Windows Support

Patch for https://github.com/containernetworking/plugins/pull/85

+ Windows cni plugins are added
   (*) win-bridge (hostgw)
   (*) win-overlay (vxlan)
+ Windows netconf unit test
+ Fix appveyor config to run the test
+ Build release support for windows plugins

Address comments

From:
    - https://github.com/containernetworking/plugins/pull/85
    - 0049c64e3f

pkg/hns/endpoint_windows.go

@@ -0,0 +1,152 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package hns
+
+import (
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/Microsoft/hcsshim"
+	"github.com/containernetworking/cni/pkg/types/current"
+	"github.com/juju/errors"
+)
+
+const (
+	pauseContainerNetNS = "none"
+)
+
+// GetSandboxContainerID returns the sandbox ID of this pod
+func GetSandboxContainerID(containerID string, netNs string) string {
+	if len(netNs) != 0 && netNs != pauseContainerNetNS {
+		splits := strings.SplitN(netNs, ":", 2)
+		if len(splits) == 2 {
+			containerID = splits[1]
+		}
+	}
+
+	return containerID
+}
+
+// ConstructEndpointName constructs enpointId which is used to identify an endpoint from HNS
+// There is a special consideration for netNs name here, which is required for Windows Server 1709
+// containerID is the Id of the container on which the endpoint is worked on
+func ConstructEndpointName(containerID string, netNs string, networkName string) string {
+	return GetSandboxContainerID(containerID, netNs) + "_" + networkName
+}
+
+// DeprovisionEndpoint removes an endpoint from the container by sending a Detach request to HNS
+// For shared endpoint, ContainerDetach is used
+// for removing the endpoint completely, HotDetachEndpoint is used
+func DeprovisionEndpoint(epName string, netns string, containerID string) error {
+	if len(netns) == 0 {
+		return nil
+	}
+
+	hnsEndpoint, err := hcsshim.GetHNSEndpointByName(epName)
+	if err != nil {
+		return errors.Annotatef(err, "failed to find HNSEndpoint %s", epName)
+	}
+
+	if netns != pauseContainerNetNS {
+		// Shared endpoint removal. Do not remove the endpoint.
+		hnsEndpoint.ContainerDetach(containerID)
+		return nil
+	}
+
+	// Do not consider this as failure, else this would leak endpoints
+	hcsshim.HotDetachEndpoint(containerID, hnsEndpoint.Id)
+
+	// Do not return error
+	hnsEndpoint.Delete()
+
+	return nil
+}
+
+type EndpointMakerFunc func() (*hcsshim.HNSEndpoint, error)
+
+// ProvisionEndpoint provisions an endpoint to a container specified by containerID.
+// If an endpoint already exists, the endpoint is reused.
+// This call is idempotent
+func ProvisionEndpoint(epName string, expectedNetworkId string, containerID string, makeEndpoint EndpointMakerFunc) (*hcsshim.HNSEndpoint, error) {
+	// check if endpoint already exists
+	createEndpoint := true
+	hnsEndpoint, err := hcsshim.GetHNSEndpointByName(epName)
+	if hnsEndpoint != nil && hnsEndpoint.VirtualNetwork == expectedNetworkId {
+		createEndpoint = false
+	}
+
+	if createEndpoint {
+		if hnsEndpoint != nil {
+			if _, err = hnsEndpoint.Delete(); err != nil {
+				return nil, errors.Annotate(err, "failed to delete the stale HNSEndpoint")
+			}
+		}
+
+		if hnsEndpoint, err = makeEndpoint(); err != nil {
+			return nil, errors.Annotate(err, "failed to make a new HNSEndpoint")
+		}
+
+		if hnsEndpoint, err = hnsEndpoint.Create(); err != nil {
+			return nil, errors.Annotate(err, "failed to create the new HNSEndpoint")
+		}
+
+	}
+
+	// hot attach
+	if err := hcsshim.HotAttachEndpoint(containerID, hnsEndpoint.Id); err != nil {
+		if hcsshim.ErrComputeSystemDoesNotExist == err {
+			return hnsEndpoint, nil
+		}
+
+		return nil, err
+	}
+
+	return hnsEndpoint, nil
+}
+
+// ConstructResult constructs the CNI result for the endpoint
+func ConstructResult(hnsNetwork *hcsshim.HNSNetwork, hnsEndpoint *hcsshim.HNSEndpoint) (*current.Result, error) {
+	resultInterface := &current.Interface{
+		Name: hnsEndpoint.Name,
+		Mac:  hnsEndpoint.MacAddress,
+	}
+	_, ipSubnet, err := net.ParseCIDR(hnsNetwork.Subnets[0].AddressPrefix)
+	if err != nil {
+		return nil, errors.Annotatef(err, "failed to parse CIDR from %s", hnsNetwork.Subnets[0].AddressPrefix)
+	}
+
+	var ipVersion string
+	if ipv4 := hnsEndpoint.IPAddress.To4(); ipv4 != nil {
+		ipVersion = "4"
+	} else if ipv6 := hnsEndpoint.IPAddress.To16(); ipv6 != nil {
+		ipVersion = "6"
+	} else {
+		return nil, fmt.Errorf("IPAddress of HNSEndpoint %s isn't a valid ipv4 or ipv6 Address", hnsEndpoint.Name)
+	}
+
+	resultIPConfig := &current.IPConfig{
+		Version: ipVersion,
+		Address: net.IPNet{
+			IP:   hnsEndpoint.IPAddress,
+			Mask: ipSubnet.Mask},
+		Gateway: net.ParseIP(hnsEndpoint.GatewayAddress),
+	}
+	result := &current.Result{}
+	result.Interfaces = []*current.Interface{resultInterface}
+	result.IPs = []*current.IPConfig{resultIPConfig}
+
+	return result, nil
+}

