Support --ip argument when run the container

Signed-off-by: Zheao.Li <me@manjusaka.me>

Author: Zheaoli

README.md

@@ -368,6 +368,7 @@ Network flags:
 - :whale: `--dns`: Set custom DNS servers
 - :whale: `-h, --hostname`: Container host name
 - :whale: `--add-host`: Add a custom host-to-IP mapping (host:ip)
+- :whale: `--ip`: Specific static IP address(es) to use
 
 Cgroup flags:
 - :whale: `--cpus`: Number of CPUs

cmd/nerdctl/run.go

@@ -121,6 +121,8 @@ func setCreateFlags(cmd *cobra.Command) {
 	cmd.Flags().StringSlice("dns", nil, "Set custom DNS servers")
 	// publish is defined as StringSlice, not StringArray, to allow specifying "--publish=80:80,443:443" (compatible with Podman)
 	cmd.Flags().StringSliceP("publish", "p", nil, "Publish a container's port(s) to the host")
+	// FIXME: not support IPV6 yet
+	cmd.Flags().String("ip", "", "IPv4 address to assign to the container")
 	cmd.Flags().StringP("hostname", "h", "", "Container host name")
 	// #endregion
 
@@ -469,7 +471,7 @@ func createContainer(cmd *cobra.Command, ctx context.Context, client *containerd
 	}
 	cOpts = append(cOpts, restartOpts...)
 
-	netOpts, netSlice, ports, err := generateNetOpts(cmd, dataStore, stateDir, ns, id)
+	netOpts, netSlice, ipAddress, ports, err := generateNetOpts(cmd, dataStore, stateDir, ns, id)
 	if err != nil {
 		return nil, "", nil, err
 	}
@@ -553,7 +555,7 @@ func createContainer(cmd *cobra.Command, ctx context.Context, client *containerd
 		return nil, "", nil, err
 	}
 	extraHosts = strutil.DedupeStrSlice(extraHosts)
-	ilOpt, err := withInternalLabels(ns, name, hostname, stateDir, extraHosts, netSlice, ports, logURI, anonVolumes, pidFile, platform)
+	ilOpt, err := withInternalLabels(ns, name, hostname, stateDir, extraHosts, netSlice, ipAddress, ports, logURI, anonVolumes, pidFile, platform)
 	if err != nil {
 		return nil, "", nil, err
 	}
@@ -794,7 +796,7 @@ func readKVStringsMapfFromLabel(cmd *cobra.Command) (map[string]string, error) {
 	return strutil.ConvertKVStringsToMap(labels), nil
 }
 
-func withInternalLabels(ns, name, hostname, containerStateDir string, extraHosts, networks []string, ports []gocni.PortMapping, logURI string, anonVolumes []string, pidFile, platform string) (containerd.NewContainerOpts, error) {
+func withInternalLabels(ns, name, hostname, containerStateDir string, extraHosts, networks []string, ipAddress string, ports []gocni.PortMapping, logURI string, anonVolumes []string, pidFile, platform string) (containerd.NewContainerOpts, error) {
 	m := make(map[string]string)
 	m[labels.Namespace] = ns
 	if name != "" {
@@ -834,6 +836,10 @@ func withInternalLabels(ns, name, hostname, containerStateDir string, extraHosts
 		m[labels.PIDFile] = pidFile
 	}
 
+	if ipAddress != "" {
+		m[labels.IPAddress] = ipAddress
+	}
+
 	m[labels.Platform], err = platformutil.NormalizeString(platform)
 	if err != nil {
 		return nil, err

cmd/nerdctl/run_network.go

@@ -35,6 +35,7 @@ import (
 	"github.com/containerd/nerdctl/pkg/rootlessutil"
 	"github.com/containerd/nerdctl/pkg/strutil"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
 
@@ -104,21 +105,29 @@ func withCustomHosts(src string) func(context.Context, oci.Client, *containers.C
 	}
 }
 
