conlink 2.5.6 → 2.5.8

package/README.md

@@ -2,6 +2,7 @@
 
 [![npm](https://img.shields.io/npm/v/conlink.svg)](https://www.npmjs.com/package/conlink)
 [![docker](https://img.shields.io/docker/v/lonocloud/conlink.svg)](https://hub.docker.com/r/lonocloud/conlink)
+[![Push (compose tests)](https://github.com/Viasat/conlink/actions/workflows/push.yml/badge.svg)](https://github.com/Viasat/conlink/actions/workflows/push.yml)
 
 ## Declarative Low-Level Networking for Containers
 
@@ -38,22 +39,22 @@ services:
         - {bridge: s1, ip: 10.0.1.1/24}
 ```
 
-Check out the [runnable examples](https://github.com/LonoCloud/conlink/tree/master/examples)
-for more ideas on what is possible. [This guide](https://lonocloud.github.io/conlink/#/guides/examples)
+Check out the [runnable examples](https://github.com/Viasat/conlink/tree/master/examples)
+for more ideas on what is possible. [This guide](https://viasat.github.io/conlink/#/guides/examples)
 walks through how to run each example.
 
-The [reference documentation](https://lonocloud.github.io/conlink/#/reference/network-configuration-syntax)
-contains the full list of configuration options. Be sure to also read [usage notes](https://lonocloud.github.io/conlink/#/usage-notes),
+The [reference documentation](https://viasat.github.io/conlink/#/reference/network-configuration-syntax)
+contains the full list of configuration options. Be sure to also read [usage notes](https://viasat.github.io/conlink/#/usage-notes),
 which highlight some unique aspects of using conlink-provided networking.
 
 Conlink also includes tools that make docker compose a much more
 powerful development and testing environment (refer to
-[Compose Tools](https://lonocloud.github.io/conlink/#/guides/compose-tools) for
+[Compose Tools](https://viasat.github.io/conlink/#/guides/compose-tools) for
 details):
 
-* [mdc](https://lonocloud.github.io/conlink/#/guides/compose-tools?id=mdc): modular management of multiple compose configurations
-* [wait](https://lonocloud.github.io/conlink/#/guides/compose-tools?id=wait): wait for network and file conditions before continuing
-* [copy](https://lonocloud.github.io/conlink/#/guides/compose-tools?id=copy): recursively copy files with variable templating
+* [mdc](https://viasat.github.io/conlink/#/guides/compose-tools?id=mdc): modular management of multiple compose configurations
+* [wait](https://viasat.github.io/conlink/#/guides/compose-tools?id=wait): wait for network and file conditions before continuing
+* [copy](https://viasat.github.io/conlink/#/guides/compose-tools?id=copy): recursively copy files with variable templating
 
 ## Why conlink?
 
@@ -88,7 +89,7 @@ Conlink has the following features:
 
 General:
 * docker
-* docker-compose version 1.25.4 or later.
+* docker-compose v2
 
 Other:
 * For Open vSwtich (OVS) bridging, the `openvswitch` kernel module

package/conlink

@@ -8,4 +8,4 @@ die() { echo >&2 "${*}"; exit 1; }
 
 [ -e "${NBB}" ] || die "Missing ${NBB}. Maybe run 'npm install' in ${TOP_DIR}?"
 
-exec ${NBB} -cp "${TOP_DIR}/src" -m conlink.core/main "${@}"
+NODE_PATH="${TOP_DIR}/node_modules" exec ${NBB} -cp "${TOP_DIR}/src" -m conlink.core/main "${@}"

package/docs/guides/examples.md

@@ -1,6 +1,6 @@
 # Examples
 
-The [examples](https://github.com/LonoCloud/conlink/tree/master/examples)
+The [examples](https://github.com/Viasat/conlink/tree/master/examples)
 directory contains the necessary files to follow along below.
