diff --git a/smoketest/scripts/cli/test_container.py b/smoketest/scripts/cli/test_container.py
index 5d574ab7d..51559a7c6 100755
--- a/smoketest/scripts/cli/test_container.py
+++ b/smoketest/scripts/cli/test_container.py
@@ -1,299 +1,309 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import unittest
import glob
import json
from base_vyostest_shim import VyOSUnitTestSHIM
from ipaddress import ip_interface
from vyos.configsession import ConfigSessionError
from vyos.utils.process import cmd
from vyos.utils.process import process_named_running
base_path = ['container']
cont_image = 'busybox:stable' # busybox is included in vyos-build
PROCESS_NAME = 'conmon'
PROCESS_PIDFILE = '/run/vyos-container-{0}.service.pid'
busybox_image_path = '/usr/share/vyos/busybox-stable.tar'
def cmd_to_json(command):
c = cmd(command + ' --format=json')
data = json.loads(c)[0]
return data
class TestContainer(VyOSUnitTestSHIM.TestCase):
@classmethod
def setUpClass(cls):
super(TestContainer, cls).setUpClass()
# Load image for smoketest provided in vyos-build
try:
cmd(f'cat {busybox_image_path} | sudo podman load')
except:
cls.skipTest(cls, reason='busybox image not available')
# ensure we can also run this test on a live system - so lets clean
# out the current configuration :)
cls.cli_delete(cls, base_path)
@classmethod
def tearDownClass(cls):
super(TestContainer, cls).tearDownClass()
# Cleanup podman image
cmd(f'sudo podman image rm -f {cont_image}')
def tearDown(self):
self.cli_delete(base_path)
self.cli_commit()
# Ensure no container process remains
self.assertIsNone(process_named_running(PROCESS_NAME))
# Ensure systemd units are removed
units = glob.glob('/run/systemd/system/vyos-container-*')
self.assertEqual(units, [])
def test_basic(self):
cont_name = 'c1'
self.cli_set(['interfaces', 'ethernet', 'eth0', 'address', '10.0.2.15/24'])
self.cli_set(['protocols', 'static', 'route', '0.0.0.0/0', 'next-hop', '10.0.2.2'])
self.cli_set(['system', 'name-server', '1.1.1.1'])
self.cli_set(['system', 'name-server', '8.8.8.8'])
self.cli_set(base_path + ['name', cont_name, 'image', cont_image])
self.cli_set(base_path + ['name', cont_name, 'allow-host-networks'])
self.cli_set(base_path + ['name', cont_name, 'sysctl', 'parameter', 'kernel.msgmax', 'value', '4096'])
# commit changes
self.cli_commit()
pid = 0
with open(PROCESS_PIDFILE.format(cont_name), 'r') as f:
pid = int(f.read())
# Check for running process
self.assertEqual(process_named_running(PROCESS_NAME), pid)
# verify
tmp = cmd(f'sudo podman exec -it {cont_name} sysctl kernel.msgmax')
self.assertEqual(tmp, 'kernel.msgmax = 4096')
def test_name_server(self):
cont_name = 'dns-test'
+ net_name = 'net-test'
name_server = '192.168.0.1'
- self.cli_set(base_path + ['name', cont_name, 'allow-host-networks'])
+ prefix = '192.0.2.0/24'
+
+ self.cli_set(base_path + ['network', net_name, 'prefix', prefix])
+
self.cli_set(base_path + ['name', cont_name, 'image', cont_image])
self.cli_set(base_path + ['name', cont_name, 'name-server', name_server])
+ self.cli_set(base_path + ['name', cont_name, 'network', net_name, 'address', str(ip_interface(prefix).ip + 2)])
+ # verify() - name server has no effect when container network has dns enabled
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+
+ self.cli_set(base_path + ['network', net_name, 'no-name-server'])
self.cli_commit()
n = cmd_to_json(f'sudo podman inspect {cont_name}')
self.assertEqual(n['HostConfig']['Dns'][0], name_server)
tmp = cmd(f'sudo podman exec -it {cont_name} cat /etc/resolv.conf')
self.assertIn(name_server, tmp)
def test_cpu_limit(self):
cont_name = 'c2'
self.cli_set(base_path + ['name', cont_name, 'allow-host-networks'])
self.cli_set(base_path + ['name', cont_name, 'image', cont_image])
self.cli_set(base_path + ['name', cont_name, 'cpu-quota', '1.25'])
