You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -202,7 +205,7 @@ The runtime must execute the plugin in the runtime's networking domain. (For mos
202
205
203
206
Protocol parameters are passed to the plugins via OS environment variables.
204
207
205
-
-`CNI_COMMAND`: indicates the desired operation; `ADD`, `DEL`, `CHECK`, or `VERSION`.
208
+
-`CNI_COMMAND`: indicates the desired operation; `ADD`, `DEL`, `CHECK`, `GC`, or `VERSION`.
206
209
-`CNI_CONTAINERID`: Container ID. A unique plaintext identifier for a container, allocated by the runtime. Must not be empty. Must start with an alphanumeric character, optionally followed by any combination of one or more alphanumeric characters, underscore (), dot (.) or hyphen (-).
207
210
-`CNI_NETNS`: A reference to the container's "isolation domain". If using network namespaces, then a path to the network namespace (e.g. `/run/netns/[nsname]`)
208
211
-`CNI_IFNAME`: Name of the interface to create inside the container; if the plugin is unable to use this interface name it must return an error.
@@ -214,7 +217,7 @@ A plugin must exit with a return code of 0 on success, and non-zero on failure.
214
217
215
218
### CNI operations
216
219
217
-
CNI defines 4 operations: `ADD`, `DEL`, `CHECK`, and `VERSION`. These are passed to the plugin via the `CNI_COMMAND` environment variable.
220
+
CNI defines 5 operations: `ADD`, `DEL`, `CHECK`, `GC`, and `VERSION`. These are passed to the plugin via the `CNI_COMMAND` environment variable.
218
221
219
222
#### `ADD`: Add container to network, or apply modifications
220
223
@@ -321,6 +324,38 @@ A json-serialized object, with the following key:
321
324
Required environment parameters:
322
325
-`CNI_COMMAND`
323
326
327
+
#### `GC`: Clean up any stale resources
328
+
329
+
The GC comand provides a way for runtimes to specify the expected set of attachments to a network.
330
+
The network plugin may then remove any resources related to attachments that do not exist in this set.
331
+
332
+
Resources may, for example, include:
333
+
- IPAM reservations
334
+
- Firewall rules
335
+
336
+
A plugin SHOULD remove as many stale resources as possible. For example, a plugin should remove any IPAM reservations associated with attachments not in the provided list. The plugin MAY assume that the isolation domain (e.g. network namespace) has been deleted, and thus any resources (e.g. network interfaces) therein have been removed.
337
+
338
+
Plugins should generally complete a `GC` action without error. If an error is encountered, a plugin should continue; removing as many resources as possible, and report the errors back to the runtime.
339
+
340
+
Plugins MUST, additionally, forward any GC calls to delegated plugins they are configured to use (see section 4).
341
+
342
+
The runtime MUST NOT use GC as a substitute for DEL. Plugins may be unable to clean up some resources from GC that they would have been able to clean up from DEL.
343
+
344
+
**Input:**
345
+
346
+
The runtime must provide a JSON-serialized plugin configuration object (defined below) on standard in. It contains an additional key;
347
+
348
+
-`cni.dev/attachments` (array of objects): The list of **still valid** attachments to this network:
349
+
-`containerID` (string): the value of CNI_CONTAINERID as provided during the CNI ADD operation
350
+
-`ifname` (string): the value of CNI_IFNAME as provided during the CNI ADD operation
351
+
352
+
Required environment parameters:
353
+
-`CNI_COMMAND`
354
+
-`CNI_PATH`
355
+
356
+
**Output:**
357
+
No output on success, ["error" result structure](#Error) on error.
358
+
324
359
325
360
## Section 3: Execution of Network Configurations
326
361
@@ -332,6 +367,7 @@ The operation of a network configuration on a container is called an _attachment
332
367
333
368
- The container runtime must create a new network namespace for the container before invoking any plugins.
334
369
- The container runtime must not invoke parallel operations for the same container, but is allowed to invoke parallel operations for different containers. This includes across multiple attachments.
370
+
-**Exception**: The runtime must exclusively execute either _gc_ or _add_ and _delete_. The runtime must ensure that no _add_ or _delete_ operations are in progress before executing _gc_, and must wait for _gc_ to complete before issuing new _add_ or _delete_ commands.
335
371
- Plugins must handle being executed concurrently across different containers. If necessary, they must implement locking on shared resources (e.g. IPAM databases).
336
372
- The container runtime must ensure that _add_ is eventually followed by a corresponding _delete_. The only exception is in the event of catastrophic failure, such as node loss. A _delete_ must still be executed even if the _add_ fails.
337
373
-_delete_ may be followed by additional _deletes_.
@@ -389,21 +425,38 @@ For every plugin defined in the `plugins` key of the network configuration,
389
425
390
426
If all plugins return success, return success to the caller.
391
427
392
-
### Deriving execution configuration from plugin configuration
428
+
### Garbage-collecting a network
429
+
The runtime may also ask every plugin in a network configuration to clean up any stale resources via the _GC_ command.
430
+
431
+
When garbage-collecting a configuration, there are no [Attachment Parameters](#attachment-parameters).
