Add support for networking inside bocker containers

README.md

@@ -17,32 +17,39 @@ The following packages are needed to run bocker.
 
 Because most distributions do not ship a new enough version of util-linux you will probably need grab the sources from [here](https://www.kernel.org/pub/linux/utils/util-linux/v2.25/) and compile it yourself.
 
-Additionally `/var/bocker` needs to be on a btrfs filesystem.
+Additionally your system will need to be configured with the following.
+
+* A btrfs filesystem mounted under `/var/bocker`
+* A network bridge called `bridge0` and an IP of 10.0.0.1/24
+* IP forwarding enabled in `/proc/sys/net/ipv4/ip_forward`
+* A firewall routing traffic from `bridge0` to a physical interface.
 
 For ease of use a Vagrantfile is included which will build the needed environment.
 
+Even if you meet the above prerequisites you probably still want to **run bocker in a virtual machine**. Bocker runs as root and among other things needs to make changes to your network interfaces, routing table, and firewall rules. **I can make no guarantees that it wont trash your system**.
+
 ## Example Usage
 
 ```
-$ ./bocker init base-image/
+$ bocker init base-image/
-img_e6b698c1-513d-4a40-807c-23b0fe54353a
+img_74432
 
-$ ./bocker images
+$ bocker images
 IMAGE_ID
-img_e6b698c1-513d-4a40-807c-23b0fe54353a
+img_74432
 
-$ ./bocker run img_e6b698c1-513d-4a40-807c-23b0fe54353a uname -sro
+$ bocker run img_74432 uname -sro
 Linux 3.10.0-123.20.1.el7.x86_64 GNU/Linux
 
-$ ./bocker ps
+$ bocker ps
-CONTAINER_ID					            COMMAND
+CONTAINER_ID       COMMAND
-ps_349bf646-06cf-4d98-bcf8-744f59e7e6bb		uname -sro
+ps_43529           uname -sro
 
-$ ./bocker rm ps_349bf646-06cf-4d98-bcf8-744f59e7e6bb
+$ bocker rm ps_43529
-ps_349bf646-06cf-4d98-bcf8-744f59e7e6bb
+ps_43529
 
-$ ./bocker rm img_e6b698c1-513d-4a40-807c-23b0fe54353a
+$ bocker rm img_74432
-img_e6b698c1-513d-4a40-807c-23b0fe54353a
+img_74432
 ```
 
 ## Functionality: Currently Implemented
@@ -52,12 +59,13 @@ img_e6b698c1-513d-4a40-807c-23b0fe54353a
 * `docker ps`
 * `docker run`
 * `docker rm` / `docker rmi`
+* Networking
 
 † `bocker init` provides a very limited implemetation of `docker build`
 
 ## Functionality: Not Yet Implemented
 
-* Networking
+* DNS
 * Port Forwarding
 * Data Volumes
 * Data Volume Containers

Vagrantfile

@@ -10,8 +10,8 @@ mount -o loop ~/btrfs.img /var/bocker
 
 pip install git+https://github.com/larsks/undocker
 systemctl start docker.service
-docker pull busybox
+docker pull centos
-docker save busybox | undocker -o base-image
+docker save centos | undocker -o base-image
 
 git clone https://github.com/karelzak/util-linux.git
 cd util-linux
@@ -23,6 +23,15 @@ mv unshare /usr/bin/unshare
 cd ..
 
 ln -s /vagrant/bocker /usr/bin/bocker
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+iptables --flush
+iptables -t nat -A POSTROUTING -o bridge0 -j MASQUERADE
+iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
+
+ip link add bridge0 type bridge
+ip addr add 10.0.0.1/24 dev bridge0
+ip link set bridge0 up
 ) 2>&1
 SCRIPT
 

bocker

@@ -1,9 +1,8 @@
 #!/usr/bin/env bash
 set -o errexit -o nounset -o pipefail; shopt -s nullglob
 
-btrfs_path='/var/bocker';
+btrfs_path='/var/bocker'; basename=$(which basename); btrfs=$(which btrfs);
-basename=$(which basename);	btrfs=$(which btrfs);	cat=$(which cat);
+cat=$(which cat);         unshare=$(which unshare);   chroot=$(which chroot)
-unshare=$(which unshare);	umount=$(which umount);	chroot=$(which chroot)
 
 function CHECK_VOLUME() {
 if $btrfs subvolume list "$btrfs_path" | grep -qw "$1"; then
@@ -16,7 +15,7 @@ fi
 
 function INIT() {
 if [[ -d "$1" ]]; then
-	uuid="img_$(uuidgen)"
+	uuid="img_$(shuf -i 10000-99999 -n 1)"
 	$btrfs subvolume create "$btrfs_path/$uuid" > /dev/null
 	cp -rf --reflink=auto "$1"/* "$btrfs_path/$uuid" > /dev/null
 	echo "$uuid"
@@ -47,13 +46,23 @@ done
 
 function RUN() {
 CHECK_VOLUME "$1"
-uuid="ps_$(uuidgen)"
+uuid="ps_$(shuf -i 10000-99999 -n 1)"
+ip link add dev veth0_"$uuid" type veth peer name veth1_"$uuid"
+ip link set dev veth0_"$uuid" up
+ip link set veth0_"$uuid" master bridge0
+ip netns add netns_"$uuid"
+ip link set veth1_"$uuid" netns netns_"$uuid"
+ip netns exec netns_"$uuid" ip link set dev lo up
+ip netns exec netns_"$uuid" ip addr add 10.0.0.2/24 dev veth1_"$uuid"
+ip netns exec netns_"$uuid" ip link set dev veth1_"$uuid" up
+ip netns exec netns_"$uuid" ip route add default via 10.0.0.1
 $btrfs subvolume snapshot "$btrfs_path/$1" "$btrfs_path/$uuid" > /dev/null
 echo "$2" > "$btrfs_path/$uuid/$uuid.cmd"
-"$unshare" -fp --mount-proc "$chroot" "$btrfs_path/$uuid" \
+ip netns exec netns_"$uuid" "$unshare" -fp --mount-proc "$chroot" \
-	/bin/sh -c "/bin/mount -t proc proc /proc && /bin/$2" \
+	"$btrfs_path/$uuid" /bin/sh -c "/bin/mount -t proc proc /proc && $2" \
-	2>&1 | tee "$btrfs_path/$uuid/$uuid.log"
+	2>&1 | tee "$btrfs_path/$uuid/$uuid.log" || true
-$umount "$btrfs_path/$uuid/proc"
+ip link del dev veth0_"$uuid"
+ip netns del netns_"$uuid"
 }
 
 function LOGS() {