self.cli_commit()
pid = 0
with open(PROCESS_PIDFILE.format(cont_name), 'r') as f:
pid = int(f.read())
# Check for running process
self.assertEqual(process_named_running(PROCESS_NAME), pid)
def test_ipv4_network(self):
prefix = '192.0.2.0/24'
base_name = 'ipv4'
net_name = 'NET01'
self.cli_set(base_path + ['network', net_name, 'prefix', prefix])
for ii in range(1, 6):
name = f'{base_name}-{ii}'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix).ip + ii)])
# verify() - first IP address of a prefix can not be used by a container
with self.assertRaises(ConfigSessionError):
self.cli_commit()
tmp = f'{base_name}-1'
self.cli_delete(base_path + ['name', tmp])
self.cli_commit()
n = cmd_to_json(f'sudo podman network inspect {net_name}')
self.assertEqual(n['subnets'][0]['subnet'], prefix)
# skipt first container, it was never created
for ii in range(2, 6):
name = f'{base_name}-{ii}'
c = cmd_to_json(f'sudo podman container inspect {name}')
self.assertEqual(c['NetworkSettings']['Networks'][net_name]['Gateway'] , str(ip_interface(prefix).ip + 1))
self.assertEqual(c['NetworkSettings']['Networks'][net_name]['IPAddress'], str(ip_interface(prefix).ip + ii))
def test_ipv6_network(self):
prefix = '2001:db8::/64'
base_name = 'ipv6'
net_name = 'NET02'
self.cli_set(base_path + ['network', net_name, 'prefix', prefix])
for ii in range(1, 6):
name = f'{base_name}-{ii}'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix).ip + ii)])
# verify() - first IP address of a prefix can not be used by a container
with self.assertRaises(ConfigSessionError):
self.cli_commit()
tmp = f'{base_name}-1'
self.cli_delete(base_path + ['name', tmp])
self.cli_commit()
n = cmd_to_json(f'sudo podman network inspect {net_name}')
self.assertEqual(n['subnets'][0]['subnet'], prefix)
# skipt first container, it was never created
for ii in range(2, 6):
name = f'{base_name}-{ii}'
c = cmd_to_json(f'sudo podman container inspect {name}')
self.assertEqual(c['NetworkSettings']['Networks'][net_name]['IPv6Gateway'] , str(ip_interface(prefix).ip + 1))
self.assertEqual(c['NetworkSettings']['Networks'][net_name]['GlobalIPv6Address'], str(ip_interface(prefix).ip + ii))
def test_dual_stack_network(self):
prefix4 = '192.0.2.0/24'
prefix6 = '2001:db8::/64'
base_name = 'dual-stack'
net_name = 'net-4-6'
self.cli_set(base_path + ['network', net_name, 'prefix', prefix4])
self.cli_set(base_path + ['network', net_name, 'prefix', prefix6])
for ii in range(1, 6):
name = f'{base_name}-{ii}'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix4).ip + ii)])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix6).ip + ii)])
# verify() - first IP address of a prefix can not be used by a container
with self.assertRaises(ConfigSessionError):
self.cli_commit()
tmp = f'{base_name}-1'
self.cli_delete(base_path + ['name', tmp])
self.cli_commit()
n = cmd_to_json(f'sudo podman network inspect {net_name}')
self.assertEqual(n['subnets'][0]['subnet'], prefix4)
self.assertEqual(n['subnets'][1]['subnet'], prefix6)
# skipt first container, it was never created
for ii in range(2, 6):
name = f'{base_name}-{ii}'
c = cmd_to_json(f'sudo podman container inspect {name}')
self.assertEqual(c['NetworkSettings']['Networks'][net_name]['IPv6Gateway'] , str(ip_interface(prefix6).ip + 1))
self.assertEqual(c['NetworkSettings']['Networks'][net_name]['GlobalIPv6Address'], str(ip_interface(prefix6).ip + ii))
self.assertEqual(c['NetworkSettings']['Networks'][net_name]['Gateway'] , str(ip_interface(prefix4).ip + 1))
self.assertEqual(c['NetworkSettings']['Networks'][net_name]['IPAddress'] , str(ip_interface(prefix4).ip + ii))
def test_no_name_server(self):
prefix = '192.0.2.0/24'
base_name = 'ipv4'
net_name = 'NET01'
self.cli_set(base_path + ['network', net_name, 'prefix', prefix])