-func generateNetOpts(cmd *cobra.Command, dataStore, stateDir, ns, id string) ([]oci.SpecOpts, []string, []gocni.PortMapping, error) {
+func generateNetOpts(cmd *cobra.Command, dataStore, stateDir, ns, id string) ([]oci.SpecOpts, []string, string, []gocni.PortMapping, error) {
 	opts := []oci.SpecOpts{}
 	portSlice, err := cmd.Flags().GetStringSlice("publish")
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, "", nil, err
+	}
+	ipAddress, err := cmd.Flags().GetString("ip")
+	if err != nil {
+		return nil, nil, "", nil, err
 	}
 	netSlice, err := getNetworkSlice(cmd)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, "", nil, err
+	}
+
+	if (netSlice == nil || len(netSlice) == 0) && (ipAddress != "") {
+		logrus.Warnf("You have assign an IP address %s but no network, So we will use the default network", ipAddress)
 	}
 
 	ports := make([]gocni.PortMapping, 0)
 	netType, err := nettype.Detect(netSlice)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, "", nil, err
 	}
 
 	switch netType {
@@ -131,44 +140,44 @@ func generateNetOpts(cmd *cobra.Command, dataStore, stateDir, ns, id string) ([]
 		// The actual network is configured in the oci hook.
 		cniPath, err := cmd.Flags().GetString("cni-path")
 		if err != nil {
-			return nil, nil, nil, err
+			return nil, nil, "", nil, err
 		}
 		cniNetconfpath, err := cmd.Flags().GetString("cni-netconfpath")
 		if err != nil {
-			return nil, nil, nil, err
+			return nil, nil, "", nil, err
 		}
 		e, err := netutil.NewCNIEnv(cniPath, cniNetconfpath)
 		if err != nil {
-			return nil, nil, nil, err
+			return nil, nil, "", nil, err
 		}
 		netMap := e.NetworkMap()
 		for _, netstr := range netSlice {
 			_, ok := netMap[netstr]
 			if !ok {
-				return nil, nil, nil, fmt.Errorf("network %s not found", netstr)
+				return nil, nil, "", nil, fmt.Errorf("network %s not found", netstr)
 			}
 		}
 
 		resolvConfPath := filepath.Join(stateDir, "resolv.conf")
 		dnsValue, err := cmd.Flags().GetStringSlice("dns")
 		if err != nil {
-			return nil, nil, nil, err
+			return nil, nil, "", nil, err
 		}
 		if runtime.GOOS == "linux" {
 			conf, err := resolvconf.Get()
 			if err != nil {
-				return nil, nil, nil, err
+				return nil, nil, "", nil, err
 			}
 			slirp4Dns := []string{}
 			if rootlessutil.IsRootlessChild() {
 				slirp4Dns, err = dnsutil.GetSlirp4netnsDns()
 				if err != nil {
-					return nil, nil, nil, err
+					return nil, nil, "", nil, err
 				}
 			}
 			conf, err = resolvconf.FilterResolvDNS(conf.Content, true)
 			if err != nil {
-				return nil, nil, nil, err
+				return nil, nil, "", nil, err
 			}
 			searchDomains := resolvconf.GetSearchDomains(conf.Content)
 			dnsOptions := resolvconf.GetOptions(conf.Content)
@@ -177,25 +186,25 @@ func generateNetOpts(cmd *cobra.Command, dataStore, stateDir, ns, id string) ([]
 				nameServers = resolvconf.GetNameservers(conf.Content, resolvconf.IPv4)
 			}
 			if _, err := resolvconf.Build(resolvConfPath, append(slirp4Dns, nameServers...), searchDomains, dnsOptions); err != nil {
-				return nil, nil, nil, err
+				return nil, nil, "", nil, err
 			}
 
