Install CNI Refactor

Dockerfile.in

@@ -16,9 +16,11 @@ FROM ARG_FROM
 
 MAINTAINER Jing Ai <[email protected]>
 
+// TODO remove jq
 RUN apk --update add --no-cache curl iptables ip6tables jq \
     && rm -rf /var/cache/apk/*
 
+// TODO use golang binary
 ADD scripts/install-cni.sh /install-cni.sh
 ADD bin/ARG_ARCH/ARG_BIN /ARG_BIN
 

Makefile

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# TODO refactor Makefile to build multiple binaries https://github.com/thockin/go-build-template/blob/master/Makefile
 # The binary to build (just the basename).
 BIN := netd
 
@@ -38,7 +39,7 @@ GOLANGCI_LINT_VERSION := v1.30.0
 ### These variables should not need tweaking.
 ###
 
-SRC_DIRS := cmd pkg # directories which hold app source (not vendored)
+SRC_DIRS := cmd pkg internal # directories which hold app source (not vendored)
 
 ALL_ARCH := amd64 arm arm64 ppc64le
 

cmd/install-cni/main.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2020 Google Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/golang/glog"
+
+	"github.com/GoogleCloudPlatform/netd/pkg/install-cni/cmd"
+)
+
+func main() {
+	// Create context that cancels on termination signal
+	ctx, cancel := context.WithCancel(context.Background())
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM)
+	go func(sigChan chan os.Signal, cancel context.CancelFunc) {
+		sig := <-sigChan
+		glog.Infof("Exit signal received: %s", sig)
+		cancel()
+	}(sigChan, cancel)
+
+	rootCmd := cmd.GetCommand()
+	if err := rootCmd.ExecuteContext(ctx); err != nil {
+		os.Exit(1)
+	}
+}

cmd/netd/main.go

@@ -27,9 +27,9 @@ import (
 	"github.com/golang/glog"
 	"github.com/spf13/pflag"
 
-	"github.com/GoogleCloudPlatform/netd/pkg/controllers/netconf"
-	"github.com/GoogleCloudPlatform/netd/pkg/metrics"
-	"github.com/GoogleCloudPlatform/netd/pkg/options"
+	"github.com/GoogleCloudPlatform/netd/pkg/netd/controllers/netconf"
+	"github.com/GoogleCloudPlatform/netd/pkg/netd/metrics"
+	"github.com/GoogleCloudPlatform/netd/pkg/netd/options"
 	"github.com/GoogleCloudPlatform/netd/pkg/version"
 )
 

go.mod

@@ -3,20 +3,23 @@ module github.com/GoogleCloudPlatform/netd
 go 1.14
 
 require (
-	github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 // indirect
+	github.com/containernetworking/cni v0.8.0
 	github.com/containernetworking/plugins v0.7.3
-	github.com/coreos/go-iptables v0.4.0
-	github.com/gogo/protobuf v1.3.1 // indirect
+	github.com/coreos/etcd v3.3.24+incompatible
+	github.com/coreos/go-iptables v0.4.5
+	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf // indirect
+	github.com/fsnotify/fsnotify v1.4.7
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
-	github.com/golang/protobuf v1.2.0 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/prometheus/client_golang v0.9.0
-	github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910 // indirect
-	github.com/prometheus/common v0.0.0-20181015124227-bcb74de08d37 // indirect
-	github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d // indirect
-	github.com/spf13/pflag v1.0.3
+	github.com/prometheus/client_golang v0.9.3
+	github.com/spf13/cobra v1.0.0
+	github.com/spf13/pflag v1.0.5
+	github.com/spf13/viper v1.7.1
+	github.com/stretchr/testify v1.6.1
 	github.com/vishvananda/netlink v1.0.0
 	github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc // indirect
-	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 // indirect
-	golang.org/x/sys v0.0.0-20181011152604-fa43e7bc11ba
+	golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7
+	k8s.io/api v0.18.8
+	k8s.io/apimachinery v0.18.8
+	k8s.io/client-go v0.18.8
+	k8s.io/utils v0.0.0-20200815180417-3bc9d57fc792 // indirect
 )

internal/ipt/ipt.go

@@ -0,0 +1,64 @@
+/*
+Copyright 2020 Google Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package ipt defines the iptables interfaces.
+package ipt
+
+import (
+	"github.com/coreos/go-iptables/iptables"
+	"github.com/golang/glog"
+)
+
+var (
+	IPv4Tables *iptables.IPTables
+	IPv6Tables *iptables.IPTables
+)
+
+func init() {
+	var err error
+	if IPv4Tables, err = iptables.NewWithProtocol(iptables.ProtocolIPv4); err != nil {
+		glog.Errorf("failed to initialize iptables: %v", err)
+	}
+	if IPv6Tables, err = iptables.NewWithProtocol(iptables.ProtocolIPv6); err != nil {
+		glog.Errorf("failed to initialize ip6tables: %v", err)
+	}
+}
+
+type Error interface {
+	ExitStatus() int
+	IsNotExist() bool
+}
+
+type IPTabler interface {
+	NewChain(table, chain string) error
+	ClearChain(table, chain string) error
+	DeleteChain(table, chain string) error
+	List(table, chain string) ([]string, error)
+	Insert(table, chain string, pos int, rulespec ...string) error
+	AppendUnique(table, chain string, rulespec ...string) error
+	Delete(table, chain string, rulespec ...string) error
+}
+
+// IPTablesRule defines an iptables rule
+type IPTablesRule []string
+
+// IPTablesSpec defines iptables rules and the associated table and chain
+type IPTablesSpec struct {
+	TableName string
+	ChainName string
+	Rules     []IPTablesRule
+	IPT       IPTabler
+}