self.cli_set(base_path + ['network', net_name, 'no-name-server'])
name = f'{base_name}-2'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix).ip + 2)])
self.cli_commit()
n = cmd_to_json(f'sudo podman network inspect {net_name}')
self.assertEqual(n['dns_enabled'], False)
def test_network_mtu(self):
prefix = '192.0.2.0/24'
base_name = 'ipv4'
net_name = 'NET01'
self.cli_set(base_path + ['network', net_name, 'prefix', prefix])
self.cli_set(base_path + ['network', net_name, 'mtu', '1280'])
name = f'{base_name}-2'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix).ip + 2)])
self.cli_commit()
n = cmd_to_json(f'sudo podman network inspect {net_name}')
self.assertEqual(n['options']['mtu'], '1280')
def test_uid_gid(self):
cont_name = 'uid-test'
gid = '100'
uid = '1001'
self.cli_set(base_path + ['name', cont_name, 'allow-host-networks'])
self.cli_set(base_path + ['name', cont_name, 'image', cont_image])
self.cli_set(base_path + ['name', cont_name, 'gid', gid])
# verify() - GID can only be set if UID is set
with self.assertRaises(ConfigSessionError):
self.cli_commit()
self.cli_set(base_path + ['name', cont_name, 'uid', uid])
self.cli_commit()
# verify
tmp = cmd(f'sudo podman exec -it {cont_name} id -u')
self.assertEqual(tmp, uid)
tmp = cmd(f'sudo podman exec -it {cont_name} id -g')
self.assertEqual(tmp, gid)
def test_api_socket(self):
base_name = 'api-test'
container_list = range(1, 5)
for ii in container_list:
name = f'{base_name}-{ii}'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'allow-host-networks'])
self.cli_commit()
# Query API about running containers
tmp = cmd("sudo curl --unix-socket /run/podman/podman.sock -H 'content-type: application/json' -sf http://localhost/containers/json")
tmp = json.loads(tmp)
# We expect the same amount of containers from the API that we started above
self.assertEqual(len(container_list), len(tmp))
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 4d3962029..594de3eb0 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -1,536 +1,539 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from decimal import Decimal
from hashlib import sha256
from ipaddress import ip_address
from ipaddress import ip_network
from json import dumps as json_write
from vyos.base import Warning
from vyos.config import Config
from vyos.configdict import dict_merge
from vyos.configdict import node_changed
from vyos.configdict import is_node_changed
from vyos.configverify import verify_vrf
from vyos.ifconfig import Interface
from vyos.utils.cpu import get_core_count
from vyos.utils.file import write_file
from vyos.utils.process import call
from vyos.utils.process import cmd
from vyos.utils.process import run
from vyos.utils.network import interface_exists
from vyos.template import bracketize_ipv6
from vyos.template import inc_ip
from vyos.template import is_ipv4
from vyos.template import is_ipv6
from vyos.template import render
from vyos.xml_ref import default_value
from vyos import ConfigError
from vyos import airbag
airbag.enable()
config_containers = '/etc/containers/containers.conf'
config_registry = '/etc/containers/registries.conf'
config_storage = '/etc/containers/storage.conf'
systemd_unit_path = '/run/systemd/system'
def _cmd(command):
if os.path.exists('/tmp/vyos.container.debug'):
print(command)
return cmd(command)
def network_exists(name):
# Check explicit name for network, returns True if network exists
c = _cmd(f'podman network ls --quiet --filter name=^{name}$')
return bool(c)
# Common functions
def get_config(config=None):
if config:
conf = config
else:
conf = Config()
base = ['container']
container = conf.get_config_dict(base, key_mangling=('-', '_'),
no_tag_node_value_mangle=True,
get_first_key=True,
with_recursive_defaults=True)
for name in container.get('name', []):