 			// the content of /etc/hosts is created in OCI Hook
 			etcHostsPath, err := hostsstore.AllocHostsFile(dataStore, ns, id)
 			if err != nil {
-				return nil, nil, nil, err
+				return nil, nil, "", nil, err
 			}
 			opts = append(opts, withCustomResolvConf(resolvConfPath), withCustomHosts(etcHostsPath))
 			for _, p := range portSlice {
 				pm, err := portutil.ParseFlagP(p)
 				if err != nil {
-					return nil, nil, pm, err
+					return nil, nil, "", pm, err
 				}
 				ports = append(ports, pm...)
 			}
 		}
 	default:
-		return nil, nil, nil, fmt.Errorf("unexpected network type %v", netType)
+		return nil, nil, "", nil, fmt.Errorf("unexpected network type %v", netType)
 	}
-	return opts, netSlice, ports, nil
+	return opts, netSlice, ipAddress, ports, nil
 }

cmd/nerdctl/run_network_linux_test.go

@@ -395,3 +395,75 @@ func TestRunPort(t *testing.T) {
 	}
 
 }
+
+func TestRunContainerWithStaticIP(t *testing.T) {
+	if rootlessutil.IsRootless() {
+		t.Skip("Static IP assignment is not supported rootless mode yet.")
+	}
+	networkName := "test-network"
+	networkSubnet := "172.0.0.0/16"
+	base := testutil.NewBase(t)
+	cmd := base.Cmd("network", "create", networkName, "--subnet", networkSubnet)
+	cmd.AssertOK()
+	defer base.Cmd("network", "rm", networkName).Run()
+	testCases := []struct {
+		ip                string
+		shouldSuccess     bool
+		useNetwork        bool
+		checkTheIpAddress bool
+	}{
+		{
+			ip:                "172.0.0.2",
+			shouldSuccess:     true,
+			useNetwork:        true,
+			checkTheIpAddress: true,
+		},
+		{
+			ip:                "192.0.0.2",
+			shouldSuccess:     false,
+			useNetwork:        true,
+			checkTheIpAddress: false,
+		},
+		{
+			ip:                "10.4.0.2",
+			shouldSuccess:     true,
+			useNetwork:        false,
+			checkTheIpAddress: false,
+		},
+	}
+	tID := testutil.Identifier(t)
+	for i, tc := range testCases {
+		i := i
+		tc := tc
+		tcName := fmt.Sprintf("%+v", tc)
+		t.Run(tcName, func(t *testing.T) {
+			testContainerName := fmt.Sprintf("%s-%d", tID, i)
+			base := testutil.NewBase(t)
+			defer base.Cmd("rm", "-f", testContainerName).Run()
+			args := []string{
+				"run", "-d", "--name", testContainerName,
+			}
+			if tc.useNetwork {
+				args = append(args, []string{"--network", networkName}...)
+			}
+			args = append(args, []string{"--ip", tc.ip, testutil.NginxAlpineImage}...)
+			cmd := base.Cmd(args...)
+			if !tc.shouldSuccess {
+				cmd.AssertFail()
+				return
+			} else {
+				cmd.AssertOK()
+			}
+			if tc.checkTheIpAddress {
+				inspectCmd := base.Cmd("inspect", testContainerName, "--format", "\"{{range .NetworkSettings.Networks}} {{.IPAddress}}{{end}}\"")
+				result := inspectCmd.Run()
+				stdoutContent := result.Stdout() + result.Stderr()
+				assert.Assert(cmd.Base.T, result.ExitCode == 0, stdoutContent)
+				if !strings.Contains(stdoutContent, tc.ip) {
+					t.Fail()
+					return
+				}
+			}
+		})
+	}
+}

pkg/labels/labels.go

@@ -57,6 +57,10 @@ const (
 	// Ports is a JSON-marshalled string of []gocni.PortMapping .
 	Ports = Prefix + "ports"
 
+	// IPAddress is the static IP address of the container assigned by the user
+
+	IPAddress = Prefix + "ip"
+
 	// LogURI is the log URI
 	LogURI = Prefix + "log-uri"
 

pkg/ocihook/ocihook.go

@@ -195,6 +195,10 @@ func newHandlerOpts(state *specs.State, dataStore, cniPath, cniNetconfPath strin
 		}
 	}
 