pkg/hns/netconf.go

@@ -0,0 +1,152 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package hns
+
+import (
+	"encoding/json"
+	"strings"
+
+	"bytes"
+	"github.com/buger/jsonparser"
+	"github.com/containernetworking/cni/pkg/types"
+)
+
+// NetConf is the CNI spec
+type NetConf struct {
+	types.NetConf
+
+	Policies []policy `json:"policies,omitempty"`
+}
+
+type policy struct {
+	Name  string          `json:"name"`
+	Value json.RawMessage `json:"value"`
+}
+
+// MarshalPolicies converts the Endpoint policies in Policies
+// to HNS specific policies as Json raw bytes
+func (n *NetConf) MarshalPolicies() []json.RawMessage {
+	if n.Policies == nil {
+		n.Policies = make([]policy, 0)
+	}
+
+	result := make([]json.RawMessage, 0, len(n.Policies))
+	for _, p := range n.Policies {
+		if !strings.EqualFold(p.Name, "EndpointPolicy") {
+			continue
+		}
+
+		result = append(result, p.Value)
+	}
+
+	return result
+}
+
+// ApplyOutboundNatPolicy applies NAT Policy in VFP using HNS
+// Simultaneously an exception is added for the network that has to be Nat'd
+func (n *NetConf) ApplyOutboundNatPolicy(nwToNat string) {
+	if n.Policies == nil {
+		n.Policies = make([]policy, 0)
+	}
+
+	nwToNatBytes := []byte(nwToNat)
+
+	for i, p := range n.Policies {
+		if !strings.EqualFold(p.Name, "EndpointPolicy") {
+			continue
+		}
+
+		typeValue, err := jsonparser.GetUnsafeString(p.Value, "Type")
+		if err != nil || len(typeValue) == 0 {
+			continue
+		}
+
+		if !strings.EqualFold(typeValue, "OutBoundNAT") {
+			continue
+		}
+
+		exceptionListValue, dt, _, _ := jsonparser.Get(p.Value, "ExceptionList")
+		// OutBoundNAT must with ExceptionList, so don't need to judge jsonparser.NotExist
+		if dt == jsonparser.Array {
+			buf := bytes.Buffer{}
+			buf.WriteString(`{"Type": "OutBoundNAT", "ExceptionList": [`)
+
+			jsonparser.ArrayEach(exceptionListValue, func(value []byte, dataType jsonparser.ValueType, offset int, err error) {
+				if dataType == jsonparser.String && len(value) != 0 {
+					if bytes.Compare(value, nwToNatBytes) != 0 {
+						buf.WriteByte('"')
+						buf.Write(value)
+						buf.WriteByte('"')
+						buf.WriteByte(',')
+					}
+				}
+			})
+
+			buf.WriteString(`"` + nwToNat + `"]}`)
+
+			n.Policies[i] = policy{
+				Name:  "EndpointPolicy",
+				Value: buf.Bytes(),
+			}
+		} else {
+			n.Policies[i] = policy{
+				Name:  "EndpointPolicy",
+				Value: []byte(`{"Type": "OutBoundNAT", "ExceptionList": ["` + nwToNat + `"]}`),
+			}
+		}
+
+		return
+	}
+
+	// didn't find the policyArg, add it
+	n.Policies = append(n.Policies, policy{
+		Name:  "EndpointPolicy",
+		Value: []byte(`{"Type": "OutBoundNAT", "ExceptionList": ["` + nwToNat + `"]}`),
+	})
+}
+
+// ApplyDefaultPAPolicy is used to configure a endpoint PA policy in HNS
+func (n *NetConf) ApplyDefaultPAPolicy(paAddress string) {
+	if n.Policies == nil {
+		n.Policies = make([]policy, 0)
+	}
+
+	// if its already present, leave untouched
+	for i, p := range n.Policies {
+		if !strings.EqualFold(p.Name, "EndpointPolicy") {
+			continue
+		}
+
+		paValue, dt, _, _ := jsonparser.Get(p.Value, "PA")
+		if dt == jsonparser.NotExist {
+			continue
+		} else if dt == jsonparser.String && len(paValue) != 0 {
+			// found it, don't override
+			return
+		}
+
+		n.Policies[i] = policy{
+			Name:  "EndpointPolicy",
+			Value: []byte(`{"Type": "PA", "PA": "` + paAddress + `"}`),
+		}
+		return
+	}
+
+	// didn't find the policyArg, add it
+	n.Policies = append(n.Policies, policy{
+		Name:  "EndpointPolicy",
+		Value: []byte(`{"Type": "PA", "PA": "` + paAddress + `"}`),
+	})
+}