# T5047: Any container related configuration changed? We only
# wan't to restart the required containers and not all of them ...
tmp = is_node_changed(conf, base + ['name', name])
if tmp:
if 'container_restart' not in container:
container['container_restart'] = [name]
else:
container['container_restart'].append(name)
# registry is a tagNode with default values - merge the list from
# default_values['registry'] into the tagNode variables
if 'registry' not in container:
container.update({'registry': {}})
default_values = default_value(base + ['registry'])
for registry in default_values:
tmp = {registry: {}}
container['registry'] = dict_merge(tmp, container['registry'])
# Delete container network, delete containers
tmp = node_changed(conf, base + ['network'])
if tmp: container.update({'network_remove': tmp})
tmp = node_changed(conf, base + ['name'])
if tmp: container.update({'container_remove': tmp})
return container
def verify(container):
# bail out early - looks like removal from running config
if not container:
return None
# Add new container
if 'name' in container:
for name, container_config in container['name'].items():
# Container image is a mandatory option
if 'image' not in container_config:
raise ConfigError(f'Container image for "{name}" is mandatory!')
# Check if requested container image exists locally. If it does not
# exist locally - inform the user. This is required as there is a
# shared container image storage accross all VyOS images. A user can
# delete a container image from the system, boot into another version
# of VyOS and then it would fail to boot. This is to prevent any
# configuration error when container images are deleted from the
# global storage. A per image local storage would be a super waste
# of diskspace as there will be a full copy (up tu several GB/image)
# on upgrade. This is the "cheapest" and fastest solution in terms
# of image upgrade and deletion.
image = container_config['image']
if run(f'podman image exists {image}') != 0:
Warning(f'Image "{image}" used in container "{name}" does not exist ' \
f'locally. Please use "add container image {image}" to add it ' \
f'to the system! Container "{name}" will not be started!')
if 'cpu_quota' in container_config:
cores = get_core_count()
if Decimal(container_config['cpu_quota']) > cores:
raise ConfigError(f'Cannot set limit to more cores than available "{name}"!')
if 'network' in container_config:
if len(container_config['network']) > 1:
raise ConfigError(f'Only one network can be specified for container "{name}"!')
# Check if the specified container network exists
network_name = list(container_config['network'])[0]
if network_name not in container.get('network', {}):
raise ConfigError(f'Container network "{network_name}" does not exist!')
+ if 'name_server' in container_config and 'no_name_server' not in container['network'][network_name]:
+ raise ConfigError(f'Setting name server has no effect when attached container network has DNS enabled!')
+
if 'address' in container_config['network'][network_name]:
cnt_ipv4 = 0
cnt_ipv6 = 0
for address in container_config['network'][network_name]['address']:
network = None
if is_ipv4(address):
try:
network = [x for x in container['network'][network_name]['prefix'] if is_ipv4(x)][0]
cnt_ipv4 += 1
except:
raise ConfigError(f'Network "{network_name}" does not contain an IPv4 prefix!')
elif is_ipv6(address):
try:
network = [x for x in container['network'][network_name]['prefix'] if is_ipv6(x)][0]
cnt_ipv6 += 1
except:
raise ConfigError(f'Network "{network_name}" does not contain an IPv6 prefix!')
# Specified container IP address must belong to network prefix
if ip_address(address) not in ip_network(network):
raise ConfigError(f'Used container address "{address}" not in network "{network}"!')
