hakoniwa 1.7.0

Process isolation for Linux using namespaces, resource limits, cgroups, landlock and seccomp.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139

use nix::unistd::Pid;
use std::process::Command;

use super::SetupStatus;
use crate::error::*;

/// Use [pasta(1)](https://passt.top) to create a user-mode networking stack.
///
/// By default, IPv4 and IPv6 addresses and routes are copied from the host.
/// [OPTIONS](https://passt.top/builds/latest/web/passt.1.html) described in
/// pasta(1) can be specified as [Pasta::args].
///
/// In terms of pasta(1) options, **--config-net** is given by default, in order to configure
/// networking when the container is started, and **--no-map-gw** is also assumed by default,
/// to avoid direct access from container to host using the gateway address. The latter can
/// be overridden by passing **--map-gw** in the pasta-specific options (despite not being
/// an actual pasta(1) option).
///
/// Also, **-t none** and **-u none** are passed if, respectively, no TCP or UDP port forwarding
/// from host to container is configured, to disable automatic port forwarding based on bound
/// ports. Similarly, **-T none** and **-U none** are given to disable the same functionality
/// from container to host.
#[derive(Clone, Debug)]
pub struct Pasta {
    pub(crate) prog: String,
    args: Vec<String>,
}

impl Pasta {
    /// Sets the path of the program.
    pub fn program(&mut self, program: &str) -> &mut Self {
        self.prog = program.to_string();
        self
    }

    /// Adds multiple arguments to pass to the program.
    pub fn args<I, S>(&mut self, args: I) -> &mut Self
    where
        I: IntoIterator<Item = S>,
        S: AsRef<str>,
    {
        for arg in args {
            self.args.push(arg.as_ref().to_string());
        }
        self
    }
}

impl Default for Pasta {
    fn default() -> Self {
        Self {
            prog: "pasta".to_string(),
            args: vec![],
        }
    }
}

impl Pasta {
    pub(crate) fn mainp_setup(pasta: &Self, child: Pid) -> Result<SetupStatus> {
        let cmdline = Self::to_cmdline(pasta, child);
        log::debug!("Configuring Network: Execve: {cmdline:?}");

        let output = Command::new(cmdline[0].clone())
            .args(&cmdline[1..])
            .output();
        match output {
            Ok(output) if output.status.success() => {
                let output = format!("\n{}", String::from_utf8_lossy(&output.stderr).trim());
                log::debug!("Configuring Network: Output: {output}");
                Ok(SetupStatus::None)
            }
            Ok(output) => {
                let errmsg = format!("\n{}", String::from_utf8_lossy(&output.stderr).trim());
                Err(ProcessErrorKind::SetupNetworkFailed(errmsg))?
            }
            Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
                let errmsg = format!("command {:?} not found", pasta.prog);
                Err(ProcessErrorKind::SetupNetworkFailed(errmsg))?
            }
            Err(err) => {
                let errmsg = format!("{err}");
                Err(ProcessErrorKind::SetupNetworkFailed(errmsg))?
            }
        }
    }

    // [podman#createPastaArgs]: https://github.com/containers/common/blob/33bf9345b5efc6d43600e60f2a7b2a71cd9abdb5/libnetwork/pasta/pasta_linux.go#L164
    #[doc(hidden)]
    pub fn to_cmdline(pasta: &Self, child: Pid) -> Vec<String> {
        let mut no_map_gw = true;
        let mut no_tcp_ports = true;
        let mut no_udp_ports = true;
        let mut no_tcp_ns_ports = true;
        let mut no_udp_ns_ports = true;

        let mut cmdline = vec![];
        cmdline.push(pasta.prog.clone());
        cmdline.push("--config-net".to_string());

        let mut args = vec![];
        for arg in pasta.args.iter() {
            match arg.as_ref() {
                "--map-gw" => {
                    no_map_gw = false;
                    continue;
                }
                "-t" | "--tcp-ports" => no_tcp_ports = false,
                "-u" | "--udp-ports" => no_udp_ports = false,
                "-T" | "--tcp-ns" => no_tcp_ns_ports = false,
                "-U" | "--udp-ns" => no_udp_ns_ports = false,
                _ => {}
            };
            args.push(arg.to_string());
        }

        if no_map_gw {
            cmdline.push("--no-map-gw".to_string());
        }
        if no_tcp_ports {
            cmdline.push("--tcp-ports".to_string());
            cmdline.push("none".to_string());
        }
        if no_udp_ports {
            cmdline.push("--udp-ports".to_string());
            cmdline.push("none".to_string());
        }
        if no_tcp_ns_ports {
            cmdline.push("--tcp-ns".to_string());
            cmdline.push("none".to_string());
        }
        if no_udp_ns_ports {
            cmdline.push("--udp-ns".to_string());
            cmdline.push("none".to_string());
        }
        cmdline.append(&mut args);
        cmdline.push(format!("{child}"));
        cmdline
    }
}