Add new feature for custom workspace network CIDR

Author: aledbf

components/ws-daemon/nsinsider/main.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net"
+	"net/netip"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -268,22 +269,30 @@ func main() {
 						Name:     "target-pid",
 						Required: true,
 					},
+					&cli.IntFlag{
+						Name:     "workspace-cidr",
+						Required: true,
+					},
 				},
 				Action: func(c *cli.Context) error {
 					containerIf, vethIf, cethIf := "eth0", "veth0", "eth0"
-					mask := net.IPv4Mask(255, 255, 255, 0)
-					vethIp := net.IPNet{
-						IP:   net.IPv4(10, 0, 5, 1),
-						Mask: mask,
+					networkCIDR := c.String("workspace-cidr")
+
+					vethIp, cethIp, mask, err := processWorkspaceCIDR(networkCIDR)
+					if err != nil {
+						return xerrors.Errorf("parsing workspace CIDR (%v):%v", networkCIDR, err)
 					}
-					cethIp := net.IPNet{
-						IP:   net.IPv4(10, 0, 5, 2),
-						Mask: mask,
+
+					vethIpNet := net.IPNet{
+						IP:   net.ParseIP(vethIp.String()),
+						Mask: mask.Mask,
 					}
+
 					masqueradeAddr := net.IPNet{
-						IP:   vethIp.IP.Mask(mask),
-						Mask: mask,
+						IP:   vethIpNet.IP.Mask(mask.Mask),
+						Mask: mask.Mask,
 					}
+
 					targetPid := c.Int("target-pid")
 
 					eth0, err := netlink.LinkByName(containerIf)
@@ -308,7 +317,7 @@ func main() {
 					if err != nil {
 						return xerrors.Errorf("cannot found %q netns failed: %v", vethIf, err)
 					}
-					if err := netlink.AddrAdd(vethLink, &netlink.Addr{IPNet: &vethIp}); err != nil {
+					if err := netlink.AddrAdd(vethLink, &netlink.Addr{IPNet: &vethIpNet}); err != nil {
 						return xerrors.Errorf("failed to add IP address to %q: %v", vethIf, err)
 					}
 					if err := netlink.LinkSetUp(vethLink); err != nil {
@@ -329,7 +338,6 @@ func main() {
 						Type:     nftables.ChainTypeNAT,
 					})
 
-					// ip saddr 10.0.5.0/24 oifname "eth0" masquerade
 					nc.AddRule(&nftables.Rule{
 						Table: nat,
 						Chain: postrouting,
@@ -408,7 +416,7 @@ func main() {
 
 							&expr.Immediate{
 								Register: 2,
-								Data:     cethIp.IP.To4(),
+								Data:     cethIp,
 							},
 							&expr.NAT{
 								Type:        expr.NATTypeDestNAT,
@@ -431,21 +439,23 @@ func main() {
 				Usage: "set up a peer veth",
 				Action: func(c *cli.Context) error {
 					cethIf := "eth0"
-					mask := net.IPv4Mask(255, 255, 255, 0)
-					cethIp := net.IPNet{
-						IP:   net.IPv4(10, 0, 5, 2),
-						Mask: mask,
+
+					networkCIDR := c.String("workspace-cidr")
+					vethIp, cethIp, mask, err := processWorkspaceCIDR(networkCIDR)
+					if err != nil {
+						return xerrors.Errorf("parsing workspace CIDR (%v):%v", networkCIDR, err)
 					}
-					vethIp := net.IPNet{
-						IP:   net.IPv4(10, 0, 5, 1),
-						Mask: mask,
+
+					cethIpNet := net.IPNet{
+						IP:   net.ParseIP(cethIp.String()),
+						Mask: mask.Mask,
 					}
 
 					cethLink, err := netlink.LinkByName(cethIf)
 					if err != nil {
 						return xerrors.Errorf("cannot found %q netns failed: %v", cethIf, err)
 					}
-					if err := netlink.AddrAdd(cethLink, &netlink.Addr{IPNet: &cethIp}); err != nil {
+					if err := netlink.AddrAdd(cethLink, &netlink.Addr{IPNet: &cethIpNet}); err != nil {
 						return xerrors.Errorf("failed to add IP address to %q: %v", cethIf, err)
 					}
 					if err := netlink.LinkSetUp(cethLink); err != nil {
@@ -462,7 +472,7 @@ func main() {
 
