podman: add support for specifying MAC

Makefile

@@ -522,6 +522,9 @@ vendor:
 		$(GO) mod vendor && \
 		$(GO) mod verify
 
+vendor-in-container:
+	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.12 make vendor
+
 .PHONY: \
 	.gopathok \
 	binaries \

cmd/podman/cliconfig/config.go

@@ -467,14 +467,15 @@ type RestartValues struct {
 
 type RestoreValues struct {
 	PodmanCommand
-	All            bool
-	Keep           bool
-	Latest         bool
-	TcpEstablished bool
-	Import         string
-	Name           string
-	IgnoreRootfs   bool
-	IgnoreStaticIP bool
+	All             bool
+	Keep            bool
+	Latest          bool
+	TcpEstablished  bool
+	Import          string
+	Name            string
+	IgnoreRootfs    bool
+	IgnoreStaticIP  bool
+	IgnoreStaticMAC bool
 }
 
 type RmValues struct {

cmd/podman/common.go

@@ -328,7 +328,7 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
 	)
 	createFlags.String(
 		"mac-address", "",
-		"Container MAC address (e.g. 92:d0:c6:0a:29:33), not currently supported",
+		"Container MAC address (e.g. 92:d0:c6:0a:29:33)",
 	)
 	createFlags.StringP(
 		"memory", "m", "",

cmd/podman/restore.go

@@ -47,6 +47,7 @@ func init() {
 	flags.StringVarP(&restoreCommand.Name, "name", "n", "", "Specify new name for container restored from exported checkpoint (only works with --import)")
 	flags.BoolVar(&restoreCommand.IgnoreRootfs, "ignore-rootfs", false, "Do not apply root file-system changes when importing from exported checkpoint")
 	flags.BoolVar(&restoreCommand.IgnoreStaticIP, "ignore-static-ip", false, "Ignore IP address set via --static-ip")
+	flags.BoolVar(&restoreCommand.IgnoreStaticMAC, "ignore-static-mac", false, "Ignore MAC address set via --mac-address")
 
 	markFlagHiddenForRemoteClient("latest", flags)
 }

cmd/podman/shared/create.go

@@ -336,10 +336,6 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		return nil, err
 	}
 
-	if c.String("mac-address") != "" {
-		return nil, errors.Errorf("--mac-address option not currently supported")
-	}
-
 	imageID := ""
 
 	inputCommand = c.InputArgs[1:]

cni/87-podman-bridge.conflist

@@ -33,6 +33,9 @@
 	{
             "type": "firewall",
 	    "backend": "iptables"
+	},
+	{
+            "type": "tuning"
 	}
     ]
 }

completions/bash/podman

@@ -877,6 +877,7 @@ _podman_container_restore() {
 	  --tcp-established
 	  --ignore-rootfs
 	  --ignore-static-ip
+	  --ignore-static-mac
      "
      case "$prev" in
         -i|--import)

docs/source/markdown/podman-container-restore.1.md

@@ -76,6 +76,15 @@ a container is restored multiple times from an exported checkpoint with **--name
 Using **--ignore-static-ip** tells Podman to ignore the IP address if it was configured
 with **--ip** during container creation.
 
+**--ignore-static-mac**
+
+If the container was started with **--mac-address** the restored container also
+tries to use that MAC address and restore fails if that MAC address is already
+in use. This can happen, if a container is restored multiple times from an
+exported checkpoint with **--name, -n**.
+
+Using **--ignore-static-mac** tells Podman to ignore the MAC address if it was
+configured with **--mac-address** during container creation.
 ## EXAMPLE
 
 podman container restore mywebserver

go.mod

@@ -9,15 +9,15 @@ require (
 	github.com/checkpoint-restore/go-criu v0.0.0-20190109184317-bdb7599cd87b
 	github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd // indirect
 	github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect
-	github.com/containernetworking/cni v0.7.1
+	github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784
 	github.com/containernetworking/plugins v0.8.2
 	github.com/containers/buildah v1.11.5-0.20191031204705-20e92ffe0982
 	github.com/containers/image/v5 v5.0.0
 	github.com/containers/psgo v1.3.2
 	github.com/containers/storage v1.13.5
 	github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f
 	github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f // indirect
-	github.com/cri-o/ocicni v0.1.1-0.20190702175919-7762645d18ca
+	github.com/cri-o/ocicni v0.1.1-0.20190920040751-deac903fd99b
 	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/davecgh/go-spew v1.1.1
 	github.com/docker/distribution v2.7.1+incompatible

