Support --subnet in network create by siikamiika · Pull Request #737

Support --subnet in network create by siikamiika · Pull Request #737 · apple/container

Explaining the process to myself to make sure I understand it:

user runs container network create ...
ClientNetwork.create is called with a NetworkConfiguration struct
XPC message with JSON serialized NetworkConfiguration is sent to com.apple.container.apiserver
NetworksService.create receives the NetworkConfiguration after it's parsed
- registerService registers the configuration with launchd and also checks if there are overlapping networks in other configurations
- NetworkClient checks if the network was created
- if successful, configuration is persisted in filesystem

I don't think it's checking if any existing networks for interfaces like LAN or VPN overlap the created network. ~~Actually I don't even know if the default mode where a new /24 network is picked next to the previous (starting from the default 192.168.64.0/24 and going through 65, 66, ...) handles this~~, but it's not relevant for these changes.

Who's responsible for making sure container networks don't overlap with other networks?

user
container
- which component?
vmnet_network_create
kernel
something else?

If it's the user, then this change should be ok in my opinion, but there could be a bug in the default mode where the network address is chosen automatically ~~(sorry didn't have time to verify this)~~.

If it's container, getifaddrs could maybe be used to query active networks and compared to the new configuration. But how early should it be caught? Client or server?

The rest are out of my reach.

edit: verified automatically addressed container networks can also overlap existing ones not created by it:

> container network create auto1
auto1
> container network create auto2
auto2
> container run --rm -it --network auto2 debian

> container network ls
NETWORK  STATE    SUBNET
auto2    running  192.168.66.0/24
default  running  192.168.64.0/24
auto1    running  192.168.65.0/24

(en12 is a usb ethernet adapter connected to a router and bridge100 is the vmnet bridge)

en12: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=404<VLAN_MTU,CHANNEL_IO>
        ether xx:xx:xx:xx:xx:xx
        inet 192.168.66.238 netmask 0xffffff00 broadcast 192.168.66.255
        media: autoselect (1000baseT <full-duplex>)
        status: active
bridge100: flags=8a63<UP,BROADCAST,SMART,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        options=63<RXCSUM,TXCSUM,TSO4,TSO6>
        ether xx:xx:xx:xx:xx:xx
        inet 192.168.66.1 netmask 0xffffff00 broadcast 192.168.66.255
        media: autoselect
        status: active

en12 network was unavailable while bridge100 was active but came back when I stopped the container and bridge100 disappeared.