432
+
433
+
For every plugin defined in the `plugins` key of the network configuration,
434
+
1. Look up the executable specified in the `type` field. If this does not exist, then this is an error.
435
+
2. Derive request configuration from the plugin configuration.
436
+
3. Execute the plugin binary, with `CNI_COMMAND=GC`. Supply the derived configuration via standard in.
437
+
4. If the plugin returns an error, **continue** with execution, returning all errors to the caller.
438
+
439
+
If all plugins return success, return success to the caller.
440
+
441
+
### Deriving request configuration from plugin configuration
393
442
The network configuration format (which is a list of plugin configurations to execute) must be transformed to a format understood by the plugin (which is a single plugin configuration). This section describes that transformation.
394
443
395
-
The execution configuration for a single plugin invocation is also JSON. It consists of the plugin configuration, primarily unchanged except for the specified additions and removals.
444
+
The request configuration for a single plugin invocation is also JSON. It consists of the plugin configuration, primarily unchanged except for the specified additions and removals.
396
445
397
-
The following fields must be inserted into the execution configuration by the runtime:
446
+
The following fields are always to be inserted into the request configuration by the runtime:
398
447
-`cniVersion`: taken from the `cniVersion` field of the network configuration
399
448
-`name`: taken from the `name` field of the network configuration
400
-
-`runtimeConfig`: A JSON object, consisting of the union of capabilities provided by the plugin and requested by the runtime (more details below)
401
-
-`prevResult`: A JSON object, consisting of the result type returned by the "previous" plugin. The meaning of "previous" is defined by the specific operation (_add_, _delete_, or _check_).
402
449
403
-
The following fields must be **removed** by the runtime:
404
-
-`capabilities`
405
450
406
-
All other fields should be passed through unaltered.
451
+
For attachment-specific operations (ADD, DEL, CHECK), additional field requirements apply:
452
+
-`runtimeConfig`: the runtime must insert an object consisting of the union of capabilities provided by the plugin and requested by the runtime (more details below).
453
+
-`prevResult`: the runtime must insert consisting of the result type returned by the "previous" plugin. The meaning of "previous" is defined by the specific operation (_add_, _delete_, or _check_). This field must not be set for the first _add_ in a chain.
454
+
-`capabilities`: must not be set
455
+
456
+
For GC operations:
457
+
-`cni.dev/attachments`: as specified in section 2.
458
+
459
+
All other fields not prefixed with `cni.dev/` should be passed through unaltered.
407
460
408
461
#### Deriving `runtimeConfig`
409
462
@@ -459,21 +512,15 @@ When a plugin executes a delegated plugin, it should:
459
512
- Execute that plugin with the same environment and configuration that it received.
460
513
- Ensure that the delegated plugin's stderr is output to the calling plugin's stderr.
461
514
462
-
If a plugin is executed with `CNI_COMMAND=CHECK`or `DEL`, it must also execute any delegated plugins. If any of the delegated plugins return error, error should be returned by the upper plugin.
515
+
If a plugin is executed with `CNI_COMMAND=CHECK`, `DEL`, or `GC`, it must also execute any delegated plugins. If any of the delegated plugins return error, error should be returned by the upper plugin.
463
516
464
517
If, on `ADD`, a delegated plugin fails, the "upper" plugin should execute again with `DEL` before returning failure.
465
518
466
519
## Section 5: Result Types
467
520
468
-
Plugins can return one of three result types:
521
+
For certain operations, plugins must output result information. The output should be serialized as JSON on standard out.
469
522
470
-
-_Success_ (or _Abbreviated Success_)
471
-
-_Error_
472
-
-_Version_
473
-
474
-
### Success
475
-
476
-
Plugins provided a `prevResult` key as part of their request configuration must output it as their result, with any possible modifications made by that plugin included. If a plugin makes no changes that would be reflected in the _Success result_ type, then it must output a result equivalent to the provided `prevResult`.
523
+
### ADD Success
477
524
478
525
Plugins must output a JSON object with the following keys upon a successful `ADD` operation:
479
526
@@ -495,12 +542,29 @@ Plugins must output a JSON object with the following keys upon a successful `ADD
495
542
-`search` (list of strings): list of priority ordered search domains for short hostname lookups. Will be preferred over `domain` by most resolvers.
496
543
-`options` (list of strings): list of options that can be passed to the resolver.
497
544
545
+
Plugins provided a `prevResult` key as part of their request configuration must output it as their result, with any possible modifications made by that plugin included. If a plugin makes no changes that would be reflected in the _Success result_ type, then it must output a result equivalent to the provided `prevResult`.
546
+
498
547
#### Delegated plugins (IPAM)
499
548
Delegated plugins may omit irrelevant sections.
500
549
501
550
Delegated IPAM plugins must return an abbreviated _Success_ object. Specifically, it is missing the `interfaces` array, as well as the `interface` entry in `ips`.
502
551
503
552
553
+
### VERSION Success
554
+
555
+
Plugins must output a JSON object with the following keys upon a `VERSION` operation:
556
+
557
+
-`cniVersion`: The value of `cniVersion` specified on input
558
+
-`supportedVersions`: A list of supported specification versions
0 commit comments