Merge pull request #1328 from runcom/record-hostnetwork-snb

sandbox: record whether sb is using host network

lib/container_server.go

@@ -340,6 +340,7 @@ func (c *ContainerServer) LoadSandbox(id string) error {
 
 	privileged := isTrue(m.Annotations[annotations.PrivilegedRuntime])
 	trusted := isTrue(m.Annotations[annotations.TrustedSandbox])
+	hostNetwork := isTrue(m.Annotations[annotations.HostNetwork])
 
 	sb, err := sandbox.New(id, m.Annotations[annotations.Namespace], name, m.Annotations[annotations.KubeName], filepath.Dir(m.Annotations[annotations.LogPath]), labels, kubeAnnotations, processLabel, mountLabel, &metadata, m.Annotations[annotations.ShmPath], m.Annotations[annotations.CgroupParent], privileged, trusted, m.Annotations[annotations.ResolvPath], m.Annotations[annotations.HostName], portMappings)
 	if err != nil {
@@ -348,6 +349,7 @@ func (c *ContainerServer) LoadSandbox(id string) error {
 	sb.AddHostnamePath(m.Annotations[annotations.HostnamePath])
 	sb.AddIP(ip)
 	sb.SetSeccompProfilePath(spp)
+	sb.SetHostNetwork(hostNetwork)
 
 	// We add a netNS only if we can load a permanent one.
 	// Otherwise, the sandbox will live in the host namespace.

lib/sandbox/sandbox.go

@@ -160,6 +160,7 @@ type Sandbox struct {
 	ip                 string
 	seccompProfilePath string
 	created            time.Time
+	hostNetwork        bool
 }
 
 const (
@@ -224,6 +225,16 @@ func (s *Sandbox) AddIP(ip string) {
 	s.ip = ip
 }
 
+// SetHostNetwork sets whether the pod is running using host network
+func (s *Sandbox) SetHostNetwork(hn bool) {
+	s.hostNetwork = hn
+}
+
+// HostNetwork returns whether the pod is using host network
+func (s *Sandbox) HostNetwork() bool {
+	return s.hostNetwork
+}
+
 // IP returns the ip of the sandbox
 func (s *Sandbox) IP() string {
 	return s.ip

pkg/annotations/annotations.go

@@ -25,6 +25,9 @@ const (
 	// IP is the container ipv4 or ipv6 address
 	IP = "io.kubernetes.cri-o.IP"
 
+	// HostNetwork tells whether the sandbox is using hostnetwork
+	HostNetwork = "io.kubernetes.cri-o.HostNetwork"
+
 	// SeccompProfilePath is the node seccomp profile path
 	SeccompProfilePath = "io.kubernetes.cri-o.SeccompProfilePath"
 

server/sandbox_run.go

@@ -353,6 +353,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	g.AddAnnotation(annotations.TrustedSandbox, fmt.Sprintf("%v", trusted))
 	g.AddAnnotation(annotations.ResolvPath, resolvPath)
 	g.AddAnnotation(annotations.HostName, hostname)
+	g.AddAnnotation(annotations.HostNetwork, fmt.Sprintf("%v", hostNetwork))
 	g.AddAnnotation(annotations.KubeName, kubeName)
 	if podContainer.Config.Config.StopSignal != "" {
 		// this key is defined in image-spec conversion document at https://github.com/opencontainers/image-spec/pull/492/files#diff-8aafbe2c3690162540381b8cdb157112R57
@@ -528,6 +529,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 
 	g.AddAnnotation(annotations.IP, ip)
 	sb.AddIP(ip)
+	sb.SetHostNetwork(hostNetwork)
 
 	spp := req.GetConfig().GetLinux().GetSecurityContext().GetSeccompProfilePath()
 	g.AddAnnotation(annotations.SeccompProfilePath, spp)

server/sandbox_status.go

@@ -31,6 +31,14 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR
 		rStatus = pb.PodSandboxState_SANDBOX_READY
 	}
 
+	linux := &pb.LinuxPodSandboxStatus{
+		Namespaces: &pb.Namespace{
+			Options: &pb.NamespaceOption{
+				HostNetwork: sb.HostNetwork(),
+			},
+		},
+	}
+
 	sandboxID := sb.ID()
 	resp = &pb.PodSandboxStatusResponse{
 		Status: &pb.PodSandboxStatus{
@@ -41,6 +49,7 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR
 			Labels:      sb.Labels(),
 			Annotations: sb.Annotations(),
 			Metadata:    sb.Metadata(),
+			Linux:       linux,
 		},
 	}