go.sum

@@ -53,6 +53,8 @@ github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL
 github.com/containernetworking/cni v0.7.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
 github.com/containernetworking/cni v0.7.1 h1:fE3r16wpSEyaqY4Z4oFrLMmIGfBYIKpPrHK31EJ9FzE=
 github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784 h1:rqUVLD8I859xRgUx/WMC3v7QAFqbLKZbs+0kqYboRJc=
+github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
 github.com/containernetworking/plugins v0.8.2 h1:5lnwfsAYO+V7yXhysJKy3E1A2Gy9oVut031zfdOzI9w=
 github.com/containernetworking/plugins v0.8.2/go.mod h1:TxALKWZpWL79BC3GOYKJzzXr7U8R23PdhwaLp6F3adc=
 github.com/containers/buildah v1.11.4-0.20191028173731-21b4778b359e h1:iDavHEx5Yr7o+0l6495Ya6N0YEPplIUZuWC2e14baDM=
@@ -83,6 +85,8 @@ github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfc
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/cri-o/ocicni v0.1.1-0.20190702175919-7762645d18ca h1:CJstDqYy9ClWuPcDHMTCAiUS+ckekluYetGR2iYYWuo=
 github.com/cri-o/ocicni v0.1.1-0.20190702175919-7762645d18ca/go.mod h1:BO0al9TKber3XUTucLzKgoG5sq8qiOB41H7zSdfw6r8=
+github.com/cri-o/ocicni v0.1.1-0.20190920040751-deac903fd99b h1:SgS+WV10y2Bubuy2HquSBori6DXj9sqRN77Hgs5H7Qc=
+github.com/cri-o/ocicni v0.1.1-0.20190920040751-deac903fd99b/go.mod h1:ZOuIEOp/3MB1eCBWANnNxM3zUA3NWh76wSRCsnKAg2c=
 github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ=

libpod/container.go

@@ -138,6 +138,10 @@ type Container struct {
 	// being checkpointed. If requestedIP is set it will be used instead
 	// of config.StaticIP.
 	requestedIP net.IP
+	// A restored container should have the same MAC address as before
+	// being checkpointed. If requestedMAC is set it will be used instead
+	// of config.StaticMAC.
+	requestedMAC net.HardwareAddr
 
 	// This is true if a container is restored from a checkpoint.
 	restoreFromCheckpoint bool
@@ -296,6 +300,10 @@ type ContainerConfig struct {
 	// This cannot be set unless CreateNetNS is set.
 	// If not set, the container will be dynamically assigned an IP by CNI.
 	StaticIP net.IP `json:"staticIP"`
+	// StaticMAC is a static MAC to request for the container.
+	// This cannot be set unless CreateNetNS is set.
+	// If not set, the container will be dynamically assigned a MAC by CNI.
+	StaticMAC net.HardwareAddr `json:"staticMAC"`
 	// PortMappings are the ports forwarded to the container's network
 	// namespace
 	// These are not used unless CreateNetNS is true

libpod/container_api.go

@@ -794,6 +794,11 @@ type ContainerCheckpointOptions struct {
 	// important to be able to restore a container multiple
 	// times with '--import --name'.
 	IgnoreStaticIP bool
+	// IgnoreStaticMAC tells the API to ignore the MAC set
+	// during 'podman run' with '--mac-address'. This is especially
+	// important to be able to restore a container multiple
+	// times with '--import --name'.
+	IgnoreStaticMAC bool
 }
 
 // Checkpoint checkpoints a container

libpod/container_internal_linux.go

@@ -794,6 +794,15 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti
 		c.config.StaticIP = nil
 	}
 