pkg/hns/netconf_suite_test.go

@@ -0,0 +1,26 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package hns
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"testing"
+)
+
+func TestHns(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "HNS NetConf Suite")
+}

pkg/hns/netconf_test.go

@@ -0,0 +1,189 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package hns
+
+import (
+	"encoding/json"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("HNS NetConf", func() {
+	Describe("ApplyOutBoundNATPolicy", func() {
+		Context("when not set by user", func() {
+			It("sets it by adding a policy", func() {
+
+				// apply it
+				n := NetConf{}
+				n.ApplyOutboundNatPolicy("192.168.0.0/16")
+
+				addlArgs := n.Policies
+				Expect(addlArgs).Should(HaveLen(1))
+
+				policy := addlArgs[0]
+				Expect(policy.Name).Should(Equal("EndpointPolicy"))
+
+				value := make(map[string]interface{})
+				json.Unmarshal(policy.Value, &value)
+
+				Expect(value).Should(HaveKey("Type"))
+				Expect(value).Should(HaveKey("ExceptionList"))
+				Expect(value["Type"]).Should(Equal("OutBoundNAT"))
+
+				exceptionList := value["ExceptionList"].([]interface{})
+				Expect(exceptionList).Should(HaveLen(1))
+				Expect(exceptionList[0].(string)).Should(Equal("192.168.0.0/16"))
+			})
+		})
+
+		Context("when set by user", func() {
+			It("appends exceptions to the existing policy", func() {
+				// first set it
+				n := NetConf{}
+				n.ApplyOutboundNatPolicy("192.168.0.0/16")
+
+				// then attempt to update it
+				n.ApplyOutboundNatPolicy("10.244.0.0/16")
+
+				// it should be unchanged!
+				addlArgs := n.Policies
+				Expect(addlArgs).Should(HaveLen(1))
+
+				policy := addlArgs[0]
+				Expect(policy.Name).Should(Equal("EndpointPolicy"))
+
+				var value map[string]interface{}
+				json.Unmarshal(policy.Value, &value)
+
+				Expect(value).Should(HaveKey("Type"))
+				Expect(value).Should(HaveKey("ExceptionList"))
+				Expect(value["Type"]).Should(Equal("OutBoundNAT"))
+
+				exceptionList := value["ExceptionList"].([]interface{})
+				Expect(exceptionList).Should(HaveLen(2))
+				Expect(exceptionList[0].(string)).Should(Equal("192.168.0.0/16"))
+				Expect(exceptionList[1].(string)).Should(Equal("10.244.0.0/16"))
+			})
+		})
+	})
+
+	Describe("ApplyDefaultPAPolicy", func() {
+		Context("when not set by user", func() {
+			It("sets it by adding a policy", func() {
+
+				n := NetConf{}
+				n.ApplyDefaultPAPolicy("192.168.0.1")
+
+				addlArgs := n.Policies
+				Expect(addlArgs).Should(HaveLen(1))
+
+				policy := addlArgs[0]
+				Expect(policy.Name).Should(Equal("EndpointPolicy"))
+
+				value := make(map[string]interface{})