 
 The examples also require a conlink docker image. Build the image for both
@@ -286,6 +286,9 @@ sub-interface of the same host (using VLAN ID/tag 5). Static NAT
 address/interface to the internal address/interface (dummy) where the
 web server is running.
 
+NOTE: The conlink container runs in full privileged mode in order to
+be able to create vlans in the root namespace.
+
 Create an environment file with the name of the parent host interface
 and the external IP addresses to assign to each container:
 
@@ -415,3 +418,61 @@ interfaces to be configured before continuing. Finally the `client`
 service also uses `wait` to probe the `webserver` until it accepts
 TCP connections on port 8080 before, and then it starts its main loop
 that repeatedly requests a templated file from the `webserver`.
+
+## test12: kubernetes (k3s)
+
+This example demonstrates the use of a kubernetes k3s cluster running
+in conlink and communicating with other compose services. It also
+leverage multiple `mdc` modes/modules and the `wait` command.
+
+NOTE: The k3s containers run in full privileged mode in order to use
+overlayfs mounts inside the containers. The conlink container must
+also run in privileged mode in order to create veth endpoints in the
+k3s containers.
+
+For convenience, export `MODES_DIR` and create a KUBECTL function that
+will run kubectl in the `k3s-server` container.
+
+```
+export MODES_DIR=./examples/test12-k3s/modes
+KUBECTL() { ./mdc k3s exec k3s-server kubectl "${@}"; }
+```
+
+Start the test12 compose configuration:
+
+```
+./mdc k3s up --build --force-recreate -d
+```
+
+Wait until the nodes are up and the kube-system pods are "Running":
+
+```
+KUBECTL get -w nodes
+KUBECTL get -w pods -A
+```
+
+Deploy an nginx web proxy that will forward web requests to port 8080
+of the top-level `test-server` service (non-kubernetes).
+
+```
+KUBECTL apply -f /test/k3s-web-proxy.yaml
+```
+
+Get the IP of the deployed web-proxy service:
+
+```
+SVC_IP=$(KUBECTL -n nettest get svc/web-proxy -o jsonpath='{.spec.clusterIP}')
+```
+
+From the `test-client` container, do an HTTP GET request to the
+`test-server` container via the k3s deployed nginx proxy:
+
+```
+./mdc k3s exec test-client wget -q -O- http://${SVC_IP}:80/README.md | head -n10
+```
+
+Show the logs of all non-probe web requests to the proxy:
+
+```
+KUBECTL -n nettest logs deploy/web-proxy | grep -v kube-probe
+```

package/docs/index.html

@@ -14,8 +14,8 @@
   <script>
     window.$docsify = {
       name: 'conlink',
-      repo: 'LonoCloud/conlink',
-      homepage: 'https://raw.githubusercontent.com/LonoCloud/conlink/master/README.md',
+      repo: 'Viasat/conlink',
+      homepage: 'https://raw.githubusercontent.com/Viasat/conlink/master/README.md',
       // Uncomment to follow a symlink to root README.md and test rendering locally
       //homepage: '_render-local-README.md',
 

package/examples/test12-k3s/k3s-init.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+set -eu
+
+ROLE=$1; shift
+
+# Point CRI’s default CNI paths at where k3s actually puts them
+mkdir -p /opt/cni /etc/cni
+ln -sfn /var/lib/rancher/k3s/data/cni                 /opt/cni/bin
+ln -sfn /var/lib/rancher/k3s/agent/etc/cni/net.d      /etc/cni/net.d
+
+mkdir -p /var/lib/rancher/k3s/agent/etc/containerd/
+cat > /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl <<EOF
