specs-go,cdi: implement NetDevice injection.

klihub · klihub · commit c5a3a6225060 · 2025-11-26T16:39:51.000+02:00
Implement OCI Spec (Linux) NetDevice injection.

Signed-off-by: Krisztian Litkey &lt;krisztian.litkey@intel.com&gt;
diff --git a/pkg/cdi/container-edits.go b/pkg/cdi/container-edits.go
@@ -113,6 +113,14 @@ func (e *ContainerEdits) Apply(spec *oci.Spec) error {
 		}
 	}
 
+	if len(e.NetDevices) > 0 {
+		// specgen is currently missing functionality to set Linux NetDevices,
+		// so we use a locally rolled function for now.
+		for _, dev := range e.NetDevices {
+			specgenAddLinuxNetDevice(&specgen, dev.HostInterfaceName, (&LinuxNetDevice{dev}).toOCI())
+		}
+	}
+
 	if len(e.Mounts) > 0 {
 		for _, m := range e.Mounts {
 			specgen.RemoveMount(m.ContainerPath)
@@ -162,6 +170,24 @@ func (e *ContainerEdits) Apply(spec *oci.Spec) error {
 	return nil
 }
 
+func specgenAddLinuxNetDevice(specgen *ocigen.Generator, hostIf string, netDev *oci.LinuxNetDevice) {
+	if specgen == nil || netDev == nil {
+		return
+	}
+	ensureLinuxNetDevices(specgen.Config)
+	specgen.Config.Linux.NetDevices[hostIf] = *netDev
+}
+
+// Ensure OCI Spec Linux NetDevices map is not nil.
+func ensureLinuxNetDevices(spec *oci.Spec) {
+	if spec.Linux == nil {
+		spec.Linux = &oci.Linux{}
+	}
+	if spec.Linux.NetDevices == nil {
+		spec.Linux.NetDevices = map[string]oci.LinuxNetDevice{}
+	}
+}
+
 // Validate container edits.
 func (e *ContainerEdits) Validate() error {
 	if e == nil || e.ContainerEdits == nil {
@@ -191,6 +217,9 @@ func (e *ContainerEdits) Validate() error {
 			return err
 		}
 	}
+	if err := ValidateNetDevices(e.NetDevices); err != nil {
+		return err
+	}
 
 	return nil
 }
@@ -210,6 +239,7 @@ func (e *ContainerEdits) Append(o *ContainerEdits) *ContainerEdits {
 
 	e.Env = append(e.Env, o.Env...)
 	e.DeviceNodes = append(e.DeviceNodes, o.DeviceNodes...)
+	e.NetDevices = append(e.NetDevices, o.NetDevices...)
 	e.Hooks = append(e.Hooks, o.Hooks...)
 	e.Mounts = append(e.Mounts, o.Mounts...)
 	if o.IntelRdt != nil {
@@ -244,6 +274,9 @@ func (e *ContainerEdits) isEmpty() bool {
 	if e.IntelRdt != nil {
 		return false
 	}
+	if len(e.NetDevices) > 0 {
+		return false
+	}
 	return true
 }
 
