  • ClearContainer 网络部分源码分析

    // cc-oci-runtime/src/oci.c

    /*!

     * Create the state file, apply mounts and run hooks, but do not start the VM

     */

    gboolean cc_oci_create(struct cc_oci_config *config)

    (1)、依次调用cc_oci_config_file_parse(config),cc_oci_config_check(config),cc_oci_runtime_dir_setup(config)和cc_oci_handle_mounts(config)

    (2)、当cc_pod_is_vm(config)为true时,调用cc_oci_vm_launch(config),否则调用cc_pod_container_create(config)

    // cc-oci-runtime/src/process.c

    /*!

     * Start the hypervisor as a child process.

     * Due to the way networking is handled in Docker, the logic here is unfortunately rather complex.

     * \param config \ref cc_oci_config.

     * \return \c true on success, else \c false.

     */

    gboolean cc_oci_vm_launch(struct cc_oci_config *config)

    (1)、调用setup_networking = cc_oci_enable_networking();   --->仅检查当前是否以root身份运行,因为创建网络接口(interface)需要root权限

    ...

    (2)、调用config->state.status = OCI_STATUS_CREATED;

    /* The namespace setup occurs in the parent to ensure the hooks run successfully. The child will

     * automatically inherit the namespaces.

     */

    (3)、调用cc_oci_ns_setup(config)

    /* Connect to the proxy before launching the shim so that the proxy socket fd can be passed to the shim*/

    (4)、调用cc_proxy_connect(config->proxy)

    /* Set up comms channels to the child:

     * - one to pass the full list of expanded hypervisor arguments.

     * - one to allow detection of successful child setup: if the child closes the pipe,

     * it was successful, but if it writes data to the pipe, setup failed.

     */

    (5)、调用pipe2(child_err_pipe, O_CLOEXEC)和pipe2(hypervisor_args_pipe, O_CLOEXEC);由于设置了O_CLOEXEC,子进程execvp成功时这些fd会自动关闭,这正是上面注释中"子进程关闭管道即表示成功"的检测方式,同时也避免了管道fd泄漏到hypervisor进程中

    (6)、fork()一个子进程,在子进程中最终运行cc_oci_setup_child(config)以及execvp(args[0], args)

    ....

    /* Run the pre-start hooks.

     * Note that one of these hooks will configure the networking in the network namespace.

     * If a hook returns a non-zero exit code, then an error including the exit code and the stderr is

     * returned to the caller and the container is torn down.

     */

    (7)、hook_status = cc_run_hooks(config->oci.hooks.prestart, config->state.state_file_path, true)

    // add network config bits to following functions:

    // - cc_oci_container_state()

    // - oci_state()

    // - cc_oci_update_options()

    (8)、如果setup_networking为true,则依次调用hndl = netlink_init(),cc_oci_vm_netcfg_get(config, hndl)和cc_oci_network_create(config, hndl)

    .......

    // cc-oci-runtime/src/netlink.c

    /*!

     * Setup the netlink socket to use with netlink transactions. This handle should be used for all netlink

     * transactions for a given thread.

     */

    struct netlink_handle *netlink_init(void)

    初始化一个netlink_handle实例

    // cc-oci-runtime/src/process.c

    /*!

     * Obtain the network configuration by quering the network namespace.

     * \param[in, out] config \ref cc_oci_config.

     * \param hndl handle returned from a call to \ref netlink_init().

     */

    private gboolean cc_oci_vm_netcfg_get(struct cc_oci_config *config, struct netlink_handle *hndl)

    仅仅调用cc_oci_network_discover(config, hndl)

    // cc-oci-runtime/src/networking.c

    /*!

     * Obtain the networking configuration of the container

     * Currently done by scanned the namespace

     * Ideally the OCI spec should be modified such that

     * these parameters are sent to the runtime

     */

    gboolean cc_oci_network_discover(struct cc_oci_config *const config, struct netlink_handle *hndl)

    ...

    (1)、调用getifaddrs(&ifaddrs)  --> discover container interfaces

    ....

    /*!

     * Request to create the networking framework that will be used to

     * connect the specified container network(veth) to the VM

     *

     * The container may be associated with multiple networks and function has to be invoked

     * for each of those networks

     * Once the OCI spec supports the creation of VM compatible tap interfaces in the network plugin

     * this setup will not be required

     */

    gboolean cc_oci_network_create(const struct cc_oci_config *const config, struct netlink_handle *const hndl)

    /* Each container has its own namespace. Hence we use the same mac address prefix

     * for tap interfaces on the host side. This method scales to support upto 2^16 networks

     */

    遍历config->net.interfaces,

    // cc-oci-runtime/src/namespace.c

    /**

     * Setup namespace.

     * This should not strictly be required (since the runtime does not implement a "traditional linux" container).

     * Howerver, namespace are used to pass network configuration to the runtime so the network namespace

     * must be supported.

     * \param config \ref cc_oci_config.

     * \return \c true on success, else \c false.

     * \todo Show the namespace path. For unshare, the strategy should be to call cc_oci_resolve_path (),

     * passing it the value of ."/proc/self/ns/%s". The complication is that %s does *NOT* match the 

     * namespace names chosen by OCI, hence oci_ns_map will need to be extended to add a "gchar *proc_name" element

     * \note in the case of error, check the value of errno immediately after this call to determine the reason.

     */

    gboolean cc_oci_ns_setup(struct cc_oci_config *config)

    从config中解析出network namespace对应的ns->path,调用fd = open(ns->path, O_RDONLY)打开它,最后调用setns(fd, ns->type)加入该network namespace

  • 原文地址:https://www.cnblogs.com/YaoDD/p/6229688.html