api,adaptation,generate: allow adjusting linux net devices

.golangci.yml

@@ -38,6 +38,12 @@ linters:
       - linters:
           - staticcheck
         text: "QF1008:"
+      # Ignore deprecation errors related to us haveing adjustment support for
+      # obsoleted Prestart OCI hook and kernel memory limit.
+      - path: 'pkg/api/hooks.go'
+        linters:
+          - staticcheck
+        text: "is deprecated"
 
 formatters:
   enable:

examples/go.mod

@@ -5,7 +5,7 @@ go 1.24.0
 require (
 	github.com/containerd/cgroups v1.0.3
 	github.com/containerd/nri v0.1.0
-	github.com/opencontainers/runtime-spec v1.1.0
+	github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67
 	github.com/sirupsen/logrus v1.9.3
 )
 

examples/go.sum

@@ -24,8 +24,8 @@ github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bll4AjJ9odEGpg=
-github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67 h1:Q+KewUGTMamIe6Q39xCD/T1NC1POmaTlWnhjikCrZHA=
+github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/moby/sys/mountinfo v0.6.2
 	github.com/onsi/ginkgo/v2 v2.19.1
 	github.com/onsi/gomega v1.34.0
-	github.com/opencontainers/runtime-spec v1.1.0
+	github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67
 	github.com/opencontainers/runtime-tools v0.9.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.8.4

go.sum

@@ -43,8 +43,8 @@ github.com/onsi/ginkgo/v2 v2.19.1/go.mod h1:O3DtEWQkPa/F7fBMgmZQKKsluAy8pd3rEQdr
 github.com/onsi/gomega v1.34.0 h1:eSSPsPNp6ZpsG8X1OVmOTxig+CblTc4AxpPBykhe2Os=
 github.com/onsi/gomega v1.34.0/go.mod h1:MIKI8c+f+QLWk+hxbePD4i0LMJSExPaZOVfkoex4cAo=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bll4AjJ9odEGpg=
-github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67 h1:Q+KewUGTMamIe6Q39xCD/T1NC1POmaTlWnhjikCrZHA=
+github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.0.0-20221026201742-946c877fa809 h1:WSwkWIIS4s+E/dPF6HuVZ/hnq1WfXN371eESjREnU8k=
 github.com/opencontainers/runtime-tools v0.0.0-20221026201742-946c877fa809/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
 github.com/opencontainers/selinux v1.9.1 h1:b4VPEF3O5JLZgdTDBmGepaaIbAo0GqoF6EBRq5f/g3Y=

pkg/adaptation/adaptation_suite_test.go

@@ -532,6 +532,17 @@ var _ = Describe("Plugin container creation adjustments", func() {
 				Class: api.IOPrioClass_IOPRIO_CLASS_NONE,
 			})
 
+		case "linux net device":
+			if overwrite {
+				a.RemoveLinuxNetDevice("hostIf")
+			}
+			a.AddLinuxNetDevice(
+				"hostIf",
+				&api.LinuxNetDevice{
+					Name: "containerIf",
+				},
+			)
+
 		case "resources/cpu":
 			a.SetLinuxCPUShares(123)
 			a.SetLinuxCPUQuota(456)
@@ -777,6 +788,19 @@ var _ = Describe("Plugin container creation adjustments", func() {
 					},
 				},
 			),
+
+			Entry("adjust linux net devices", "linux net device",
+				&api.ContainerAdjustment{
+					Linux: &api.LinuxContainerAdjustment{
+						NetDevices: map[string]*api.LinuxNetDevice{
+							"hostIf": {
+								Name: "containerIf",
+							},
+						},
+					},
+				},
+			),
+
 			Entry("clear I/O priority", "clear I/O priority",
 				&api.ContainerAdjustment{
 					Linux: &api.LinuxContainerAdjustment{
@@ -1045,7 +1069,21 @@ var _ = Describe("Plugin container creation adjustments", func() {
 				},
 			),
 			Entry("adjust resources", "resources/classes", false, true, nil),
+
 			Entry("adjust I/O priority (conflicts)", "I/O priority", false, true, nil),
+			Entry("adjust linux net devices", "linux net device", true, false,
+				&api.ContainerAdjustment{
+					Linux: &api.LinuxContainerAdjustment{
+						NetDevices: map[string]*api.LinuxNetDevice{
+							"-hostIf": nil,
+							"hostIf": {
+								Name: "containerIf",
+							},
+						},
+					},
+				},
+			),
+			Entry("adjust linux net devices (conflicts)", "linux net device", false, true, nil),
 		)
 	})
 