+				json.Unmarshal(policy.Value, &value)
+
+				Expect(value).Should(HaveKey("Type"))
+				Expect(value["Type"]).Should(Equal("PA"))
+
+				paAddress := value["PA"].(string)
+				Expect(paAddress).Should(Equal("192.168.0.1"))
+			})
+		})
+
+		Context("when set by user", func() {
+			It("does not override", func() {
+				n := NetConf{}
+				n.ApplyDefaultPAPolicy("192.168.0.1")
+				n.ApplyDefaultPAPolicy("192.168.0.2")
+
+				addlArgs := n.Policies
+				Expect(addlArgs).Should(HaveLen(1))
+
+				policy := addlArgs[0]
+				Expect(policy.Name).Should(Equal("EndpointPolicy"))
+
+				value := make(map[string]interface{})
+				json.Unmarshal(policy.Value, &value)
+
+				Expect(value).Should(HaveKey("Type"))
+				Expect(value["Type"]).Should(Equal("PA"))
+
+				paAddress := value["PA"].(string)
+				Expect(paAddress).Should(Equal("192.168.0.1"))
+				Expect(paAddress).ShouldNot(Equal("192.168.0.2"))
+			})
+		})
+	})
+
+	Describe("MarshalPolicies", func() {
+		Context("when not set by user", func() {
+			It("sets it by adding a policy", func() {
+
+				n := NetConf{
+					Policies: []policy{
+						{
+							Name:  "EndpointPolicy",
+							Value: []byte(`{"someKey": "someValue"}`),
+						},
+						{
+							Name:  "someOtherType",
+							Value: []byte(`{"someOtherKey": "someOtherValue"}`),
+						},
+					},
+				}
+
+				result := n.MarshalPolicies()
+				Expect(len(result)).To(Equal(1))
+
+				policy := make(map[string]interface{})
+				err := json.Unmarshal(result[0], &policy)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(policy).Should(HaveKey("someKey"))
+				Expect(policy["someKey"]).To(Equal("someValue"))
+			})
+		})
+
+		Context("when set by user", func() {
+			It("appends exceptions to the existing policy", func() {
+				// first set it
+				n := NetConf{}
+				n.ApplyOutboundNatPolicy("192.168.0.0/16")
+
+				// then attempt to update it
+				n.ApplyOutboundNatPolicy("10.244.0.0/16")
+
+				// it should be unchanged!
+				addlArgs := n.Policies
+				Expect(addlArgs).Should(HaveLen(1))
+
+				policy := addlArgs[0]
+				Expect(policy.Name).Should(Equal("EndpointPolicy"))
+
+				var value map[string]interface{}
+				json.Unmarshal(policy.Value, &value)
+
+				Expect(value).Should(HaveKey("Type"))
+				Expect(value).Should(HaveKey("ExceptionList"))
+				Expect(value["Type"]).Should(Equal("OutBoundNAT"))
+
+				exceptionList := value["ExceptionList"].([]interface{})
+				Expect(exceptionList).Should(HaveLen(2))
+				Expect(exceptionList[0].(string)).Should(Equal("192.168.0.0/16"))
+				Expect(exceptionList[1].(string)).Should(Equal("10.244.0.0/16"))
+			})
+		})
+	})
+})