sandbox: record whether sb is using host network

We need to record whether the sandbox is using hostnetwok because the
kubelet needs that information when computing pod changes. Without this
patch it could happen that a pod that's using host network is restarted
just because the sandbox's status isn't reporting that it's running
using host network.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

lib/container_server.go

@@ -340,6 +340,7 @@ func (c *ContainerServer) LoadSandbox(id string) error {
 
 	privileged := isTrue(m.Annotations[annotations.PrivilegedRuntime])
 	trusted := isTrue(m.Annotations[annotations.TrustedSandbox])
+	hostNetwork := isTrue(m.Annotations[annotations.HostNetwork])
 
 	sb, err := sandbox.New(id, m.Annotations[annotations.Namespace], name, m.Annotations[annotations.KubeName], filepath.Dir(m.Annotations[annotations.LogPath]), labels, kubeAnnotations, processLabel, mountLabel, &metadata, m.Annotations[annotations.ShmPath], m.Annotations[annotations.CgroupParent], privileged, trusted, m.Annotations[annotations.ResolvPath], m.Annotations[annotations.HostName], portMappings)
 	if err != nil {
@@ -348,6 +349,7 @@ func (c *ContainerServer) LoadSandbox(id string) error {
 	sb.AddHostnamePath(m.Annotations[annotations.HostnamePath])
 	sb.AddIP(ip)
 	sb.SetSeccompProfilePath(spp)
+	sb.SetHostNetwork(hostNetwork)
 
 	// We add a netNS only if we can load a permanent one.
 	// Otherwise, the sandbox will live in the host namespace.

lib/sandbox/sandbox.go

@@ -160,6 +160,7 @@ type Sandbox struct {
 	ip                 string
 	seccompProfilePath string
 	created            time.Time
+	hostNetwork        bool
 }
 
 const (
@@ -224,6 +225,16 @@ func (s *Sandbox) AddIP(ip string) {
 	s.ip = ip
 }
 
+// SetHostNetwork sets whether the pod is running using host network
+func (s *Sandbox) SetHostNetwork(hn bool) {
+	s.hostNetwork = hn
+}
+
+// HostNetwork returns whether the pod is using host network
+func (s *Sandbox) HostNetwork() bool {
+	return s.hostNetwork
+}
+
 // IP returns the ip of the sandbox
 func (s *Sandbox) IP() string {
 	return s.ip

pkg/annotations/annotations.go

@@ -25,6 +25,9 @@ const (
 	// IP is the container ipv4 or ipv6 address
 	IP = "io.kubernetes.cri-o.IP"
 
+	// HostNetwork tells whether the sandbox is using hostnetwork
+	HostNetwork = "io.kubernetes.cri-o.HostNetwork"
+
 	// SeccompProfilePath is the node seccomp profile path
 	SeccompProfilePath = "io.kubernetes.cri-o.SeccompProfilePath"
 

server/sandbox_run.go

@@ -353,6 +353,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	g.AddAnnotation(annotations.TrustedSandbox, fmt.Sprintf("%v", trusted))
 	g.AddAnnotation(annotations.ResolvPath, resolvPath)
 	g.AddAnnotation(annotations.HostName, hostname)
+	g.AddAnnotation(annotations.HostNetwork, fmt.Sprintf("%v", hostNetwork))
 	g.AddAnnotation(annotations.KubeName, kubeName)
 	if podContainer.Config.Config.StopSignal != "" {
 		// this key is defined in image-spec conversion document at https://github.com/opencontainers/image-spec/pull/492/files#diff-8aafbe2c3690162540381b8cdb157112R57
@@ -528,6 +529,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 
 	g.AddAnnotation(annotations.IP, ip)
 	sb.AddIP(ip)
+	sb.SetHostNetwork(hostNetwork)
 
 	spp := req.GetConfig().GetLinux().GetSecurityContext().GetSeccompProfilePath()
 	g.AddAnnotation(annotations.SeccompProfilePath, spp)

server/sandbox_status.go

@@ -31,6 +31,14 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR
 		rStatus = pb.PodSandboxState_SANDBOX_READY
 	}
 
+	linux := &pb.LinuxPodSandboxStatus{
+		Namespaces: &pb.Namespace{
+			Options: &pb.NamespaceOption{
+				HostNetwork: sb.HostNetwork(),
+			},
+		},
+	}
+
 	sandboxID := sb.ID()
 	resp = &pb.PodSandboxStatusResponse{
 		Status: &pb.PodSandboxStatus{
@@ -41,6 +49,7 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR
 			Labels:      sb.Labels(),
 			Annotations: sb.Annotations(),
 			Metadata:    sb.Metadata(),
+			Linux:       linux,
 		},
 	}