+	// If a container is restored multiple times from an exported checkpoint with
+	// the help of '--import --name', the restore will fail if during 'podman run'
+	// a static container MAC address was set with '--mac-address'. The user
+	// can tell the restore process to ignore the static MAC with
+	// '--ignore-static-mac'
+	if options.IgnoreStaticMAC {
+		c.config.StaticMAC = nil
+	}
+
 	// Read network configuration from checkpoint
 	// Currently only one interface with one IP is supported.
 	networkStatusFile, err := os.Open(filepath.Join(c.bundlePath(), "network.status"))
@@ -803,9 +812,9 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti
 	// TODO: This implicit restoring with or without IP depending on an
 	//       unrelated restore parameter (--name) does not seem like the
 	//       best solution.
-	if err == nil && options.Name == "" && !options.IgnoreStaticIP {
+	if err == nil && options.Name == "" && (!options.IgnoreStaticIP || !options.IgnoreStaticMAC) {
 		// The file with the network.status does exist. Let's restore the
-		// container with the same IP address as during checkpointing.
+		// container with the same IP address / MAC address as during checkpointing.
 		defer networkStatusFile.Close()
 		var networkStatus []*cnitypes.Result
 		networkJSON, err := ioutil.ReadAll(networkStatusFile)
@@ -815,16 +824,35 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti
 		if err := json.Unmarshal(networkJSON, &networkStatus); err != nil {
 			return err
 		}
-		// Take the first IP address
-		var IP net.IP
-		if len(networkStatus) > 0 {
-			if len(networkStatus[0].IPs) > 0 {
-				IP = networkStatus[0].IPs[0].Address.IP
+		if !options.IgnoreStaticIP {
+			// Take the first IP address
+			var IP net.IP
+			if len(networkStatus) > 0 {
+				if len(networkStatus[0].IPs) > 0 {
+					IP = networkStatus[0].IPs[0].Address.IP
+				}
+			}
+			if IP != nil {
+				// Tell CNI which IP address we want.
+				c.requestedIP = IP
 			}
 		}
-		if IP != nil {
-			// Tell CNI which IP address we want.
-			c.requestedIP = IP
+		if !options.IgnoreStaticMAC {
+			// Take the first device with a defined sandbox.
+			var MAC net.HardwareAddr
+			for _, n := range networkStatus[0].Interfaces {
+				if n.Sandbox != "" {
+					MAC, err = net.ParseMAC(n.Mac)
+					if err != nil {
+						return errors.Wrapf(err, "failed to parse MAC %v", n.Mac)
+					}
+					break
+				}
+			}
+			if MAC != nil {
+				// Tell CNI which MAC address we want.
+				c.requestedMAC = MAC
+			}
 		}
 	}
 
@@ -1314,7 +1342,7 @@ func (c *Container) copyOwnerAndPerms(source, dest string) error {
 // Teardown CNI config on refresh
 func (c *Container) refreshCNI() error {
 	// Let's try and delete any lingering network config...
-	podNetwork := c.runtime.getPodNetwork(c.ID(), c.config.Name, "", c.config.Networks, c.config.PortMappings, c.config.StaticIP)
+	podNetwork := c.runtime.getPodNetwork(c.ID(), c.config.Name, "", c.config.Networks, c.config.PortMappings, c.config.StaticIP, c.config.StaticMAC)
 	return c.runtime.netPlugin.TearDownPod(podNetwork)
 }
 

libpod/networking_linux.go

@@ -28,23 +28,34 @@ import (
 )
 
 // Get an OCICNI network config
-func (r *Runtime) getPodNetwork(id, name, nsPath string, networks []string, ports []ocicni.PortMapping, staticIP net.IP) ocicni.PodNetwork {
+func (r *Runtime) getPodNetwork(id, name, nsPath string, networks []string, ports []ocicni.PortMapping, staticIP net.IP, staticMAC net.HardwareAddr) ocicni.PodNetwork {
 	defaultNetwork := r.netPlugin.GetDefaultNetworkName()
 	network := ocicni.PodNetwork{
 		Name:      name,
 		Namespace: name, // TODO is there something else we should put here? We don't know about Kube namespaces
 		ID:        id,
 		NetNS:     nsPath,
-		Networks:  networks,
 		RuntimeConfig: map[string]ocicni.RuntimeConfig{
 			defaultNetwork: {PortMappings: ports},
 		},
 	}
 
-	if staticIP != nil {
-		network.Networks = []string{defaultNetwork}
+	if staticIP != nil || staticMAC != nil {
+		network.Networks = []ocicni.NetAttachment{{Name: defaultNetwork}}
+		var rt ocicni.RuntimeConfig = ocicni.RuntimeConfig{PortMappings: ports}
+		if staticIP != nil {
+			rt.IP = staticIP.String()
+		}
+		if staticMAC != nil {
+			rt.MAC = staticMAC.String()
+		}
 		network.RuntimeConfig = map[string]ocicni.RuntimeConfig{
-			defaultNetwork: {IP: staticIP.String(), PortMappings: ports},
+			defaultNetwork: rt,
+		}
+	} else {
+		network.Networks = make([]ocicni.NetAttachment, len(networks))
+		for i, netName := range networks {
+			network.Networks[i].Name = netName
 		}
 	}
 
@@ -62,7 +73,16 @@ func (r *Runtime) configureNetNS(ctr *Container, ctrNS ns.NetNS) ([]*cnitypes.Re
 		requestedIP = ctr.config.StaticIP
 	}
 
