Merge pull request #2862 from twz123/moby-libnetwork

Remove docker/libnetwork

go.mod

@@ -16,7 +16,6 @@ require (
 	github.com/cloudflare/cfssl v1.6.3
 	github.com/containerd/containerd v1.6.18
 	github.com/denisbrodbeck/machineid v1.0.1
-	github.com/docker/libnetwork v0.8.0-dev.2.0.20201031180254-535ef365dc1d
 	github.com/estesp/manifest-tool/v2 v2.0.6
 	github.com/evanphx/json-patch v5.6.0+incompatible
 	github.com/fsnotify/fsnotify v1.6.0
@@ -180,7 +179,6 @@ require (
 	github.com/hashicorp/terraform-json v0.15.0 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/ishidawataru/sctp v0.0.0-20210707070123-9a39160e9062 // indirect
 	github.com/jhump/protoreflect v1.10.1 // indirect
 	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/jonboulle/clockwork v0.3.0 // indirect

go.sum

@@ -485,8 +485,6 @@ github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/libnetwork v0.8.0-dev.2.0.20201031180254-535ef365dc1d h1:ga1XdrLreHm+Q/rfesul80sMd+skKIyQfKT39A7WNew=
-github.com/docker/libnetwork v0.8.0-dev.2.0.20201031180254-535ef365dc1d/go.mod h1:93m0aTqz6z+g32wla4l4WxTrdtvBRmVzYRkYvasA5Z8=
 github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
@@ -900,8 +898,6 @@ github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
-github.com/ishidawataru/sctp v0.0.0-20210707070123-9a39160e9062 h1:G1+wBT0dwjIrBdLy0MIG0i+E4CQxEnedHXdauJEIH6g=
-github.com/ishidawataru/sctp v0.0.0-20210707070123-9a39160e9062/go.mod h1:co9pwDoBCm1kGxawmb4sPq0cSIOOWNPT4KnHotMP1Zg=
 github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
 github.com/jarcoal/httpmock v1.0.5/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=

pkg/component/worker/kubelet.go

@@ -17,13 +17,16 @@ limitations under the License.
 package worker
 
 import (
+	"bufio"
 	"context"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"os"
 	"path"
 	"path/filepath"
+	"regexp"
 	"runtime"
 	"strings"
 
@@ -42,7 +45,6 @@ import (
 	kubeletv1beta1 "k8s.io/kubelet/config/v1beta1"
 	"k8s.io/utils/pointer"
 
-	"github.com/docker/libnetwork/resolvconf"
 	"github.com/sirupsen/logrus"
 	"sigs.k8s.io/yaml"
 )
@@ -155,9 +157,6 @@ func (k *Kubelet) Start(ctx context.Context) error {
 
 	logrus.Info("Starting kubelet")
 	kubeletConfigPath := filepath.Join(k.K0sVars.DataDir, "kubelet-config.yaml")
-	// get the "real" resolv.conf file (in systemd-resolvd bases system,
-	// this will return /run/systemd/resolve/resolv.conf
-	resolvConfPath := resolvconf.Path()
 
 	args := stringmap.StringMap{
 		"--root-dir":        k.dataDir,
@@ -189,7 +188,7 @@ func (k *Kubelet) Start(ctx context.Context) error {
 		args["--cert-dir"] = "C:\\var\\lib\\k0s\\kubelet_certs"
 	} else {
 		kubeletConfigData.CgroupsPerQOS = true
-		kubeletConfigData.ResolvConf = resolvConfPath
+		kubeletConfigData.ResolvConf = determineKubeletResolvConfPath()
 	}
 
 	if k.CRISocket != "" {
@@ -344,3 +343,70 @@ func validateTaintEffect(effect corev1.TaintEffect) error {
 