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+  SystemdCgroup = false
+
+[plugins."io.containerd.grpc.v1.cri".cni]
+  bin_dir  = "/var/lib/rancher/k3s/data/cni"
+  conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d"
+EOF
+
+K3S_ARGS=""
+# Common kubelet arguments to fix cgroup issues
+# NOTE: still has periodic "Failed to kill all the processes attached to cgroup" log message
+K3S_ARGS="${K3S_ARGS} --kubelet-arg=cgroup-driver=cgroupfs"
+K3S_ARGS="${K3S_ARGS} --kubelet-arg=feature-gates=KubeletInUserNamespace=true"
+K3S_ARGS="${K3S_ARGS} --kubelet-arg=fail-swap-on=false"
+K3S_ARGS="${K3S_ARGS} --kubelet-arg=cgroup-root=/"
+K3S_ARGS="${K3S_ARGS} --kubelet-arg=runtime-cgroups=/systemd/system.slice"
+K3S_ARGS="${K3S_ARGS} --kubelet-arg=kubelet-cgroups=/systemd/system.slice"
+
+echo exec k3s "${ROLE}" ${K3S_ARGS} "$@"
+exec k3s "${ROLE}" ${K3S_ARGS} "$@"
+

package/examples/test12-k3s/k3s-web-proxy.yaml

@@ -0,0 +1,82 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nettest
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: web-proxy-nginx
+  namespace: nettest
+data:
+  nginx.conf: |
+    events {}
+    http {
+      # Structured access log to stdout so you can `kubectl logs -f`
+      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
+                      'upstream=$upstream_addr upstream_status=$upstream_status '
+                      'rt=$request_time urt=$upstream_response_time';
+      access_log /dev/stdout main;
+      error_log  /dev/stderr warn;
+
+      server {
+        listen 80;
+        location / {
+          proxy_pass http://10.200.0.11:8080;
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_connect_timeout 2s;
+          proxy_read_timeout 10s;
+        }
+      }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web-proxy
+  namespace: nettest
+spec:
+  replicas: 1                   # start with 1 for easier tracing
+  selector:
+    matchLabels: { app: web-proxy }
+  template:
+    metadata:
+      labels: { app: web-proxy }
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.27-alpine
+          ports: [ { containerPort: 80, name: http } ]
+          volumeMounts:
+            - name: cfg
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+          readinessProbe:
+            httpGet: { path: /, port: http }
+            initialDelaySeconds: 2
+            periodSeconds: 3
+          livenessProbe:
+            httpGet: { path: /, port: http }
+            initialDelaySeconds: 5
+            periodSeconds: 10
+      volumes:
+        - name: cfg
+          configMap: { name: web-proxy-nginx }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: web-proxy
+  namespace: nettest
+spec:
+  selector: { app: web-proxy }
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+  type: ClusterIP
+

package/examples/test12-k3s/modes/base/compose.yaml

@@ -0,0 +1,22 @@
+services:
+  extract-utils:
+    build: {context: .}
+    user: ${USER_ID:-0}:${GROUP_ID:-0}
+    network_mode: none
+    volumes:
+      - ./utils:/conlink_utils
+    command: cp /utils/wait /utils/wait.sh /utils/copy /utils/copy.sh /utils/echo /conlink_utils/
+
+  network:
+    build: {context: .}
+    pid: host
+    network_mode: none
+    #cap_add: [SYS_ADMIN, NET_ADMIN, SYS_NICE, NET_BROADCAST, IPC_LOCK]
+    privileged: true
+    security_opt: [ 'apparmor:unconfined' ] # needed on Ubuntu 18.04