internal/ipt/ipttest/ipttest.go

@@ -0,0 +1,164 @@
+/*
+Copyright 2020 Google Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package ipttest provides utilities for IPTables mock testing.
+package ipttest
+
+import (
+	"fmt"
+	"strings"
+)
+
+const (
+	AcceptPolicy = "ACCEPT"
+	DropPolicy   = "DROP"
+)
+
+const (
+	AlreadyExistErr = iota + 1
+	NotExistErr
+)
+
+type FakeError struct {
+	exitStatus int
+}
+
+func NewFakeError(exitStatus int) *FakeError {
+	return &FakeError{
+		exitStatus: exitStatus,
+	}
+}
+
+func (e *FakeError) Error() string {
+	return ""
+}
+
+func (e *FakeError) ExitStatus() int {
+	return e.exitStatus
+}
+
+func (e *FakeError) IsNotExist() bool {
+	return e.exitStatus == NotExistErr
+}
+
+type FakeIPTable struct {
+	Rules    map[string][]string
+	Policies map[string]string
+}
+
+type FakeIPTables struct {
+	Tables map[string]*FakeIPTable
+}
+
+func NewFakeIPTable() *FakeIPTable {
+	return &FakeIPTable{
+		Rules:    make(map[string][]string),
+		Policies: make(map[string]string),
+	}
+}
+
+func NewFakeIPTables(tableNames ...string) *FakeIPTables {
+	tables := make(map[string]*FakeIPTable)
+	for _, name := range tableNames {
+		tables[name] = NewFakeIPTable()
+	}
+	return &FakeIPTables{
+		Tables: tables,
+	}
+}
+
+func (i FakeIPTables) NewChain(table, chain string) error {
+	if _, ok := i.Tables[table].Rules[chain]; ok {
+		// Chain already exists
+		return NewFakeError(AlreadyExistErr)
+	}
+
+	i.Tables[table].Rules[chain] = make([]string, 0, 5)
+	// Default chain policy
+	i.Tables[table].Policies[chain] = AcceptPolicy
+	return nil
+}
+
+func (i FakeIPTables) ClearChain(table, chain string) error {
+	i.Tables[table].Rules[chain] = make([]string, 0, 5)
+	return nil
+}
+func (i FakeIPTables) DeleteChain(table, chain string) error {
+	if _, ok := i.Tables[table].Rules[chain]; !ok {
+		// Chain does not exist
+		return NewFakeError(NotExistErr)
+	}
+
+	delete(i.Tables[table].Rules, chain)
+	delete(i.Tables[table].Policies, chain)
+
+	return nil
+}
+
+func (i FakeIPTables) List(table, chain string) ([]string, error) {
+	if _, ok := i.Tables[table].Rules[chain]; !ok {
+		// Chain does not exist
+		return nil, NewFakeError(NotExistErr)
+	}
+
+	return append([]string{fmt.Sprintf("-P %s %s", chain, i.Tables[table].Policies[chain])}, i.Tables[table].Rules[chain]...), nil
+}
+
+func (i FakeIPTables) Insert(table, chain string, pos int, rulespec ...string) error {
+	rule := strings.Join(rulespec, " ")
+	if _, ok := i.Tables[table].Rules[chain]; !ok {
+		// Chain does not exist
+		return NewFakeError(NotExistErr)
+	}
+	// Valid iptables rules position: 1 to len(chain) + 1
+	index := pos - 1
+	if index < 0 || pos > len(i.Tables[table].Rules[chain]) {
+		return fmt.Errorf("pos out of bounds: %d", pos)
+	}
+
+	if index == len(i.Tables[table].Rules[chain]) {
+		i.Tables[table].Rules[chain] = append(i.Tables[table].Rules[chain], rule)
+	} else {
+		i.Tables[table].Rules[chain] = append(i.Tables[table].Rules[chain][:index+1], i.Tables[table].Rules[chain][index:]...)
+		i.Tables[table].Rules[chain][index] = rule
+	}
+
+	return nil
+}
+
+func (i FakeIPTables) AppendUnique(table, chain string, rulespec ...string) error {
+	rule := strings.Join(rulespec, " ")
+	for _, r := range i.Tables[table].Rules[chain] {
+		if r == rule {
+			return nil
+		}
+	}
+	i.Tables[table].Rules[chain] = append(i.Tables[table].Rules[chain], rule)
+	return nil
+}
+func (i FakeIPTables) Delete(table, chain string, rulespec ...string) error {
+	rule := strings.Join(rulespec, " ")
+	for index, r := range i.Tables[table].Rules[chain] {
+		if r == rule {
+			i.Tables[table].Rules[chain] = append(i.Tables[table].Rules[chain][:index], i.Tables[table].Rules[chain][index+1:]...)
+			return nil
+		}
+	}
+
+	delete(i.Tables[table].Rules, chain)
+
+	return nil
+}