pkg/adaptation/api.go

@@ -92,6 +92,7 @@ type (
 	LinuxDeviceCgroup        = api.LinuxDeviceCgroup
 	LinuxIOPriority          = api.LinuxIOPriority
 	LinuxSeccomp             = api.LinuxSeccomp
+	LinuxNetDevice           = api.LinuxNetDevice
 	CDIDevice                = api.CDIDevice
 	HugepageLimit            = api.HugepageLimit
 	Hooks                    = api.Hooks

pkg/adaptation/result.go

@@ -82,6 +82,9 @@ func collectCreateContainerResult(request *CreateContainerRequest) *result {
 	if request.Container.Linux.Namespaces == nil {
 		request.Container.Linux.Namespaces = []*LinuxNamespace{}
 	}
+	if request.Container.Linux.NetDevices == nil {
+		request.Container.Linux.NetDevices = map[string]*LinuxNetDevice{}
+	}
 
 	return &result{
 		request: resultRequest{
@@ -104,6 +107,7 @@ func collectCreateContainerResult(request *CreateContainerRequest) *result {
 						Unified:        map[string]string{},
 					},
 					Namespaces: []*LinuxNamespace{},
+					NetDevices: map[string]*LinuxNetDevice{},
 				},
 			},
 		},
@@ -235,6 +239,9 @@ func (r *result) adjust(rpl *ContainerAdjustment, plugin string) error {
 		if err := r.adjustNamespaces(rpl.Linux.Namespaces, plugin); err != nil {
 			return err
 		}
+		if err := r.adjustLinuxNetDevices(rpl.Linux.NetDevices, plugin); err != nil {
+			return err
+		}
 	}
 	if err := r.adjustRlimits(rpl.Rlimits, plugin); err != nil {
 		return err
@@ -922,6 +929,41 @@ func (r *result) adjustRlimits(rlimits []*POSIXRlimit, plugin string) error {
 	return nil
 }
 
+func (r *result) adjustLinuxNetDevices(devices map[string]*LinuxNetDevice, plugin string) error {
+	if len(devices) == 0 {
+		return nil
+	}
+
+	create, id := r.request.create, r.request.create.Container.Id
+	del := map[string]struct{}{}
+	for k := range devices {
+		if key, marked := IsMarkedForRemoval(k); marked {
+			del[key] = struct{}{}
+			delete(devices, k)
+		}
+	}
+
+	for k, v := range devices {
+		if _, ok := del[k]; ok {
+			r.owners.ClearLinuxNetDevice(id, k, plugin)
+			delete(create.Container.Linux.NetDevices, k)
+			r.reply.adjust.Linux.NetDevices[MarkForRemoval(k)] = nil
+		}
+		if err := r.owners.ClaimLinuxNetDevice(id, k, plugin); err != nil {
+			return err
+		}
+		create.Container.Linux.NetDevices[k] = v
+		r.reply.adjust.Linux.NetDevices[k] = v
+		delete(del, k)
+	}
+
+	for k := range del {
+		r.reply.adjust.Linux.NetDevices[MarkForRemoval(k)] = nil
+	}
+
+	return nil
+}
+
 func (r *result) updateResources(reply, u *ContainerUpdate, plugin string) error {
 	if u.Linux == nil || u.Linux.Resources == nil {
 		return nil

pkg/api/adjustment.go

@@ -162,6 +162,24 @@ func (a *ContainerAdjustment) RemoveNamespace(n *LinuxNamespace) {
 	})
 }
 
+// AddLinuxNetDevice records the addition of the given network device to a container.
+func (a *ContainerAdjustment) AddLinuxNetDevice(hostDev string, d *LinuxNetDevice) {
+	if d == nil {
+		return
+	}
+	a.initLinuxNetDevices()
+	a.Linux.NetDevices[hostDev] = d
+}
+
+// RemoveLinuxNetDevice records the removal of a network device from a container.
+// Normally it is an error for a plugin to try and alter a network device
+// touched by another container. However, this is not an error if
+// the plugin removes that device prior to touching it.
+func (a *ContainerAdjustment) RemoveLinuxNetDevice(hostDev string) {
+	a.initLinuxNetDevices()
+	a.Linux.NetDevices[MarkForRemoval(hostDev)] = nil
+}
+
 // SetLinuxMemoryLimit records setting the memory limit for a container.
 func (a *ContainerAdjustment) SetLinuxMemoryLimit(value int64) {
 	a.initLinuxResourcesMemory()
@@ -379,3 +397,10 @@ func (a *ContainerAdjustment) initLinuxResourcesUnified() {
 		a.Linux.Resources.Unified = make(map[string]string)
 	}
 }
+
+func (a *ContainerAdjustment) initLinuxNetDevices() {
+	a.initLinux()
+	if a.Linux.NetDevices == nil {
+		a.Linux.NetDevices = make(map[string]*LinuxNetDevice)
+	}
+}