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/lib/docker:/var/lib/docker
+      - ./:/test
+    working_dir: /test
+    command: /app/build/conlink.js --compose-file ${COMPOSE_FILE:?COMPOSE_FILE must be set}

package/examples/test12-k3s/modes/k3s/compose.yaml

@@ -0,0 +1,73 @@
+x-network:
+  bridges:
+    - { bridge: k0, mode: linux }
+  links:
+    - { service: k3s-server,   bridge: k0, dev: eth1, ip: 10.200.0.1/24 }
+    - { service: k3s-agent-1,  bridge: k0, dev: eth1, ip: 10.200.0.2/24 }
+    - { service: k3s-agent-2,  bridge: k0, dev: eth1, ip: 10.200.0.3/24 }
+    - { service: test-client,  bridge: k0, dev: eth1, ip: 10.200.0.10/24,
+        route: ["10.42.0.0/15 via 10.200.0.2 dev eth1"] }
+    - { service: test-server,  bridge: k0, dev: eth1, ip: 10.200.0.11/24,
+        route: ["10.42.0.0/15 via 10.200.0.2 dev eth1"] }
+
+x-k3s-base: &k3s-base
+    depends_on: {extract-utils: {condition: service_completed_successfully}}
+    image: rancher/k3s:latest
+    privileged: true
+    cgroup: host
+    volumes:
+      - ./utils:/utils:ro
+      - /dev:/dev
+      - ./examples/test12-k3s/:/test:ro
+      # cgroup quirks
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      # To write kubeconfig to the host
+      #- ./k3s-output:/output
+    entrypoint: /utils/wait -i eth1 -- /test/k3s-init.sh
+
+services:
+  # Main k3s server
+  k3s-server:
+    <<: *k3s-base
+    hostname: k3s-server
+    # To expose kubernetes control API on the host
+    #ports:
+    #  - "6443:6443" # kubernetes API
+    environment:
+      # To write kubeconfig on host for external kubectl
+      #- K3S_KUBECONFIG_OUTPUT=/output/kubeconfig.yaml
+      #- K3S_KUBECONFIG_MODE=644
+      # fixed token for adding agents
+      - K3S_TOKEN=changeme-secret-token
+    command: server --disable=traefik --disable=servicelb
+
+  # k3s Agents
+  k3s-agent-1:
+    <<: *k3s-base
+    hostname: k3s-agent-1
+    environment:
+      - K3S_URL=https://k3s-server:6443
+      - K3S_TOKEN=changeme-secret-token
+    command: agent
+
+  k3s-agent-2:
+    <<: *k3s-base
+    hostname: k3s-agent-2
+    environment:
+      - K3S_URL=https://k3s-server:6443
+      - K3S_TOKEN=changeme-secret-token
+    command: agent
+
+  ### For testing two way communication
+  test-client:
+    image: alpine
+    network_mode: none
+    command: sleep infinity
+
+  test-server:
+    image: python
+    network_mode: none
+    volumes:
+      - ./:/top
+    working_dir: /top
+    command: python3 -m http.server 8080

package/examples/test12-k3s/modes/k3s/deps

@@ -0,0 +1 @@
+base

package/examples/test6-cfn.yaml

@@ -89,7 +89,7 @@ Resources:
 
         ## Download conlink image and repo
         docker pull lonocloud/conlink
-        git clone https://github.com/LonoCloud/conlink /root/conlink
+        git clone https://github.com/Viasat/conlink /root/conlink
         cd /root/conlink
 
         #cfn-signal -e 0 --stack ${AWS::StackName} --region ${AWS::Region} --resource WaitHandle

package/mdc

@@ -15,7 +15,7 @@ ENV_FILE="${ENV_FILE:-.env}"
 MDC_FILES_DIR="${MDC_FILES_DIR:-./.files}"
 LS=$(which ls)
 RESOLVE_DEPS="${RESOLVE_DEPS-./node_modules/@lonocloud/resolve-deps/resolve-deps.py}"
-DOCKER_COMPOSE="${DOCKER_COMPOSE:-docker-compose}"
+DOCKER_COMPOSE="${DOCKER_COMPOSE:-docker compose}"
 
 which ${RESOLVE_DEPS} >/dev/null 2>/dev/null \
   || die "Missing ${RESOLVE_DEPS}. Perhaps 'npm install'?"

