def _ensure_host_tunnel_addr(ipv4_pools, ipip_pools): """ Ensure the host has a valid IP address for its IPIP tunnel device. This must be an IP address claimed from one of the IPIP pools. Handles re-allocating the address if it finds an existing address that is not from an IPIP pool. :param ipv4_pools: List of all IPv4 pools. :param ipip_pools: List of IPIP-enabled pools. """ ip_addr = _get_host_tunnel_ip() if ip_addr: # Host already has a tunnel IP assigned, verify that it's still valid. pool = _find_pool(ip_addr, ipv4_pools) if pool and not pool.ipip: # No longer an IPIP pool. Release the IP, it's no good to us. client.release_ips({ip_addr}) ip_addr = None elif not pool: # Not in any IPIP pool. IP must be stale. Since it's not in any # pool, we can't release it. ip_addr = None if not ip_addr: # Either there was no IP or the IP needs to be replaced. Try to # get an IP from one of the IPIP-enabled pools. _assign_host_tunnel_addr(ipip_pools)
def node_remove(remove_endpoints, host): """ Remove a node from the Calico network. :param remove_endpoints: Whether the endpoint data should be forcibly removed. :param host: The hostname of the host whose node will be removed, or None if removing this host's node. :return: None. """ host_to_remove = host or hostname if host_to_remove == hostname and ( _container_running("calico-node") or _container_running("calico-libnetwork")): print_paragraph("The node cannot be removed while it is running. " "Please run 'calicoctl node stop' to stop the node " "before removing it.") sys.exit(1) endpoints = client.get_endpoints(hostname=host_to_remove) if endpoints and not remove_endpoints: print_paragraph("The node has active Calico endpoints so can't be " "deleted. Force with --remove-endpoints") print_paragraph("Note that forcible removing the node may leave some " "workloads in an indeterminate networked state. If " "this is in error, you may restart the node using the " "'calicoctl node' command and clean up the workloads " "in the normal way.") sys.exit(1) # Remove the veths, and release all IPs associated with the endpoints. To # release the IPs, we construct a set of all IP addresses across all # endpoints (this assumes the endpoint nets are all single IPs). ips = set() for endpoint in endpoints: remove_veth(endpoint.name) ips |= {net.ip for net in endpoint.ipv4_nets} ips |= {net.ip for net in endpoint.ipv6_nets} client.release_ips(ips) # Remove the IPAM host data. client.remove_ipam_host(host_to_remove) # If the host had an IPIP tunnel address, release it back to the IPAM pool # so that we don't leak it when we delete the config. raw_addr = client.get_per_host_config(host_to_remove, "IpInIpTunnelAddr") try: ip_addr = IPAddress(raw_addr) client.release_ips({ip_addr}) except (AddrFormatError, ValueError, TypeError): pass client.remove_per_host_config(host_to_remove, "IpInIpTunnelAddr") client.remove_host(host_to_remove) print "Node configuration removed"
def node_remove(remove_endpoints, host): """ Remove a node from the Calico network. :param remove_endpoints: Whether the endpoint data should be forcibly removed. :param host: The hostname of the host whose node will be removed, or None if removing this host's node. :return: None. """ host_to_remove = host or hostname if host_to_remove == hostname and (_container_running("calico-node") or _container_running("calico-libnetwork")): print_paragraph("The node cannot be removed while it is running. " "Please run 'calicoctl node stop' to stop the node " "before removing it.") sys.exit(1) endpoints = client.get_endpoints(hostname=host_to_remove) if endpoints and not remove_endpoints: print_paragraph("The node has active Calico endpoints so can't be " "deleted. Force with --remove-endpoints") print_paragraph("Note that forcible removing the node may leave some " "workloads in an indeterminate networked state. If " "this is in error, you may restart the node using the " "'calicoctl node' command and clean up the workloads " "in the normal way.") sys.exit(1) # Remove the veths, and release all IPs associated with the endpoints. To # release the IPs, we construct a set of all