add cni networking support

[tonistiigi]

based on the @kunalkushwaha earlier implementation

The integration tests now use bridge networking by default. Plan is to make it default in the release image as well in follow-up.

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com

[tonistiigi]

Saw CNI setup error: failed to set bridge addr: could not add IP address to "buildkit0": file exists in the CI. Does anyone have ideas? Should I guard the cni setup with a lockfile?

[crosbymichael]

I guess the setup needs to be locked so that it does not try to create the bridge when two initialization are running. It maybe better to init the bridge separately at boot instead of on-demand when a container needs it. You could probably do this by creating a temp netns and initializing it

[tonistiigi]

@crosbymichael Do I need to keep this ns running then or can I just setup and then remove it. First one would make it tricky to avoid leaks.

[tonistiigi]

In the tests multiple daemons will use the same bridge so even this temp ns would probably need to be protected. So a lockfile still seems like a way to go.

[crosbymichael]

You can just create an initial netns so that the bridge is initialized at boot then destroy it.

[crosbymichael]

why are you making two different paths for OCI and containerd cni binaries? I think it would be safe to just have one dir

[tonistiigi]

from a data structure perspective workers should be isolated, eg. there should be a remote worker in the future that could run on a different machine (and different net config). So I want these values to be tied to the worker, not to the builder instance.

[tonistiigi]

@crosbymichael I've switched the ns creation implementation over to go:linkname from reexec. PTAL

[crosbymichael]

namespace changes LGTM

[tiborvass]

vim ?

[tonistiigi]

there is a new dev target

[tiborvass]

Ping @AkihiroSuda