package/package.json

@@ -1,20 +1,20 @@
 {
   "name": "conlink",
-  "version": "2.5.6",
+  "version": "2.5.8",
   "description": "conlink -  Declarative Low-Level Networking for Containers",
-  "repository": "https://github.com/LonoCloud/conlink",
+  "repository": "https://github.com/Viasat/conlink",
   "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
     "@lonocloud/resolve-deps": "^0.1.0",
     "ajv": "^8.12.0",
-    "dockerode": "^3.3.4",
+    "dockerode": "^4.0.9",
     "nbb": "^1.2.179",
     "neodoc": "^2.0.2",
     "ts-graphviz": "^1.8.1",
     "yaml": "^2.2.1"
   },
   "devDependencies": {
-    "@lonocloud/dctest": "^0.3.1",
+    "@lonocloud/dctest": "^0.5.0",
     "docsify-cli": "^4.4.4",
     "shadow-cljs": "^2.25.7",
     "source-map-support": "^0.5.21"

package/scripts/copy.sh

@@ -25,7 +25,7 @@ dst_dir="${1}"; shift || die 2 "Usage: ${0} [-T|--template] SRC_DIR DST_DIR"
   echo cp -a "${src}" "${dst}"
   cp -a "${src}" "${dst}" || die 1 "Failed to copy file"
   # TODO: make this configurable
-  chown root.root "${dst}" || die 1 "Unable to set ownership"
+  chown root:root "${dst}" || die 1 "Unable to set ownership"
   chmod +w "${dst}" || die 1 "Unable to make writable"
 
   [ -z "${TEMPLATE}" ] && continue

package/src/conlink/addrs.cljc

@@ -6,7 +6,7 @@
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Network Address functions
-;; - based on github.com/LonoCloud/clj-protocol
+;; - based on github.com/Viasat/clj-protocol
 
 (defn num->string [n base]
   #?(:cljs  (.toString n base)

package/src/conlink/core.cljs

@@ -680,6 +680,21 @@ General Options:
         client)
       #(warn "Could not start docker client on '" path "': " %))))
 
+(defn docker-event-stream-handler
+  "Handle docker event stream chunks (newline-delimited JSON)."
+  [event-callback buf-atom chunk]
+  (let [data (str @buf-atom (.toString chunk "utf8"))
+        parts (js->clj (.split data "\n"))
+        tail (last parts)
+        events (butlast parts)]
+    (reset! buf-atom tail)
+    (doseq [line events
+            :when (not (S/blank? line))]
+      (try
+        (event-callback (->clj (js/JSON.parse line)))
+        (catch :default e
+          ((:error @ctx) "Could not parse docker event" line e))))))
+
 (defn docker-listen
   "Listen for docker events from 'client' that match filter 'filters'.
   Calls 'event-callback' function with each decoded event map."
@@ -688,11 +703,15 @@ General Options:
     (P/catch
       (P/let
         [ev-stream ^obj (.getEvents client #js {:filters (json-str filters)})
+         buf (atom "")
          _ ^obj (.on ev-stream "data"
-                     #(event-callback client (->clj (js/JSON.parse %))))]
+                     (partial docker-event-stream-handler
+                              (partial event-callback client)
+                              buf))]
         ev-stream)
       #(error "Could not start docker listener"))))
 
+
 (defn link-repr [{:keys [type dev remote outer-dev bridge ip dev-id]}]
   (str dev-id
        (if remote
@@ -788,19 +807,23 @@ General Options:
   the links for that container and then run any commmands defined for
   the container. Finally call all-connected-check to check and notify
   if all containers/services are connected."