IP addresses across all # endpoints (this assumes the endpoint nets are all single IPs). ips = set() for endpoint in endpoints: remove_veth(endpoint.name) ips |= {net.ip for net in endpoint.ipv4_nets} ips |= {net.ip for net in endpoint.ipv6_nets} client.release_ips(ips) # Remove the IPAM host data. client.remove_ipam_host(host_to_remove) # If the host had an IPIP tunnel address, release it back to the IPAM pool # so that we don't leak it when we delete the config. raw_addr = client.get_per_host_config(host_to_remove, "IpInIpTunnelAddr") try: ip_addr = IPAddress(raw_addr) client.release_ips({ip_addr}) except (AddrFormatError, ValueError, TypeError): pass client.remove_per_host_config(host_to_remove, "IpInIpTunnelAddr") client.remove_host(host_to_remove) print "Node configuration removed"
def _remove_host_tunnel_addr(): """ Remove any existing IP address for this host's IPIP tunnel device. Idempotent; does nothing if there is no IP assigned. Releases the IP from IPAM. """ ip_addr = _get_host_tunnel_ip() if ip_addr: client.release_ips({ip_addr}) client.remove_per_host_config(hostname, "IpInIpTunnelAddr")
def container_remove(container_id): """ Remove a container (on this host) from Calico networking. The container may be left in a state without any working networking. If there is a network adaptor in the host namespace used by the container then it is removed. :param container_id: The namespace path or the ID of the container. """ # The netns manipulations must be done as root. enforce_root() # Resolve the name to ID. if container_id.startswith("/") and os.path.exists(container_id): # The ID is a path. Don't do any docker lookups orchestrator_id = NAMESPACE_ORCHESTRATOR_ID endpoints = client.get_endpoints(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=escape_etcd(container_id)) else: # We know we're using "docker" as the orchestrator. If we have a direct # hit on the container id then we can proceed. Otherwise, ask docker to # try converting the name/id fragment into a full ID. orchestrator_id = DOCKER_ORCHESTRATOR_ID endpoints = client.get_endpoints(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=container_id) if not endpoints: container_id = get_workload_id(container_id) endpoints = client.get_endpoints(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=container_id) for endpoint in endpoints: # Remove any IP address assignments that this endpoint has client.release_ips( set(map(IPAddress, endpoint.ipv4_nets | endpoint.ipv6_nets))) try: # Remove the interface if it exists netns.remove_veth(endpoint.name) except CalledProcessError: print "Could not remove Calico interface %s" % endpoint.name # Always try to remove the workload, even if we didn't find any # endpoints. try: client.remove_workload(hostname, orchestrator_id, container_id) print "Removed Calico from %s" % container_id except KeyError: print "Failed find Calico data for %s" % container_id
def get_ip_and_pool(ip_or_pool): """ Return the IP address and associated pool to use when creating a container. :param ip_or_pool: (string) The requested IP address, pool CIDR, or special values "ipv4" and "ipv6". When an IP address is specified, that IP address is used. When a pool CIDR is specified, an IP address is allocated from that pool. IF either "ipv6" or "ipv6" are specified, then an IP address is allocated from an arbitrary IPv4 or IPv6 pool respectively. :return: A tuple of (IPAddress, IPPool) """ if ip_or_pool.lower() in ("ipv4", "ipv6"): # Requested to auto-assign an IP address if ip_or_pool[-1] == '4': result = assign_any(1, 0) ip = result[0][0] else: result = assign_any(0, 1) ip = result[1][0] # We can't get the pool until we have the IP address. If we fail to # get the pool (very small timing window if another client deletes the # pool) we must release the IP. try: pool = get_pool_or_exit(ip) except SystemExit: client.release_ips({ip}) raise elif ip_or_pool is not None and '/' in ip_or_pool: # Requested to assign an IP address from a specified pool. cidr = IPNetwork(ip_or_pool) pool = get_pool_by_cidr_or_exit(cidr) if cidr.version == 4: result = assign_any(1, 0, pool=(pool, None)) ip = result[0][0] else: result = assign_any(0, 1, pool=(None, pool)) ip = result[1][0] else: # Requested a specific IP address to use. ip = IPAddress(ip_or_pool) pool = get_pool_or_exit(ip) # Assign the IP try: client.assign_ip(ip, None, {}) except AlreadyAssignedError: print_paragraph("IP address is already assigned in pool " "%s." % pool) sys.exit(1) return (ip, pool)