@@ -257,6 +290,49 @@ func ValidateEnv(env []string) error {
 	return nil
 }
 
+// ValidateNetDevices validates the given net devices.
+func ValidateNetDevices(devices []*cdi.LinuxNetDevice) error {
+	var (
+		hostSeen = map[string]string{}
+		nameSeen = map[string]string{}
+	)
+
+	for _, dev := range devices {
+		if err := (&LinuxNetDevice{dev}).Validate(); err != nil {
+			return err
+		}
+		if other, ok := hostSeen[dev.HostInterfaceName]; ok {
+			return fmt.Errorf("invalid linux net device, duplicate HostInterfaceName %q with names %q and %q",
+				dev.HostInterfaceName, dev.Name, other)
+		}
+		hostSeen[dev.HostInterfaceName] = dev.Name
+
+		if other, ok := nameSeen[dev.Name]; ok {
+			return fmt.Errorf("invalid linux net device, duplicate Name %q with HostInterfaceName %q and %q",
+				dev.Name, dev.HostInterfaceName, other)
+		}
+		nameSeen[dev.Name] = dev.HostInterfaceName
+	}
+
+	return nil
+}
+
+// LinuxNetDevice is a CDI Spec LinuxNetDevice wrapper, used for OCI conversion and validating.
+type LinuxNetDevice struct {
+	*cdi.LinuxNetDevice
+}
+
+// Validate LinuxNetDevice.
+func (d *LinuxNetDevice) Validate() error {
+	if d.HostInterfaceName == "" {
+		return errors.New("invalid linux net device, empty HostInterfaceName")
+	}
+	if d.Name == "" {
+		return errors.New("invalid linux net device, empty Name")
+	}
+	return nil
+}
+
 // DeviceNode is a CDI Spec DeviceNode wrapper, used for validating DeviceNodes.
 type DeviceNode struct {
 	*cdi.DeviceNode
diff --git a/pkg/cdi/container-edits_test.go b/pkg/cdi/container-edits_test.go
@@ -299,6 +299,41 @@ func TestValidateContainerEdits(t *testing.T) {
 			},
 			invalid: true,
 		},
+		{
+			name: "valid Linux net device",
+			edits: &cdi.ContainerEdits{
+				NetDevices: []*cdi.LinuxNetDevice{
+					{
+						HostInterfaceName: "eno1",
+						Name:              "netdev0",
+					},
+				},
+			},
+		},
+		{
+			name: "invalid Linux net device, empty host interface name",
+			edits: &cdi.ContainerEdits{
+				NetDevices: []*cdi.LinuxNetDevice{
+					{
+						HostInterfaceName: "",
+						Name:              "netdev0",
+					},
+				},
+			},
+			invalid: true,
+		},
+		{
+			name: "invalid Linux net device, empty container interface name",
+			edits: &cdi.ContainerEdits{
+				NetDevices: []*cdi.LinuxNetDevice{
+					{
+						HostInterfaceName: "eno1",
+						Name:              "",
+					},
+				},
+			},
+			invalid: true,
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			edits := ContainerEdits{tc.edits}
@@ -587,6 +622,70 @@ func TestApplyContainerEdits(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "empty spec, Linux net devices",
+			spec: &oci.Spec{},
+			edits: &cdi.ContainerEdits{
+				NetDevices: []*cdi.LinuxNetDevice{
+					{
+						HostInterfaceName: "eno1",
+						Name:              "netdev0",
+					},
+					{
+						HostInterfaceName: "eno2",
+						Name:              "netdev1",
+					},
+				},
+			},
+			result: &oci.Spec{
+				Linux: &oci.Linux{
+					NetDevices: map[string]oci.LinuxNetDevice{
+						"eno1": {
+							Name: "netdev0",
+						},
+						"eno2": {
+							Name: "netdev1",
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "non-empty spec, overriding Linux net devices",
+			spec: &oci.Spec{
+				Linux: &oci.Linux{
+					NetDevices: map[string]oci.LinuxNetDevice{
+						"eno1": {
+							Name: "netdev1",
+						},
+					},
+				},
+			},
+			edits: &cdi.ContainerEdits{
+				NetDevices: []*cdi.LinuxNetDevice{
+					{
+						HostInterfaceName: "eno1",
+						Name:              "netdev2",
+					},
+					{
+						HostInterfaceName: "eno2",
+						Name:              "netdev1",
+					},
+				},
+			},
+			result: &oci.Spec{
+				Linux: &oci.Linux{
+					NetDevices: map[string]oci.LinuxNetDevice{
+						"eno1": {
+							Name: "netdev2",
+						},
+						"eno2": {
+							Name: "netdev1",
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "additional GIDs are applied",
 			spec: &oci.Spec{},
diff --git a/pkg/cdi/oci.go b/pkg/cdi/oci.go
@@ -63,3 +63,10 @@ func (i *IntelRdt) toOCI() *spec.LinuxIntelRdt {
 		EnableMonitoring: i.EnableMonitoring,
 	}
 }
+
+// toOCI returns the opencontainers runtime Spec LinuxNetDevice for this LinuxNetDevice.
+func (d *LinuxNetDevice) toOCI() *spec.LinuxNetDevice {
+	return &spec.LinuxNetDevice{
+		Name: d.Name,
+	}
+}
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -24,12 +24,13 @@ type Device struct {
 
 // ContainerEdits are edits a container runtime must make to the OCI spec to expose the device.
 type ContainerEdits struct {
-	Env            []string      `json:"env,omitempty"            yaml:"env,omitempty"`
-	DeviceNodes    []*DeviceNode `json:"deviceNodes,omitempty"    yaml:"deviceNodes,omitempty"`
-	Hooks          []*Hook       `json:"hooks,omitempty"          yaml:"hooks,omitempty"`
-	Mounts         []*Mount      `json:"mounts,omitempty"         yaml:"mounts,omitempty"`
-	IntelRdt       *IntelRdt     `json:"intelRdt,omitempty"       yaml:"intelRdt,omitempty"`       // Added in v0.7.0
-	AdditionalGIDs []uint32      `json:"additionalGids,omitempty" yaml:"additionalGids,omitempty"` // Added in v0.7.0
+	Env            []string          `json:"env,omitempty"            yaml:"env,omitempty"`
+	DeviceNodes    []*DeviceNode     `json:"deviceNodes,omitempty"    yaml:"deviceNodes,omitempty"`
+	NetDevices     []*LinuxNetDevice `json:"netDevices,omitempty"     yaml:"netDevices,omitempty"` // Added in v1.1.0
+	Hooks          []*Hook           `json:"hooks,omitempty"          yaml:"hooks,omitempty"`
+	Mounts         []*Mount          `json:"mounts,omitempty"         yaml:"mounts,omitempty"`
+	IntelRdt       *IntelRdt         `json:"intelRdt,omitempty"       yaml:"intelRdt,omitempty"`       // Added in v0.7.0
+	AdditionalGIDs []uint32          `json:"additionalGids,omitempty" yaml:"additionalGids,omitempty"` // Added in v0.7.0
 }
 
 // DeviceNode represents a device node that needs to be added to the OCI spec.
@@ -70,3 +71,9 @@ type IntelRdt struct {
 	Schemata         []string `json:"schemata,omitempty"         yaml:"schemata,omitempty"`
 	EnableMonitoring bool     `json:"enableMonitoring,omitempty" yaml:"enableMonitoring,omitempty"`
 }
+
+// LinuxNetDevice represents an OCI LinuxNetDevice to be added to the OCI Spec.
+type LinuxNetDevice struct {
+	HostInterfaceName string `json:"hostInterfaceName" yaml:"hostInterfaceName"`
+	Name              string `json:"name"   yaml:"name"`
+}

Original file line number	Diff line number	Diff line change
`@@ -63,3 +63,10 @@ func (i IntelRdt) toOCI() spec.LinuxIntelRdt {`
`63`	`63`	`EnableMonitoring: i.EnableMonitoring,`
`64`	`64`	`}`
`65`	`65`	`}`
	`66`	`+`
	`67`	`+// toOCI returns the opencontainers runtime Spec LinuxNetDevice for this LinuxNetDevice.`
	`68`	`+func (d LinuxNetDevice) toOCI() spec.LinuxNetDevice {`
	`69`	`+ return &spec.LinuxNetDevice{`
	`70`	`+ Name: d.Name,`
	`71`	`+ }`
	`72`	`+}`