-  [client {:keys [status id]}]
+  [client {:keys [status id] :as evt}]
   (P/let
     [{:keys [log info network-config network-state compose-opts self-pid]} @ctx
-     container-obj (get-container client id)
-     container-data (if (= "die" status)
-                      (P/let [ci (get-in network-state [:containers id])]
-                        (swap! ctx update-in [:network-state :containers]
-                               dissoc id)
-                        ci)
-                      (P/let [ci (query-container-data container-obj)]
-                        (swap! ctx update-in [:network-state :containers]
-                               assoc id ci)
-                        ci))
+     status (or status (:Action evt))
+     id (or id (:ID evt) (get-in evt [:Actor :ID]) (get-in evt [:Actor :id]))
+     container-obj (when (and status id) (get-container client id))
+     container-data (if (or (not status) (not id))
+                      nil
+                      (if (= "die" status)
+                        (P/let [ci (get-in network-state [:containers id])]
+                          (swap! ctx update-in [:network-state :containers]
+                                 dissoc id)
+                          ci)
+                        (P/let [ci (query-container-data container-obj)]
+                          (swap! ctx update-in [:network-state :containers]
+                                 assoc id ci)
+                          ci)))
      {cname :name clabels :labels} container-data
 
      svc-match? (and (let [p (:project compose-opts)]
@@ -812,19 +835,21 @@ General Options:
                 (get-in network-config [:services (:service clabels)]))
      links (concat (:links containers) (:links services))
      commands (concat (:commands containers) (:commands services))]
-    (if (and (not (seq links)) (not (seq commands)))
-      (info (str "Event: no matching config for " cname ", ignoring"))
-      (P/do
-        (info "Event:" status cname id)
-        (P/all (for [link links
-                     :let [link (link-instance-enrich
-                                  link container-data self-pid)]]
-                 (modify-link link status)))
-        (when (= "start" status)
-          (P/all (for [{:keys [command]} commands]
-                   (exec-command cname container-obj command))))
-
-        (all-connected-check)))))
+    (if (or (not status) (not id))
+      nil
+      (if (and (not (seq links)) (not (seq commands)))
+        (info (str "Event: no matching config for " cname ", ignoring"))
+        (P/do
+          (info "Event:" status cname id)
+          (P/all (for [link links
+                       :let [link (link-instance-enrich
+                                    link container-data self-pid)]]
+                   (modify-link link status)))
+          (when (= "start" status)
+            (P/all (for [{:keys [command]} commands]
+                     (exec-command cname container-obj command))))
+
+          (all-connected-check))))))
 
 (defn exit-handler
   "When the process is exiting, delete all links and bridges that are

package/test/test12.yaml

@@ -0,0 +1,50 @@
+name: "test12: k3s (kubernetes) and nginx proxy"
+
+env:
+  DC: "${{ process.env.DOCKER_COMPOSE || 'docker compose' }}"
+  MODES_DIR: examples/test12-k3s/modes
+
+tests:
+  test12:
+    name: "deploy and test nginx proxy in k3s (kubernetes)"
+    steps:
+      - exec: :host
+        run: |
+          ./mdc k3s
+          ${DC} down --remove-orphans --volumes -t1
+          ${DC} up -d --force-recreate
+
+      # Wait for conlink and k3s to start up
+      - exec: :host
+        run: |
+          echo "waiting for conlink startup"
+          ${DC} logs network | grep "All links connected"
+        repeat: { retries: 30, interval: '1s' }
+      - exec: k3s-server
+        run: kubectl get nodes 2>/dev/null | grep -c ' Ready ' | grep "^[345]"
+        repeat: { retries: 30, interval: '2s' }
+      - exec: k3s-server
+        run: kubectl get pods -n kube-system 2>/dev/null | grep -c ' Running ' | grep "^[345]"
+        repeat: { retries: 30, interval: '2s' }
+
+      # apply the proxy
+      - exec: k3s-server
+        run: |
+          kubectl apply -f /test/k3s-web-proxy.yaml
+
+      # test two-way traffic through the proxy
+      - id: svc_ip
+        exec: k3s-server
+        run: |
+          kubectl -n nettest get svc/web-proxy -o jsonpath='{.spec.clusterIP}'
+        outputs:
+          SVC_IP: ${{ step.stdout }}
+      - exec: test-client
+        run: |
+          set -o pipefail
+          URL=http://${{ steps['svc_ip'].outputs.SVC_IP }}:80/README.md
+          wget -q -O- ${URL} | head -n10
+        repeat: { retries: 5, interval: '3s' }
+
+      - exec: :host
+        run: ${DC} down --remove-orphans --volumes -t1