def container_remove(container_id): """ Remove a container (on this host) from Calico networking. The container may be left in a state without any working networking. If there is a network adaptor in the host namespace used by the container then it is removed. :param container_id: The namespace path or the ID of the container. """ # The netns manipulations must be done as root. enforce_root() # Resolve the name to ID. if container_id.startswith("/") and os.path.exists(container_id): # The ID is a path. Don't do any docker lookups orchestrator_id = NAMESPACE_ORCHESTRATOR_ID endpoints = client.get_endpoints(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=escape_etcd(container_id)) else: # We know we're using "docker" as the orchestrator. If we have a direct # hit on the container id then we can proceed. Otherwise, ask docker to # try converting the name/id fragment into a full ID. orchestrator_id = DOCKER_ORCHESTRATOR_ID endpoints = client.get_endpoints(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=container_id) if not endpoints: container_id = get_workload_id(container_id) endpoints = client.get_endpoints(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=container_id) for endpoint in endpoints: # Remove any IP address assignments that this endpoint has client.release_ips(set(map(IPAddress, endpoint.ipv4_nets | endpoint.ipv6_nets))) try: # Remove the interface if it exists netns.remove_veth(endpoint.name) except CalledProcessError: print "Could not remove Calico interface %s" % endpoint.name # Always try to remove the workload, even if we didn't find any # endpoints. try: client.remove_workload(hostname, orchestrator_id, container_id) print "Removed Calico from %s" % container_id except KeyError: print "Failed find Calico data for %s" % container_id
def container_remove(container_id): """ Remove a container (on this host) from Calico networking. The container may be left in a state without any working networking. If there is a network adaptor in the host namespace used by the container then it is removed. :param container_id: The namespace path or the ID of the container. """ # The netns manipulations must be done as root. enforce_root() # Resolve the name to ID. if container_id.startswith("/") and os.path.exists(container_id): # The ID is a path. Don't do any docker lookups workload_id = escape_etcd(container_id) orchestrator_id = NAMESPACE_ORCHESTRATOR_ID else: workload_id = get_workload_id(container_id) orchestrator_id = DOCKER_ORCHESTRATOR_ID # Find the endpoint ID. We need this to find any ACL rules try: endpoint = client.get_endpoint(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=workload_id) except KeyError: print "Container %s doesn't contain any endpoints" % container_id sys.exit(1) # Remove any IP address assignments that this endpoint has for net in endpoint.ipv4_nets | endpoint.ipv6_nets: assert(net.size == 1) ip = net.ip pools = client.get_ip_pools(ip.version) for pool in pools: if ip in pool: # Ignore failure to release_ips, since we're not # enforcing assignments strictly in datastore.py. client.release_ips({ip}) try: # Remove the interface if it exists netns.remove_veth(endpoint.name) except CalledProcessError: print "Could not remove Calico interface %s" % endpoint.name sys.exit(1) # Remove the container from the datastore. client.remove_workload(hostname, orchestrator_id, workload_id) print "Removed Calico interface from %s" % container_id
def release(ip): """ Release an IP address :param ip: The IP address (as a string). """ address = IPAddress(ip) if client.release_ips({address}): print "Failed to release address" else: print "Address successfully released"