-	podNetwork := r.getPodNetwork(ctr.ID(), ctr.Name(), ctrNS.Path(), ctr.config.Networks, ctr.config.PortMappings, requestedIP)
+	var requestedMAC net.HardwareAddr
+	if ctr.requestedMAC != nil {
+		requestedMAC = ctr.requestedMAC
+		// cancel request for a specific MAC in case the container is reused later
+		ctr.requestedMAC = nil
+	} else {
+		requestedMAC = ctr.config.StaticMAC
+	}
+
+	podNetwork := r.getPodNetwork(ctr.ID(), ctr.Name(), ctrNS.Path(), ctr.config.Networks, ctr.config.PortMappings, requestedIP, requestedMAC)
 
 	results, err := r.netPlugin.SetUpPod(podNetwork)
 	if err != nil {
@@ -78,10 +98,10 @@ func (r *Runtime) configureNetNS(ctr *Container, ctrNS ns.NetNS) ([]*cnitypes.Re
 
 	networkStatus := make([]*cnitypes.Result, 0)
 	for idx, r := range results {
-		logrus.Debugf("[%d] CNI result: %v", idx, r.String())
-		resultCurrent, err := cnitypes.GetResult(r)
+		logrus.Debugf("[%d] CNI result: %v", idx, r.Result.String())
+		resultCurrent, err := cnitypes.GetResult(r.Result)
 		if err != nil {
-			return nil, errors.Wrapf(err, "error parsing CNI plugin result %q: %v", r.String(), err)
+			return nil, errors.Wrapf(err, "error parsing CNI plugin result %q: %v", r.Result.String(), err)
 		}
 		networkStatus = append(networkStatus, resultCurrent)
 	}
@@ -443,7 +463,16 @@ func (r *Runtime) teardownNetNS(ctr *Container) error {
 			requestedIP = ctr.config.StaticIP
 		}
 
-		podNetwork := r.getPodNetwork(ctr.ID(), ctr.Name(), ctr.state.NetNS.Path(), ctr.config.Networks, ctr.config.PortMappings, requestedIP)
+		var requestedMAC net.HardwareAddr
+		if ctr.requestedMAC != nil {
+			requestedMAC = ctr.requestedMAC
+			// cancel request for a specific MAC in case the container is reused later
+			ctr.requestedMAC = nil
+		} else {
+			requestedMAC = ctr.config.StaticMAC
+		}
+
+		podNetwork := r.getPodNetwork(ctr.ID(), ctr.Name(), ctr.state.NetNS.Path(), ctr.config.Networks, ctr.config.PortMappings, requestedIP, requestedMAC)
 
 		if err := r.netPlugin.TearDownPod(podNetwork); err != nil {
 			return errors.Wrapf(err, "error tearing down CNI namespace configuration for container %s", ctr.ID())

libpod/options.go

@@ -1052,6 +1052,31 @@ func WithStaticIP(ip net.IP) CtrCreateOption {
 	}
 }
 
+// WithStaticMAC indicates that the container should request a static MAC from
+// the CNI plugins.
+// It cannot be set unless WithNetNS has already been passed.
+// Further, it cannot be set if additional CNI networks to join have been
+// specified.
+func WithStaticMAC(mac net.HardwareAddr) CtrCreateOption {
+	return func(ctr *Container) error {
+		if ctr.valid {
+			return define.ErrCtrFinalized
+		}
+
+		if !ctr.config.CreateNetNS {
+			return errors.Wrapf(define.ErrInvalidArg, "cannot set a static MAC if the container is not creating a network namespace")
+		}
+
+		if len(ctr.config.Networks) != 0 {
+			return errors.Wrapf(define.ErrInvalidArg, "cannot set a static MAC if joining additional CNI networks")
+		}
+
+		ctr.config.StaticMAC = mac
+
+		return nil
+	}
+}
+
 // WithLogDriver sets the log driver for the container
 func WithLogDriver(driver string) CtrCreateOption {
 	return func(ctr *Container) error {

pkg/adapter/containers.go

@@ -547,12 +547,13 @@ func (r *LocalRuntime) Restore(ctx context.Context, c *cliconfig.RestoreValues)
 	)
 
 	options := libpod.ContainerCheckpointOptions{
-		Keep:           c.Keep,
-		TCPEstablished: c.TcpEstablished,
-		TargetFile:     c.Import,
-		Name:           c.Name,
-		IgnoreRootfs:   c.IgnoreRootfs,
-		IgnoreStaticIP: c.IgnoreStaticIP,
+		Keep:            c.Keep,
+		TCPEstablished:  c.TcpEstablished,
+		TargetFile:      c.Import,
+		Name:            c.Name,
+		IgnoreRootfs:    c.IgnoreRootfs,
+		IgnoreStaticIP:  c.IgnoreStaticIP,
+		IgnoreStaticMAC: c.IgnoreStaticMAC,
 	}
 
 	filterFuncs = append(filterFuncs, func(c *libpod.Container) bool {