# We can not use the first IP address of a network prefix as this is used by podman
if ip_address(address) == ip_network(network)[1]:
raise ConfigError(f'IP address "{address}" can not be used for a container, ' \
'reserved for the container engine!')
if cnt_ipv4 > 1 or cnt_ipv6 > 1:
raise ConfigError(f'Only one IP address per address family can be used for ' \
f'container "{name}". {cnt_ipv4} IPv4 and {cnt_ipv6} IPv6 address(es)!')
if 'device' in container_config:
for dev, dev_config in container_config['device'].items():
if 'source' not in dev_config:
raise ConfigError(f'Device "{dev}" has no source path configured!')
if 'destination' not in dev_config:
raise ConfigError(f'Device "{dev}" has no destination path configured!')
source = dev_config['source']
if not os.path.exists(source):
raise ConfigError(f'Device "{dev}" source path "{source}" does not exist!')
if 'sysctl' in container_config and 'parameter' in container_config['sysctl']:
for var, cfg in container_config['sysctl']['parameter'].items():
if 'value' not in cfg:
raise ConfigError(f'sysctl parameter {var} has no value assigned!')
if var.startswith('net.') and 'allow_host_networks' in container_config:
raise ConfigError(f'sysctl parameter {var} cannot be set when using host networking!')
if 'environment' in container_config:
for var, cfg in container_config['environment'].items():
if 'value' not in cfg:
raise ConfigError(f'Environment variable {var} has no value assigned!')
if 'label' in container_config:
for var, cfg in container_config['label'].items():
if 'value' not in cfg:
raise ConfigError(f'Label variable {var} has no value assigned!')
if 'volume' in container_config:
for volume, volume_config in container_config['volume'].items():
if 'source' not in volume_config:
raise ConfigError(f'Volume "{volume}" has no source path configured!')
if 'destination' not in volume_config:
raise ConfigError(f'Volume "{volume}" has no destination path configured!')
source = volume_config['source']
if not os.path.exists(source):
raise ConfigError(f'Volume "{volume}" source path "{source}" does not exist!')
if 'port' in container_config:
for tmp in container_config['port']:
if not {'source', 'destination'} <= set(container_config['port'][tmp]):
raise ConfigError(f'Both "source" and "destination" must be specified for a port mapping!')
# If 'allow-host-networks' or 'network' not set.
if 'allow_host_networks' not in container_config and 'network' not in container_config:
raise ConfigError(f'Must either set "network" or "allow-host-networks" for container "{name}"!')
# Can not set both allow-host-networks and network at the same time
if {'allow_host_networks', 'network'} <= set(container_config):
raise ConfigError(
f'"allow-host-networks" and "network" for "{name}" cannot be both configured at the same time!')
# gid cannot be set without uid
if 'gid' in container_config and 'uid' not in container_config:
raise ConfigError(f'Cannot set "gid" without "uid" for container')
# Add new network
if 'network' in container:
for network, network_config in container['network'].items():
v4_prefix = 0
v6_prefix = 0
# If ipv4-prefix not defined for user-defined network
if 'prefix' not in network_config:
raise ConfigError(f'prefix for network "{network}" must be defined!')
for prefix in network_config['prefix']:
if is_ipv4(prefix):
v4_prefix += 1
elif is_ipv6(prefix):
v6_prefix += 1
if v4_prefix > 1:
raise ConfigError(f'Only one IPv4 prefix can be defined for network "{network}"!')
if v6_prefix > 1:
raise ConfigError(f'Only one IPv6 prefix can be defined for network "{network}"!')