def container_add(container_id, ip, interface): """ Add a container (on this host) to Calico networking with the given IP. :param container_id: The namespace path or the docker name/ID of the container. :param ip: An IPAddress object with the desired IP to assign. :param interface: The name of the interface in the container. """ # The netns manipulations must be done as root. enforce_root() # TODO: This section is redundant in container_add_ip and elsewhere if container_id.startswith("/") and os.path.exists(container_id): # The ID is a path. Don't do any docker lookups workload_id = escape_etcd(container_id) orchestrator_id = NAMESPACE_ORCHESTRATOR_ID namespace = netns.Namespace(container_id) else: info = get_container_info_or_exit(container_id) workload_id = info["Id"] orchestrator_id = DOCKER_ORCHESTRATOR_ID namespace = netns.PidNamespace(info["State"]["Pid"]) # Check the container is actually running. if not info["State"]["Running"]: print_paragraph("%s is not currently running." % container_id) sys.exit(1) # We can't set up Calico if the container shares the host namespace. if info["HostConfig"]["NetworkMode"] == "host": print_paragraph("Can't add %s to Calico because it is " "running NetworkMode = host." % container_id) sys.exit(1) # Check if the container already exists try: _ = client.get_endpoint(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=workload_id) except KeyError: # Calico doesn't know about this container. Continue. pass else: # Calico already set up networking for this container. Since we got # called with an IP address, we shouldn't just silently exit, since # that would confuse the user: the container would not be reachable on # that IP address. print_paragraph("%s has already been configured with Calico " "Networking." % container_id) sys.exit(1) ip, pool = get_ip_and_pool(ip) try: # The next hop IPs for this host are stored in etcd. next_hops = client.get_default_next_hops(hostname) next_hops[ip.version] except KeyError: print_paragraph("This node is not configured for IPv%d. " "Is calico-node running?" % ip.version) unallocated_ips = client.release_ips({ip}) if unallocated_ips: print_paragraph("Error during cleanup. %s was already" "unallocated." % ip) sys.exit(1) # Get the next hop for the IP address. next_hop = next_hops[ip.version] network = IPNetwork(IPAddress(ip)) ep = Endpoint(hostname=hostname, orchestrator_id=DOCKER_ORCHESTRATOR_ID, workload_id=workload_id, endpoint_id=uuid.uuid1().hex, state="active", mac=None) if network.version == 4: ep.ipv4_nets.add(network) ep.ipv4_gateway = next_hop else: ep.ipv6_nets.add(network) ep.ipv6_gateway = next_hop # Create the veth, move into the container namespace, add the IP and # set up the default routes. netns.increment_metrics(namespace) netns.create_veth(ep.name, ep.temp_interface_name) netns.move_veth_into_ns(namespace, ep.temp_interface_name, interface) netns.add_ip_to_ns_veth(namespace, ip, interface) netns.add_ns_default_route(namespace, next_hop, interface) # Grab the MAC assigned to the veth in the namespace. ep.mac = netns.get_ns_veth_mac(namespace, interface) # Register the endpoint with Felix. client.set_endpoint(ep) # Let the caller know what endpoint was created. print_paragraph("IP %s added to %s" % (str(ip), container_id)) return ep
def container_ip_remove(container_id, ip, interface): """ Add an IP address to an existing Calico networked container. :param container_id: The namespace path or container_id of the container. :param ip: The IP to add :param interface: The name of the interface in the container. :return: None """ address = IPAddress(ip) # The netns manipulations must be done as root. enforce_root() pool = get_pool_or_exit(address) if container_id.startswith("/") and os.path.exists(container_id): # The ID is a path. Don't do any docker lookups workload_id = escape_etcd(container_id) namespace = netns.Namespace(container_id) orchestrator_id = NAMESPACE_ORCHESTRATOR_ID else: info = get_container_info_or_exit(container_id) workload_id = info["Id"] namespace = netns.PidNamespace(info["State"]["Pid"]) orchestrator_id = DOCKER_ORCHESTRATOR_ID # Check the container is actually running. if not info["State"]["Running"]: print "%s is not currently running." % container_id sys.exit(1) # Check that the container is already networked try: endpoint = client.get_endpoint(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=workload_id) if address.version == 4: nets = endpoint.ipv4_nets else: nets = endpoint.ipv6_nets if not IPNetwork(address) in nets: print "IP address is not assigned to container. Aborting." sys.exit(1) except KeyError: print "Container is unknown to Calico." sys.exit(1) try: nets.remove(IPNetwork(address)) client.update_endpoint(endpoint) except (KeyError, ValueError): print "Error updating datastore. Aborting." sys.exit(1) try: netns.remove_ip_from_ns_veth(namespace, address, interface) except CalledProcessError: print "Error updating networking in container. Aborting." sys.exit(1) client.release_ips({address}) print "IP %s removed from %s" % (ip, container_id)
def container_ip_add(container_id, ip, interface): """ Add an IP address to an existing Calico networked container. :param container_id: The namespace path or container_id of the container. :param ip: The IP to add :param interface: The name of the interface in the container. :return: None """ # The netns manipulations must be done as root. enforce_root() if container_id.startswith("/") and os.path.exists(container_id): # The ID is a path. Don't do any docker lookups workload_id = escape_etcd(container_id) namespace = netns.Namespace(container_id) orchestrator_id = NAMESPACE_ORCHESTRATOR_ID else: info = get_container_info_or_exit(container_id) workload_id = info["Id"] namespace = netns.PidNamespace(info["State"]["Pid"]) orchestrator_id = DOCKER_ORCHESTRATOR_ID # Check the container is actually running. if not info["State"]["Running"]: print "%s is not currently running." % container_id sys.exit(1) # Check that the container is already networked try: endpoint = client.get_endpoint(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=workload_id) except KeyError: print "Failed to add IP address to container.\n" print_container_not_in_calico_msg(container_id) sys.exit(1) # From here, this method starts having side effects. If something # fails then at least try to leave the system in a clean state. address, pool = get_ip_and_pool(ip) try: if address.version == 4: endpoint.ipv4_nets.add(IPNetwork(address)) else: endpoint.ipv6_nets.add(IPNetwork(address)) client.update_endpoint(endpoint) except (KeyError, ValueError): client.release_ips({address}) print "Error updating datastore. Aborting." sys.exit(1) try: netns.add_ip_to_ns_veth(namespace, address, interface) except CalledProcessError: print "Error updating networking in container. Aborting." if address.version == 4: endpoint.ipv4_nets.remove(IPNetwork(address)) else: endpoint.ipv6_nets.remove(IPNetwork(address)) client.update_endpoint(endpoint) client.release_ips({address}) sys.exit(1) print "IP %s added to %s" % (str(address), container_id)
def container_ip_add(container_id, ip, interface): """ Add an IP address to an existing Calico networked container. :param container_id: The namespace path or container_id of the container. :param ip: The IP to add :param interface: The name of the interface in the container. :return: None """ # The netns manipulations must be done as root. enforce_root() if container_id.startswith("/") and os.path.exists(container_id): # The ID is a path. Don't do any docker lookups workload_id = escape_etcd(container_id) namespace = netns.Namespace(container_id) orchestrator_id = NAMESPACE_ORCHESTRATOR_ID else: info = get_container_info_or_exit(container_id) workload_id = info["Id"] namespace = netns.PidNamespace(info["State"]["Pid"]) orchestrator_id = DOCKER_ORCHESTRATOR_ID # Check the container is actually running. if not info["State"]["Running"]: print "%s is not currently running." % container_id sys.exit(1) # Check that the container is already networked try: endpoint = client.get_endpoint(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=workload_id) except KeyError: print "Failed to add IP address to container.