Added fields `chain` and `excludeDevices` to `PortMapper`. Review: https://reviews.apache.org/r/51736/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/fba4c1e8 Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/fba4c1e8 Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/fba4c1e8 Branch: refs/heads/master Commit: fba4c1e85c4417c79764dd5858192851b2e0eabd Parents: 06d2e23 Author: Avinash sridharan <avin...@mesosphere.io> Authored: Wed Oct 12 09:11:30 2016 -0700 Committer: Jie Yu <yujie....@gmail.com> Committed: Wed Oct 12 10:59:45 2016 -0700 ---------------------------------------------------------------------- .../cni/plugins/port_mapper/port_mapper.cpp | 28 +++++++++++++++++++- .../cni/plugins/port_mapper/port_mapper.hpp | 22 +++++++++++++-- 2 files changed, 47 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/fba4c1e8/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp ----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp b/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp
index 0ecf64f..836fed5 100644
--- a/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp
+++ b/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp
@@ -20,6 +20,7 @@
 #include "slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.hpp"
 
 using std::string;
+using std::vector;
 
 using process::Future;
 using process::Owned;
@@ -91,6 +92,29 @@ Try<Owned<PortMapper>> PortMapper::create(const string& _cniConfig)
         ERROR_BAD_ARGS));
   }
 
+  vector<string> excludeDevices;
+
+  Result<JSON::Array> _excludeDevices =
+    cniConfig->find<JSON::Array>("excludeDevices");
+
+  if (_excludeDevices.isError()) {
+    return Error(spec::error(
+        "Failed to parse field 'excludeDevices': " +
+        _excludeDevices.error(),
+        ERROR_BAD_ARGS));
+  } else if (_excludeDevices.isSome()) {
+    foreach (const JSON::Value& value, _excludeDevices->values) {
+      if (!value.is<JSON::String>()) {
+        return Error(spec::error(
+            "Failed to parse 'excludeDevices' list. "
+            "The excluded device needs to be a string",
+            ERROR_BAD_ARGS));
+      }
+
+      excludeDevices.push_back(value.as<JSON::String>().value);
+    }
+  }
+
   // While the 'args' field is optional in the CNI spec it is critical
   // to the port-mapper plugin to learn of any port-mappings that the
   // framework might have requested for this container.
@@ -175,7 +199,9 @@ Try<Owned<PortMapper>> PortMapper::create(const string& _cniConfig)
       cniPath.get(),
       networkInfo.get(),
       delegatePlugin->value,
-      delegateConfig.get()));
+      delegateConfig.get(),
+      chain->value,
+      excludeDevices));
 }
 
 
http://git-wip-us.apache.org/repos/asf/mesos/blob/fba4c1e8/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.hpp ----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.hpp b/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.hpp
index 8554753..b943254 100644
--- a/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.hpp
+++ b/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.hpp
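Review bot: The only validation applied to each 'excludeDevices' entry inside the foreach is that it is a JSON string, so an empty string, or a name containing whitespace or other characters that are not valid in a Linux interface name, is accepted and carried into the PortMapper; the header comment added by this same commit says these names shape the DNAT rules, so a malformed name would surface later as a malformed rule rather than as a configuration error here. Rejecting such values at the parse boundary keeps the failure consistent with the surrounding ERROR_BAD_ARGS checks, e.g. after `const string& device = value.as<JSON::String>().value;` add `if (device.empty() || device.find(' ') != string::npos) { return Error(spec::error("Invalid 'excludeDevices' entry: '" + device + "'", ERROR_BAD_ARGS)); }`. Bounding the length to IFNAMSIZ-1 characters would close the remaining gap. PortMapper::create() starts before this hunk.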
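Review bot: `chain->value` on the new argument line dereferences `chain` with no guard visible in this hunk; `chain` is defined earlier in PortMapper::create(), outside the hunk, so the dereference is only safe if that earlier code already rejects an absent or malformed 'chain' field with ERROR_BAD_ARGS the way the new excludeDevices parsing does. If it does not, an `if (!chain.isSome()) { return Error(spec::error("Missing or invalid field 'chain'", ERROR_BAD_ARGS)); }` belongs before this constructor call, since the chain name also ends up in rule text. The enclosing function begins before this hunk.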
@@ -97,7 +97,9 @@ private:
       const std::string& _cniPath, // Paths to search for CNI plugins.
       const mesos::NetworkInfo& _networkInfo,
       const std::string& _delegatePlugin,
-      const JSON::Object& _delegateConfig)
+      const JSON::Object& _delegateConfig,
+      const std::string& _chain,
+      const std::vector<std::string>& _excludeDevices)
     : cniCommand(_cniCommand),
       cniContainerId(_cniContainerId),
       cniNetNs(_cniNetNs),
@@ -106,7 +108,9 @@ private:
       cniPath(_cniPath),
       networkInfo(_networkInfo),
       delegatePlugin(_delegatePlugin),
-      delegateConfig(_delegateConfig) {};
+      delegateConfig(_delegateConfig),
+      chain(_chain),
+      excludeDevices(_excludeDevices){};
 
   const std::string cniCommand;
   const Option<std::string> cniContainerId;
@@ -114,9 +118,23 @@ private:
   const std::string cniIfName;
   const Option<std::string> cniArgs;
   const std::string cniPath;
+
   const mesos::NetworkInfo networkInfo;
+
   const std::string delegatePlugin;
   const JSON::Object delegateConfig;
+
+  // The iptable chain to which the DNAT rules need to be added. We
+  // need a separate chain, so that we can group the DNAT rules
+  // specific to this CNI network under this chain. It makes it easier
+  // for the operator to analyze the ownership of these rules if they
+  // are grouped under a chain that the operator is aware is used by
+  // the CNI plugin.
+  const std::string chain;
+
+  // List of ingress devices that should be excluded from the DNAT
+  // rules.
+  const std::vector<std::string> excludeDevices;
 };
 
 } // namespace cni {
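Review bot: `excludeDevices(_excludeDevices){};` in the second hunk drops the space before the brace that the removed line had and keeps the stray `;` after the constructor body; `excludeDevices(_excludeDevices) {}` matches the surrounding style. The header now names `std::vector<std::string>` both in the constructor signature and as a member, but none of these hunks shows an `#include <vector>`; if the include block outside the hunks does not already have one, the header compiles only through transitive inclusion and should get it explicitly. The new comment on `chain` says "iptable chain"; the tool is "iptables", so "iptables chain" reads correctly.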