+	if ipAddress, ok := o.state.Annotations[labels.IPAddress]; ok {
+		o.containerIP = ipAddress
+	}
+
 	if rootlessutil.IsRootlessChild() {
 		o.rootlessKitClient, err = rootlessutil.NewRootlessKitClient()
 		if err != nil {
@@ -229,6 +233,7 @@ type handlerOpts struct {
 	rootlessKitClient rlkclient.Client
 	bypassClient      b4nndclient.Client
 	extraHosts        map[string]string // ip:host
+	containerIP       string
 }
 
 // hookSpec is from https://github.com/containerd/containerd/blob/v1.4.3/cmd/containerd/command/oci-hook.go#L59-L64
@@ -321,6 +326,25 @@ func getPortMapOpts(opts *handlerOpts) ([]gocni.NamespaceOpts, error) {
 	return nil, nil
 }
 
+func getIPAddressOpts(opts *handlerOpts) ([]gocni.NamespaceOpts, error) {
+	if opts.containerIP != "" {
+		if rootlessutil.IsRootlessChild() {
+			return nil, fmt.Errorf("containerIP assignment is not supported in rootless mode")
+		}
+
+		return []gocni.NamespaceOpts{
+			gocni.WithLabels(map[string]string{
+				// Special tick for go-cni. Because go-cni marks all labels and args as same
+				// So, we need add a special label to pass the containerIP to the host-local plugin.
+				// FYI: https://github.com/containerd/go-cni/blob/v1.1.3/README.md?plain=1#L57-L64
+				"IgnoreUnknown": "1",
+			}),
+			gocni.WithArgs("IP", opts.containerIP),
+		}, nil
+	}
+	return nil, nil
+}
+
 func onCreateRuntime(opts *handlerOpts) error {
 	loadAppArmor()
 
@@ -338,6 +362,13 @@ func onCreateRuntime(opts *handlerOpts) error {
 		if err != nil {
 			return err
 		}
+		ipAddressOpts, err := getIPAddressOpts(opts)
+		if err != nil {
+			return err
+		}
+		var namespaceOpts []gocni.NamespaceOpts
+		namespaceOpts = append(namespaceOpts, portMapOpts...)
+		namespaceOpts = append(namespaceOpts, ipAddressOpts...)
 		hsMeta := hostsstore.Meta{
 			Namespace:  opts.state.Annotations[labels.Namespace],
 			ID:         opts.state.ID,
@@ -346,7 +377,7 @@ func onCreateRuntime(opts *handlerOpts) error {
 			ExtraHosts: opts.extraHosts,
 			Name:       opts.state.Annotations[labels.Name],
 		}
-		cniRes, err := opts.cni.Setup(ctx, opts.fullID, nsPath, portMapOpts...)
+		cniRes, err := opts.cni.Setup(ctx, opts.fullID, nsPath, namespaceOpts...)
 		if err != nil {
 			return fmt.Errorf("failed to call cni.Setup: %w", err)
 		}
@@ -424,7 +455,14 @@ func onPostStop(opts *handlerOpts) error {
 		if err != nil {
 			return err
 		}
-		if err := opts.cni.Remove(ctx, opts.fullID, "", portMapOpts...); err != nil {
+		ipAddressOpts, err := getIPAddressOpts(opts)
+		if err != nil {
+			return err
+		}
+		var namespaceOpts []gocni.NamespaceOpts
+		namespaceOpts = append(namespaceOpts, portMapOpts...)
+		namespaceOpts = append(namespaceOpts, ipAddressOpts...)
+		if err := opts.cni.Remove(ctx, opts.fullID, "", namespaceOpts...); err != nil {
 			logrus.WithError(err).Errorf("failed to call cni.Remove")
 			return err
 		}