# Verify VRF exists
verify_vrf(network_config)
# A network attached to a container can not be deleted
if {'network_remove', 'name'} <= set(container):
for network in container['network_remove']:
for c, c_config in container['name'].items():
if 'network' in c_config and network in c_config['network']:
raise ConfigError(f'Can not remove network "{network}", used by container "{c}"!')
if 'registry' in container:
for registry, registry_config in container['registry'].items():
if 'authentication' not in registry_config:
continue
if not {'username', 'password'} <= set(registry_config['authentication']):
raise ConfigError('Container registry requires both username and password to be set!')
return None
def generate_run_arguments(name, container_config):
image = container_config['image']
cpu_quota = container_config['cpu_quota']
memory = container_config['memory']
shared_memory = container_config['shared_memory']
restart = container_config['restart']
# Add sysctl options
sysctl_opt = ''
if 'sysctl' in container_config and 'parameter' in container_config['sysctl']:
for k, v in container_config['sysctl']['parameter'].items():
sysctl_opt += f" --sysctl {k}={v['value']}"
# Add capability options. Should be in uppercase
capabilities = ''
if 'capability' in container_config:
for cap in container_config['capability']:
cap = cap.upper().replace('-', '_')
capabilities += f' --cap-add={cap}'
# Add a host device to the container /dev/x:/dev/x
device = ''
if 'device' in container_config:
for dev, dev_config in container_config['device'].items():
source_dev = dev_config['source']
dest_dev = dev_config['destination']
device += f' --device={source_dev}:{dest_dev}'
# Check/set environment options "-e foo=bar"
env_opt = ''
if 'environment' in container_config:
for k, v in container_config['environment'].items():
env_opt += f" --env \"{k}={v['value']}\""
# Check/set label options "--label foo=bar"
label = ''
if 'label' in container_config:
for k, v in container_config['label'].items():
label += f" --label \"{k}={v['value']}\""
hostname = ''
if 'host_name' in container_config:
hostname = container_config['host_name']
hostname = f'--hostname {hostname}'
# Publish ports
port = ''
if 'port' in container_config:
protocol = ''
for portmap in container_config['port']:
protocol = container_config['port'][portmap]['protocol']
sport = container_config['port'][portmap]['source']
dport = container_config['port'][portmap]['destination']
listen_addresses = container_config['port'][portmap].get('listen_address', [])
# If listen_addresses is not empty, include them in the publish command
if listen_addresses:
for listen_address in listen_addresses:
port += f' --publish {bracketize_ipv6(listen_address)}:{sport}:{dport}/{protocol}'
else:
# If listen_addresses is empty, just include the standard publish command
port += f' --publish {sport}:{dport}/{protocol}'
# Set uid and gid
uid = ''
if 'uid' in container_config:
uid = container_config['uid']
if 'gid' in container_config:
uid += ':' + container_config['gid']
uid = f'--user {uid}'
# Bind volume
volume = ''
if 'volume' in container_config:
for vol, vol_config in container_config['volume'].items():
svol = vol_config['source']
dvol = vol_config['destination']
mode = vol_config['mode']
prop = vol_config['propagation']
volume += f' --volume {svol}:{dvol}:{mode},{prop}'
host_pid = ''
if 'allow_host_pid' in container_config:
host_pid = '--pid host'
name_server = ''
if 'name_server' in container_config:
for ns in container_config['name_server']:
name_server += f'--dns {ns}'
container_base_cmd = f'--detach --interactive --tty --replace {capabilities} --cpus {cpu_quota} {sysctl_opt} ' \
f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \
f'--name {name} {hostname} {device} {port} {name_server} {volume} {env_opt} {label} {uid} {host_pid}'
entrypoint = ''
if 'entrypoint' in container_config:
# it needs to be json-formatted with single quote on the outside
entrypoint = json_write(container_config['entrypoint'].split()).replace('"', """)
entrypoint = f'--entrypoint '{entrypoint}''
command = ''
if 'command' in container_config:
command = container_config['command'].strip()
command_arguments = ''
if 'arguments' in container_config:
command_arguments = container_config['arguments'].strip()
if 'allow_host_networks' in container_config:
return f'{container_base_cmd} --net host {entrypoint} {image} {command} {command_arguments}'.strip()