\n" print_container_not_in_calico_msg(container_id) sys.exit(1) # From here, this method starts having side effects. If something # fails then at least try to leave the system in a clean state. address, pool = get_ip_and_pool(ip) try: if address.version == 4: endpoint.ipv4_nets.add(IPNetwork(address)) else: endpoint.ipv6_nets.add(IPNetwork(address)) client.update_endpoint(endpoint) except (KeyError, ValueError): client.release_ips({address}) print "Error updating datastore. Aborting." sys.exit(1) if not netns.ns_veth_exists(namespace, interface): print "Interface provided does not exist in container. Aborting." sys.exit(1) try: netns.add_ip_to_ns_veth(namespace, address, interface) except CalledProcessError: print "Error updating networking in container. Aborting." if address.version == 4: endpoint.ipv4_nets.remove(IPNetwork(address)) else: endpoint.ipv6_nets.remove(IPNetwork(address)) client.update_endpoint(endpoint) client.release_ips({address}) sys.exit(1) print "IP %s added to %s" % (str(address), container_id)
def container_add(container_id, ip, interface): """ Add a container (on this host) to Calico networking with the given IP. :param container_id: The namespace path or the docker name/ID of the container. :param ip: An IPAddress object with the desired IP to assign. :param interface: The name of the interface in the container. """ # The netns manipulations must be done as root. enforce_root() # TODO: This section is redundant in container_add_ip and elsewhere if container_id.startswith("/") and os.path.exists(container_id): # The ID is a path. Don't do any docker lookups workload_id = escape_etcd(container_id) orchestrator_id = NAMESPACE_ORCHESTRATOR_ID namespace = netns.Namespace(container_id) else: info = get_container_info_or_exit(container_id) workload_id = info["Id"] orchestrator_id = DOCKER_ORCHESTRATOR_ID namespace = netns.PidNamespace(info["State"]["Pid"]) # Check the container is actually running. if not info["State"]["Running"]: print "%s is not currently running." % container_id sys.exit(1) # We can't set up Calico if the container shares the host namespace. if info["HostConfig"]["NetworkMode"] == "host": print "Can't add %s to Calico because it is " \ "running NetworkMode = host." % container_id sys.exit(1) # Check if the container already exists try: _ = client.get_endpoint(hostname=hostname, orchestrator_id=orchestrator_id, workload_id=workload_id) except KeyError: # Calico doesn't know about this container. Continue. pass else: # Calico already set up networking for this container. Since we got # called with an IP address, we shouldn't just silently exit, since # that would confuse the user: the container would not be reachable on # that IP address. print "%s has already been configured with Calico Networking." % \ container_id sys.exit(1) ip, pool = get_ip_and_pool(ip) # The next hop IPs for this host are stored in etcd. next_hops = client.get_default_next_hops(hostname) try: next_hops[ip.version] except KeyError: print "This node is not configured for IPv%d." % ip.version unallocated_ips = client.release_ips({ip}) if unallocated_ips: print ("Error during cleanup. {0} was already unallocated." ).format(unallocated_ips) sys.exit(1) # Get the next hop for the IP address. next_hop = next_hops[ip.version] network = IPNetwork(IPAddress(ip)) ep = Endpoint(hostname=hostname, orchestrator_id=DOCKER_ORCHESTRATOR_ID, workload_id=workload_id, endpoint_id=uuid.uuid1().hex, state="active", mac=None) if network.version == 4: ep.ipv4_nets.add(network) ep.ipv4_gateway = next_hop else: ep.ipv6_nets.add(network) ep.ipv6_gateway = next_hop # Create the veth, move into the container namespace, add the IP and # set up the default routes. netns.create_veth(ep.name, ep.temp_interface_name) netns.move_veth_into_ns(namespace, ep.temp_interface_name, interface) netns.add_ip_to_ns_veth(namespace, ip, interface) netns.add_ns_default_route(namespace, next_hop, interface) # Grab the MAC assigned to the veth in the namespace. ep.mac = netns.get_ns_veth_mac(namespace, interface) # Register the endpoint with Felix. client.set_endpoint(ep) # Let the caller know what endpoint was created. print "IP %s added to %s" % (str(ip), container_id) return ep