Merge pull request #2916 from AkihiroSuda/bypass4netns-disable-bind

bypass4netns: allow disabling bind

pkg/annotations/annotations.go

@@ -29,10 +29,16 @@ const (
 	// Bypass4netnsIgnoreSubnets is a JSON of []string that is appended to
 	// the `bypass4netns --ignore` list.
 	Bypass4netnsIgnoreSubnets = Bypass4netns + "-ignore-subnets"
+
+	// Bypass4netnsIgnoreBind disables acceleration for bind.
+	// Boolean value which can be parsed with strconv.ParseBool() is required.
+	Bypass4netnsIgnoreBind = Bypass4netns + "-ignore-bind"
 )
 
 var ShellCompletions = []string{
 	Bypass4netns + "=true",
 	Bypass4netns + "=false",
 	Bypass4netnsIgnoreSubnets + "=",
+	Bypass4netnsIgnoreBind + "=true",
+	Bypass4netnsIgnoreBind + "=false",
 }

pkg/bypass4netnsutil/bypass.go

@@ -35,6 +35,13 @@ func NewBypass4netnsCNIBypassManager(client client.Client, rlkClient rlkclient.C
 	if client == nil || rlkClient == nil {
 		return nil, errdefs.ErrInvalidArgument
 	}
+	enabled, bindEnabled, err := IsBypass4netnsEnabled(annotationsMap)
+	if err != nil {
+		return nil, err
+	}
+	if !enabled {
+		return nil, errdefs.ErrInvalidArgument
+	}
 	var ignoreSubnets []string
 	if v := annotationsMap[annotations.Bypass4netnsIgnoreSubnets]; v != "" {
 		if err := json.Unmarshal([]byte(v), &ignoreSubnets); err != nil {
@@ -45,6 +52,7 @@ func NewBypass4netnsCNIBypassManager(client client.Client, rlkClient rlkclient.C
 		Client:        client,
 		rlkClient:     rlkClient,
 		ignoreSubnets: ignoreSubnets,
+		ignoreBind:    !bindEnabled,
 	}
 	return pm, nil
 }
@@ -53,6 +61,7 @@ type Bypass4netnsCNIBypassManager struct {
 	client.Client
 	rlkClient     rlkclient.Client
 	ignoreSubnets []string
+	ignoreBind    bool
 }
 
 func (b4nnm *Bypass4netnsCNIBypassManager) StartBypass(ctx context.Context, ports []gocni.PortMapping, id, stateDir string) error {
@@ -84,17 +93,20 @@ func (b4nnm *Bypass4netnsCNIBypassManager) StartBypass(ctx context.Context, port
 		LogFilePath: logFilePath,
 		// "auto" can detect CNI CIDRs automatically
 		IgnoreSubnets: append([]string{"127.0.0.0/8", rlkCIDR, "auto"}, b4nnm.ignoreSubnets...),
+		IgnoreBind:    b4nnm.ignoreBind,
 	}
-	portMap := []b4nnapi.PortSpec{}
-	for _, p := range ports {
-		portMap = append(portMap, b4nnapi.PortSpec{
-			ParentIP:   p.HostIP,
-			ParentPort: int(p.HostPort),
-			ChildPort:  int(p.ContainerPort),
-			Protos:     []string{p.Protocol},
-		})
+	if !b4nnm.ignoreBind {
+		portMap := []b4nnapi.PortSpec{}
+		for _, p := range ports {
+			portMap = append(portMap, b4nnapi.PortSpec{
+				ParentIP:   p.HostIP,
+				ParentPort: int(p.HostPort),
+				ChildPort:  int(p.ContainerPort),
+				Protos:     []string{p.Protocol},
+			})
+		}
+		spec.PortMapping = portMap
 	}
-	spec.PortMapping = portMap
 	_, err = b4nnm.BypassManager().StartBypass(ctx, spec)
 	if err != nil {
 		return err

pkg/bypass4netnsutil/bypass4netnsutil.go

@@ -133,15 +133,21 @@ func GetPidFilePathByID(id string) (string, error) {
 	return socketPath, nil
 }
 
-func IsBypass4netnsEnabled(annotationsMap map[string]string) (bool, error) {
+func IsBypass4netnsEnabled(annotationsMap map[string]string) (enabled, bindEnabled bool, err error) {
 	if b4nn, ok := annotationsMap[annotations.Bypass4netns]; ok {
-		b4nnEnable, err := strconv.ParseBool(b4nn)
+		enabled, err = strconv.ParseBool(b4nn)
 		if err != nil {
-			return false, err
+			return
+		}
+		bindEnabled = enabled
+		if s, ok := annotationsMap[annotations.Bypass4netnsIgnoreBind]; ok {
+			var bindDisabled bool
+			bindDisabled, err = strconv.ParseBool(s)
+			if err != nil {
+				return
+			}
+			bindEnabled = !bindDisabled
 		}
-
-		return b4nnEnable, nil
 	}
-
-	return false, nil
+	return
 }

pkg/ocihook/ocihook.go

@@ -202,7 +202,7 @@ func newHandlerOpts(state *specs.State, dataStore, cniPath, cniNetconfPath strin
 		if err != nil {
 			return nil, err
 		}
-		b4nnEnabled, err := bypass4netnsutil.IsBypass4netnsEnabled(o.state.Annotations)
+		b4nnEnabled, _, err := bypass4netnsutil.IsBypass4netnsEnabled(o.state.Annotations)
 		if err != nil {
 			return nil, err
 		}
@@ -438,7 +438,7 @@ func applyNetworkSettings(opts *handlerOpts) error {
 		hsMeta.Networks[cniName] = cniResRaw[i]
 	}
 
-	b4nnEnabled, err := bypass4netnsutil.IsBypass4netnsEnabled(opts.state.Annotations)
+	b4nnEnabled, b4nnBindEnabled, err := bypass4netnsutil.IsBypass4netnsEnabled(opts.state.Annotations)
 	if err != nil {
 		return err
 	}
@@ -457,7 +457,8 @@ func applyNetworkSettings(opts *handlerOpts) error {
 			if err != nil {
 				return fmt.Errorf("bypass4netnsd not running? (Hint: run `containerd-rootless-setuptool.sh install-bypass4netnsd`): %w", err)
 			}
-		} else if len(opts.ports) > 0 {
+		}
+		if !b4nnBindEnabled && len(opts.ports) > 0 {
 			if err := exposePortsRootless(ctx, opts.rootlessKitClient, opts.ports); err != nil {
 				return fmt.Errorf("failed to expose ports in rootless mode: %s", err)
 			}
@@ -487,7 +488,7 @@ func onPostStop(opts *handlerOpts) error {
 	ns := opts.state.Annotations[labels.Namespace]
 	if opts.cni != nil {
 		var err error
-		b4nnEnabled, err := bypass4netnsutil.IsBypass4netnsEnabled(opts.state.Annotations)
+		b4nnEnabled, b4nnBindEnabled, err := bypass4netnsutil.IsBypass4netnsEnabled(opts.state.Annotations)
 		if err != nil {
 			return err
 		}
@@ -501,7 +502,8 @@ func onPostStop(opts *handlerOpts) error {
 				if err != nil {
 					return err
 				}
-			} else if len(opts.ports) > 0 {
+			}
+			if !b4nnBindEnabled && len(opts.ports) > 0 {
 				if err := unexposePortsRootless(ctx, opts.rootlessKitClient, opts.ports); err != nil {
 					return fmt.Errorf("failed to unexpose ports in rootless mode: %s", err)
 				}