 					defaultGw := netlink.Route{
 						Scope: netlink.SCOPE_UNIVERSE,
-						Gw:    vethIp.IP,
+						Gw:    vethIp,
 					}
 					if err := netlink.RouteReplace(&defaultGw); err != nil {
 						return xerrors.Errorf("failed to set up deafult gw: %v", err)
@@ -687,3 +697,27 @@ const (
 	// FlagAtRecursive: Apply to the entire subtree: https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/fcntl.h#L112
 	flagAtRecursive = 0x8000
 )
+
+func processWorkspaceCIDR(networkCIDR string) (net.IP, net.IP, *net.IPNet, error) {
+	netIP, mask, err := net.ParseCIDR(networkCIDR)
+	if err != nil {
+		return nil, nil, nil, xerrors.Errorf("cannot configure workspace CIDR: %w", err)
+	}
+
+	addr, err := netip.ParseAddr(netIP.String())
+	if err != nil {
+		return nil, nil, nil, xerrors.Errorf("cannot configure workspace CIDR: %w", err)
+	}
+
+	vethIp := addr.Next()
+	if !vethIp.IsValid() {
+		return nil, nil, nil, xerrors.Errorf("workspace CIDR is not big enough (%v)", networkCIDR)
+	}
+
+	cethIp := vethIp.Next()
+	if !cethIp.IsValid() {
+		return nil, nil, nil, xerrors.Errorf("workspace CIDR is not big enough (%v)", networkCIDR)
+	}
+
+	return net.ParseIP(vethIp.String()), net.ParseIP(cethIp.String()), mask, nil
+}

components/ws-daemon/pkg/content/hooks.go

@@ -26,7 +26,7 @@ import (
 func WorkspaceLifecycleHooks(cfg Config, workspaceExistenceCheck WorkspaceExistenceCheck, uidmapper *iws.Uidmapper, xfs *quota.XFS, cgroupMountPoint string) map[session.WorkspaceState][]session.WorkspaceLivecycleHook {
 	// startIWS starts the in-workspace service for a workspace. This lifecycle hook is idempotent, hence can - and must -
 	// be called on initialization and ready. The on-ready hook exists only to support ws-daemon restarts.
-	startIWS := iws.ServeWorkspace(uidmapper, api.FSShiftMethod(cfg.UserNamespaces.FSShift), cgroupMountPoint)
+	startIWS := iws.ServeWorkspace(uidmapper, api.FSShiftMethod(cfg.UserNamespaces.FSShift), cgroupMountPoint, cfg.WorkspaceCIDR)
 
 	return map[session.WorkspaceState][]session.WorkspaceLivecycleHook{
 		session.WorkspaceInitializing: {

components/ws-daemon/pkg/daemon/config.go

@@ -43,6 +43,8 @@ type RuntimeConfig struct {
 	Kubeconfig          string            `json:"kubeconfig"`
 	KubernetesNamespace string            `json:"namespace"`
 	SecretsNamespace    string            `json:"secretsNamespace"`
+
+	WorkspaceNetworkCIDR string `json:"workspaceNetworkCIDR,omitempty"`
 }
 
 type IOLimitConfig struct {

components/ws-daemon/pkg/iws/iws.go

@@ -84,7 +84,7 @@ var (
 )
 
 // ServeWorkspace establishes the IWS server for a workspace
-func ServeWorkspace(uidmapper *Uidmapper, fsshift api.FSShiftMethod, cgroupMountPoint string) func(ctx context.Context, ws *session.Workspace) error {
+func ServeWorkspace(uidmapper *Uidmapper, fsshift api.FSShiftMethod, cgroupMountPoint string, workspaceCIDR string) func(ctx context.Context, ws *session.Workspace) error {
 	return func(ctx context.Context, ws *session.Workspace) (err error) {
 		span, _ := opentracing.StartSpanFromContext(ctx, "iws.ServeWorkspace")
 		defer tracing.FinishSpan(span, &err)
@@ -139,6 +139,8 @@ type InWorkspaceServiceServer struct {
 	FSShift          api.FSShiftMethod
 	CGroupMountPoint string
 
+	WorkspaceCIDR string
+
 	srv  *grpc.Server
 	sckt io.Closer
 
@@ -361,7 +363,10 @@ func (wbs *InWorkspaceServiceServer) SetupPairVeths(ctx context.Context, req *ap
 	}
 
 	err = nsi.Nsinsider(wbs.Session.InstanceID, int(containerPID), func(c *exec.Cmd) {
-		c.Args = append(c.Args, "setup-pair-veths", "--target-pid", strconv.Itoa(int(req.Pid)))
+		c.Args = append(c.Args, "setup-pair-veths",
+			"--target-pid", strconv.Itoa(int(req.Pid)),
+			fmt.Sprintf("--workspace-cidr=%v", wbs.WorkspaceCIDR),
+		)
 	}, nsi.EnterMountNS(true), nsi.EnterPidNS(true), nsi.EnterNetNS(true))
 	if err != nil {
 		log.WithError(err).WithFields(wbs.Session.OWI()).Error("SetupPairVeths: cannot setup a pair of veths")
@@ -373,7 +378,9 @@ func (wbs *InWorkspaceServiceServer) SetupPairVeths(ctx context.Context, req *ap
 		return nil, xerrors.Errorf("cannot map in-container PID %d (container PID: %d): %w", req.Pid, containerPID, err)
 	}
 	err = nsi.Nsinsider(wbs.Session.InstanceID, int(pid), func(c *exec.Cmd) {
-		c.Args = append(c.Args, "setup-peer-veth")
+		c.Args = append(c.Args, "setup-peer-veth",
+			fmt.Sprintf("--workspace-cidr=%v", wbs.WorkspaceCIDR),
+		)
 	}, nsi.EnterMountNS(true), nsi.EnterPidNS(true), nsi.EnterNetNS(true))
 	if err != nil {
 		log.WithError(err).WithFields(wbs.Session.OWI()).Error("SetupPairVeths: cannot setup a peer veths")

install/installer/pkg/cluster/checks.go

@@ -7,6 +7,8 @@ package cluster
 import (
 	"context"
 	"fmt"
+	"net"
+	"net/netip"
 	"strings"
 
