmd("run", "-d",
+		"--restart=no",
+		"--name", testContainerName,
+		"-p", fmt.Sprintf("127.0.0.1:%d:80", hostPort),
+		testutil.NginxAlpineImage)
+	containerID := strings.TrimSpace(cmd.Run().Stdout())
+	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, testutil.Namespace, containerID), true)
+
+	base.Cmd("stop", testContainerName).AssertOK()
+	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, testutil.Namespace, containerID), false)
+}

pkg/cmd/container/kill.go

@@ -18,6 +18,7 @@ package container
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 	"strings"
@@ -26,10 +27,15 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/errdefs"
+	gocni "github.com/containerd/go-cni"
 	"github.com/containerd/log"
 	"github.com/containerd/nerdctl/v2/pkg/api/types"
 	"github.com/containerd/nerdctl/v2/pkg/containerutil"
 	"github.com/containerd/nerdctl/v2/pkg/idutil/containerwalker"
+	"github.com/containerd/nerdctl/v2/pkg/labels"
+	"github.com/containerd/nerdctl/v2/pkg/netutil"
+	"github.com/containerd/nerdctl/v2/pkg/netutil/nettype"
+	"github.com/containerd/nerdctl/v2/pkg/portutil"
 	"github.com/moby/sys/signal"
 )
 
@@ -50,6 +56,9 @@ func Kill(ctx context.Context, client *containerd.Client, reqs []string, options
 			if found.MatchCount > 1 {
 				return fmt.Errorf("multiple IDs found with provided prefix: %s", found.Req)
 			}
+			if err := cleanupNetwork(ctx, found.Container, options.GOptions); err != nil {
+				return fmt.Errorf("unable to cleanup network for container: %s, %q", found.Req, err)
+			}
 			if err := killContainer(ctx, found.Container, parsedSignal); err != nil {
 				if errdefs.IsNotFound(err) {
 					fmt.Fprintf(options.Stderr, "No such container: %s\n", found.Req)
@@ -106,3 +115,75 @@ func killContainer(ctx context.Context, container containerd.Container, signal s
 	}
 	return nil
 }
+
+// cleanupNetwork removes cni network setup, specifically the forwards
+func cleanupNetwork(ctx context.Context, container containerd.Container, globalOpts types.GlobalCommandOptions) error {
+	// retrieve info to get current active port mappings
+	info, err := container.Info(ctx, containerd.WithoutRefreshedMetadata)
+	if err != nil {
+		return err
+	}
+	ports, portErr := portutil.ParsePortsLabel(info.Labels)
+	if portErr != nil {
+		return fmt.Errorf("no oci spec: %q", portErr)
+	}
+	portMappings := []gocni.NamespaceOpts{
+		gocni.WithCapabilityPortMap(ports),
+	}
+
+	// retrieve info to get cni instance
+	spec, err := container.Spec(ctx)
+	if err != nil {
+		return err
+	}
+	networksJSON := spec.Annotations[labels.Networks]
+	var networks []string
+	if err := json.Unmarshal([]byte(networksJSON), &networks); err != nil {
+		return err
+	}
+	netType, err := nettype.Detect(networks)
+	if err != nil {
+		return err
+	}
+
+	switch netType {
+	case nettype.Host, nettype.None, nettype.Container:
+		// NOP
+	case nettype.CNI:
+		e, err := netutil.NewCNIEnv(globalOpts.CNIPath, globalOpts.CNINetConfPath, netutil.WithDefaultNetwork())
+		if err != nil {
+			return err
+		}
+		cniOpts := []gocni.Opt{
+			gocni.WithPluginDir([]string{globalOpts.CNIPath}),
+		}
+		netMap, err := e.NetworkMap()
+		if err != nil {
+			return err
+		}
+		for _, netstr := range networks {
+			net, ok := netMap[netstr]
+			if !ok {
+				return fmt.Errorf("no such network: %q", netstr)
+			}
+			cniOpts = append(cniOpts, gocni.WithConfListBytes(net.Bytes))
+		}
+		cni, err := gocni.New(cniOpts...)
+		if err != nil {
+			return err
+		}
+
+		var namespaceOpts []gocni.NamespaceOpts
+		namespaceOpts = append(namespaceOpts, portMappings...)
+		namespace := spec.Annotations[labels.Namespace]
+		fullID := namespace + "-" + container.ID()
+		if err := cni.Remove(ctx, fullID, "", namespaceOpts...); err != nil {
+			log.L.WithError(err).Errorf("failed to call cni.Remove")
+			return err
+		}
+		return nil
+	default:
+		return fmt.Errorf("unexpected network type %v", netType)
+	}
+	return nil
+}

pkg/cmd/container/stop.go

@@ -35,6 +35,9 @@ func Stop(ctx context.Context, client *containerd.Client, reqs []string, opt typ
 			if found.MatchCount > 1 {
 				return fmt.Errorf("multiple IDs found with provided prefix: %s", found.Req)
 			}
+			if err := cleanupNetwork(ctx, found.Container, opt.GOptions); err != nil {
+				return fmt.Errorf("unable to cleanup network for container: %s", found.Req)
+			}
 			if err := containerutil.Stop(ctx, found.Container, opt.Timeout); err != nil {
 				if errdefs.IsNotFound(err) {
 					fmt.Fprintf(opt.Stderr, "No such container: %s\n", found.Req)