 	return nil
 }
+
+// determineKubeletResolvConfPath returns the path to the resolv.conf file that
+// the kubelet should use.
+func determineKubeletResolvConfPath() string {
+	path := "/etc/resolv.conf"
+
+	// https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html#/etc/resolv.conf
+	// If it's likely that resolv.conf is pointing to a systemd-resolved
+	// nameserver, that nameserver won't be reachable from within containers.
+	// Try to use the alternative resolv.conf path used by systemd-resolved instead.
+	detected, err := hasSystemdResolvedNameserver(path)
+	if err != nil {
+		logrus.WithError(err).Infof("Error while trying to detect the presence of systemd-resolved, using resolv.conf: %s", path)
+		return path
+	}
+
+	if detected {
+		alternatePath := "/run/systemd/resolve/resolv.conf"
+		logrus.Infof("The file %s looks like it's managed by systemd-resolved, using resolv.conf: %s", path, alternatePath)
+		return alternatePath
+	}
+
+	logrus.Infof("Using resolv.conf: %s", path)
+	return path
+}
+
+// hasSystemdResolvedNameserver parses the given resolv.conf file and checks if
+// it contains 127.0.0.53 as the only nameserver. Then it is assumed to be
+// systemd-resolved managed.
+func hasSystemdResolvedNameserver(resolvConfPath string) (bool, error) {
+	f, err := os.Open(resolvConfPath)
+	if err != nil {
+		return false, err
+	}
+
+	defer f.Close()
+
+	// This is roughly how glibc and musl do it: check for "nameserver" followed
+	// by whitespace, then try to parse the next bytes as IP address,
+	// disregarding anything after any additional whitespace.
+	// https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/res_init.c;h=cce842fa9311c5bdba629f5e78c19746f75ef18e;hb=refs/tags/glibc-2.37#l396
+	// https://git.etalabs.net/cgit/musl/tree/src/network/resolvconf.c?h=v1.2.3#n62
+
+	nameserverLine := regexp.MustCompile(`^nameserver\s+(\S+)`)
+
+	lines := bufio.NewScanner(f)
+	systemdResolvedIPSeen := false
+	for lines.Scan() {
+		match := nameserverLine.FindSubmatch(lines.Bytes())
+		if len(match) < 1 {
+			continue
+		}
+		ip := net.ParseIP(string(match[1]))
+		if ip == nil {
+			continue
+		}
+		if systemdResolvedIPSeen || !ip.Equal(net.IP{127, 0, 0, 53}) {
+			return false, nil
+		}
+		systemdResolvedIPSeen = true
+	}
+	if err := lines.Err(); err != nil {
+		return false, err
+	}
+
+	return systemdResolvedIPSeen, nil
+}

pkg/component/worker/kubelet_test.go

@@ -17,9 +17,13 @@ limitations under the License.
 package worker
 
 import (
-	corev1 "k8s.io/api/core/v1"
+	"os"
+	"path/filepath"
 	"testing"
 
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -123,3 +127,52 @@ func TestParseTaints(t *testing.T) {
 		require.Equal(t, c.expectedTaint, taint)
 	}
 }
+
+func TestHasSystemdResolvedNameserver(t *testing.T) {
+	t.Run("nonexistent_file", func(t *testing.T) {
+		path := filepath.Join(t.TempDir(), "resolv.conf")
+		detected, err := hasSystemdResolvedNameserver(path)
+		assert.ErrorIs(t, err, os.ErrNotExist)
+		assert.False(t, detected)
+	})
+
+	for _, test := range []struct {
+		name     string
+		content  string
+		expected bool
+	}{
+		{"empty_file", "", false},
+		{"no_nameservers", "search example.com\n", false},
+		{"whitespace", "  nameserver\t127.0.0.53   ", false}, // no whitespace allowed in front of keywords
+		{"trailing_nonsense", "nameserver\t127.0.0.53  you won't look at me, right?", true},
+		{
+			"multiple_nameservers_systemd_resolved_first",
+			"nameserver 127.0.0.53\nsearch example.com\nnameserver 1.2.3.4",
+			false,
+		},
+		{
+			"multiple_nameservers_systemd_resolved_second",
+			"nameserver 1.2.3.4\nnameserver 127.0.0.53\nsearch example.com",
+			false,
+		},
+		{
+			"commented_nameserver",
+			"search example.com\nnameserver 127.0.0.53\n#nameserver 1.2.3.4",
+			true,
+		},
+		{
+			"comment_after_nameserver",
+			"search example.com\nnameserver 127.0.0.53 # not 1.2.3.4",
+			true,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			path := filepath.Join(t.TempDir(), "resolv.conf")
+			require.NoError(t, os.WriteFile(path, []byte(test.content), 0644))
+			detected, err := hasSystemdResolvedNameserver(path)
+			if assert.NoError(t, err) {
+				assert.Equal(t, test.expected, detected)
+			}
+		})
+	}
+}