 	"github.com/Masterminds/semver"
@@ -291,3 +293,53 @@ func checkNamespaceExists(ctx context.Context, config *rest.Config, namespace st
 
 	return nil, nil
 }
+
+func CheckWorkspaceNetworkCIDR(networkCIDR string) ValidationCheck {
+	return ValidationCheck{
+		Name:        "workspace CIDR is present and valid",
+		Description: "ensures the workspace CIDR contains a valid network address range",
+		Check: func(ctx context.Context, config *rest.Config, namespace string) ([]ValidationError, error) {
+			netIP, _, err := net.ParseCIDR(networkCIDR)
+			if err != nil {
+				return []ValidationError{
+					{
+						Message: fmt.Sprintf("invalid workspace CIDR: %v", err),
+						Type:    ValidationStatusError,
+					},
+				}, nil
+			}
+
+			addr, err := netip.ParseAddr(netIP.String())
+			if err != nil {
+				return []ValidationError{
+					{
+						Message: fmt.Sprintf("invalid workspace CIDR: %v", err),
+						Type:    ValidationStatusError,
+					},
+				}, nil
+			}
+
+			vethIp := addr.Next()
+			if !vethIp.IsValid() {
+				return []ValidationError{
+					{
+						Message: fmt.Sprintf("workspace CIDR is not big enough (%v)", networkCIDR),
+						Type:    ValidationStatusError,
+					},
+				}, nil
+			}
+
+			cethIp := vethIp.Next()
+			if !cethIp.IsValid() {
+				return []ValidationError{
+					{
+						Message: fmt.Sprintf("workspace CIDR is not big enough (%v)", networkCIDR),
+						Type:    ValidationStatusError,
+					},
+				}, nil
+			}
+
+			return nil, nil
+		},
+	}
+}

install/installer/pkg/components/ws-daemon/configmap.go

@@ -66,6 +66,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 	runtimeMapping[ctx.Config.Workspace.Runtime.ContainerDRuntimeDir] = "/mnt/node0"
 
 	var wscontroller daemon.WorkspaceControllerConfig
+	var workspaceNetworkCIDR string
 
 	ctx.WithExperimental(func(ucfg *experimental.Config) error {
 		if ucfg.Workspace == nil {
@@ -105,6 +106,8 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 		wscontroller.WorkingAreaSuffix = "-mk2"
 		wscontroller.MaxConcurrentReconciles = 15
 
+		workspaceNetworkCIDR = ucfg.Workspace.WorkspaceNetworkCIDR
+
 		return nil
 	})
 
@@ -123,6 +126,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 						SocketPath: "/mnt/containerd/containerd.sock",
 					},
 				},
+				WorkspaceNetworkCIDR: workspaceNetworkCIDR,
 			},
 			Content: content.Config{
 				WorkingArea:     "/mnt/workingarea",

install/installer/pkg/config/v1/experimental/experimental.go

@@ -68,6 +68,8 @@ type WorkspaceConfig struct {
 	WorkspaceURLTemplate     string   `json:"workspaceURLTemplate,omitempty"`
 	WorkspacePortURLTemplate string   `json:"workspacePortURLTemplate,omitempty"`
 
+	WorkspaceNetworkCIDR string `json:"workspaceNetworkCIDR,omitempty"`
+
 	CPULimits struct {
 		Enabled          bool              `json:"enabled"`
 		NodeCPUBandwidth resource.Quantity `json:"nodeBandwidth"`

install/installer/pkg/config/v1/experimental/validation.go

@@ -46,6 +46,13 @@ func ClusterValidation(cfg *Config) cluster.ValidationChecks {
 		if scr := cfg.Workspace.RegistryFacade.RedisCache.PasswordSecret; scr != "" {
 			res = append(res, cluster.CheckSecret(scr, cluster.CheckSecretRequiredData("password")))
 		}
+
+		if cfg.Workspace.WorkspaceNetworkCIDR == "" {
+			// default workspace network CIDR fallback
+			cfg.Workspace.WorkspaceNetworkCIDR = "10.0.5.0/31"
+		} else {
+			res = append(res, cluster.CheckWorkspaceNetworkCIDR(cfg.Workspace.WorkspaceNetworkCIDR))
+		}
 	}
 
 	return res