ip_param = ''
networks = ",".join(container_config['network'])
for network in container_config['network']:
if 'address' not in container_config['network'][network]:
continue
for address in container_config['network'][network]['address']:
if is_ipv6(address):
ip_param += f' --ip6 {address}'
else:
ip_param += f' --ip {address}'
return f'{container_base_cmd} --no-healthcheck --net {networks} {ip_param} {entrypoint} {image} {command} {command_arguments}'.strip()
def generate(container):
# bail out early - looks like removal from running config
if not container:
for file in [config_containers, config_registry, config_storage]:
if os.path.exists(file):
os.unlink(file)
return None
if 'network' in container:
for network, network_config in container['network'].items():
tmp = {
'name': network,
'id': sha256(f'{network}'.encode()).hexdigest(),
'driver': 'bridge',
'network_interface': f'pod-{network}',
'subnets': [],
'ipv6_enabled': False,
'internal': False,
'dns_enabled': True,
'ipam_options': {
'driver': 'host-local'
},
'options': {
'mtu': '1500'
}
}
if 'no_name_server' in network_config:
tmp['dns_enabled'] = False
if 'mtu' in network_config:
tmp['options']['mtu'] = network_config['mtu']
for prefix in network_config['prefix']:
net = {'subnet': prefix, 'gateway': inc_ip(prefix, 1)}
tmp['subnets'].append(net)
if is_ipv6(prefix):
tmp['ipv6_enabled'] = True
write_file(f'/etc/containers/networks/{network}.json', json_write(tmp, indent=2))
render(config_containers, 'container/containers.conf.j2', container)
render(config_registry, 'container/registries.conf.j2', container)
render(config_storage, 'container/storage.conf.j2', container)
if 'name' in container:
for name, container_config in container['name'].items():
if 'disable' in container_config:
continue
file_path = os.path.join(systemd_unit_path, f'vyos-container-{name}.service')
run_args = generate_run_arguments(name, container_config)
render(file_path, 'container/systemd-unit.j2', {'name': name, 'run_args': run_args, },
formater=lambda _: _.replace(""", '"').replace("'", "'"))
return None
def apply(container):
# Delete old containers if needed. We can't delete running container
# Option "--force" allows to delete containers with any status
if 'container_remove' in container:
for name in container['container_remove']:
file_path = os.path.join(systemd_unit_path, f'vyos-container-{name}.service')
call(f'systemctl stop vyos-container-{name}.service')
if os.path.exists(file_path):
os.unlink(file_path)
call('systemctl daemon-reload')
# Delete old networks if needed
if 'network_remove' in container:
for network in container['network_remove']:
call(f'podman network rm {network} >/dev/null 2>&1')
# Add container
disabled_new = False
if 'name' in container:
for name, container_config in container['name'].items():
image = container_config['image']
if run(f'podman image exists {image}') != 0:
# container image does not exist locally - user already got
# informed by a WARNING in verfiy() - bail out early
continue
if 'disable' in container_config:
# check if there is a container by that name running
tmp = _cmd('podman ps -a --format "{{.Names}}"')
if name in tmp:
file_path = os.path.join(systemd_unit_path, f'vyos-container-{name}.service')
call(f'systemctl stop vyos-container-{name}.service')
if os.path.exists(file_path):
disabled_new = True
os.unlink(file_path)
continue
if 'container_restart' in container and name in container['container_restart']:
cmd(f'systemctl restart vyos-container-{name}.service')
if disabled_new:
call('systemctl daemon-reload')
# Start network and assign it to given VRF if requested. this can only be done
# after the containers got started as the podman network interface will
# only be enabled by the first container and yet I do not know how to enable
# the network interface in advance
if 'network' in container:
for network, network_config in container['network'].items():
network_name = f'pod-{network}'
# T5147: Networks are started only as soon as there is a consumer.
# If only a network is created in the first place, no need to assign
# it to a VRF as there's no consumer, yet.
if interface_exists(network_name):
tmp = Interface(network_name)
tmp.set_vrf(network_config.get('vrf', ''))
tmp.add_ipv6_eui64_address('fe80::/64')
return None
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
exit(1)