network/port driver build tags support

fahedouch · fahedouch · commit b123542516cc · 2025-10-08T16:18:57.000+02:00
Signed-off-by: fahed dorgaa &lt;fahed.dorgaa@gmail.com&gt;
diff --git a/docs/network.md b/docs/network.md
@@ -267,3 +267,29 @@ The `--detach-netns` flag (since v2.0.0) detaches network namespaces into `$ROOT
 and executes the child command in the host's network namespace.
 
 The child command can enter `$ROOTLESSKIT_STATE_DIR/netns` by itself to create nested network namespaces.
+
+
+## Build tags to omit drivers
+
+To exclude specific drivers at compilation time, use Go build tags:
+
+- Tag no_vpnkit: omits the VPNKit network driver implementation.
+- Tag no_gvisortapvsock: omits the gvisor-tap-vsock network driver implementation and its port driver.
+- Tag no_slirp4netns: omits the slirp4netns network driver implementation and its port driver.
+- Tag no_lxcusernic: omits the lxc-user-nic network driver implementation.
+
+Examples:
+
+- Build without VPNKit support:
+  go build -tags no_vpnkit ./cmd/rootlesskit
+
+- Build without gvisor-tap-vsock support (also disables the gvisor-tap-vsock port driver):
+  go build -tags no_gvisortapvsock ./cmd/rootlesskit
+
+- Build without slirp4netns support (also disables the slirp4netns port driver):
+  go build -tags no_slirp4netns ./cmd/rootlesskit
+
+- Build without lxc-user-nic support:
+  go build -tags no_lxcusernic ./cmd/rootlesskit
+
+If a disabled driver is selected at runtime (e.g., --net=vpnkit when built with -tags no_vpnkit), RootlessKit returns an error indicating that the driver was disabled at build time.
diff --git a/pkg/network/gvisortapvsock/gvisortapvsock.go b/pkg/network/gvisortapvsock/gvisortapvsock.go
@@ -1,3 +1,6 @@
+//go:build !no_gvisortapvsock
+// +build !no_gvisortapvsock
+
 package gvisortapvsock
 
 import (
@@ -96,6 +99,13 @@ func (d *parentDriver) MTU() int {
 	return d.mtu
 }
 
+// GetVirtualNetwork returns the virtual network used by this driver
+func (d *parentDriver) GetVirtualNetwork() *virtualnetwork.VirtualNetwork {
+	d.vnMu.RLock()
+	defer d.vnMu.RUnlock()
+	return d.vn
+}
+
 // setupNetworkConfig sets up the basic network configuration
 func (d *parentDriver) setupNetworkConfig() (ip string, gateway string, netmask int, err error) {
 
diff --git a/pkg/network/gvisortapvsock/gvisortapvsock_disabled.go b/pkg/network/gvisortapvsock/gvisortapvsock_disabled.go
@@ -0,0 +1,45 @@
+//go:build no_gvisortapvsock
+// +build no_gvisortapvsock
+
+package gvisortapvsock
+
+import (
+	"context"
+	"errors"
+	"io"
+	"net"
+
+	"github.com/rootless-containers/rootlesskit/v3/pkg/api"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/messages"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/network"
+)
+
+// NewParentDriver returns a stub when built with the no_gvisortapvsock tag.
+func NewParentDriver(logWriter io.Writer, mtu int, ipnet *net.IPNet, ifname string, disableHostLoopback bool, enableIPv6 bool) (network.ParentDriver, error) {
+	return &disabledParent{}, errors.New("gvisor-tap-vsock network driver disabled by build tag no_gvisortapvsock")
+}
+
+type disabledParent struct{}
+
+func (d *disabledParent) Info(ctx context.Context) (*api.NetworkDriverInfo, error) {
+	return nil, errors.New("gvisor-tap-vsock network driver disabled by build tag no_gvisortapvsock")
+}
+
+func (d *disabledParent) MTU() int { return 0 }
+
+func (d *disabledParent) ConfigureNetwork(childPID int, stateDir string, detachedNetNSPath string) (*messages.ParentInitNetworkDriverCompleted, func() error, error) {
+	return nil, func() error { return nil }, errors.New("gvisor-tap-vsock network driver disabled by build tag no_gvisortapvsock")
+}
+
+// NewChildDriver returns a stub when built with the no_gvisortapvsock tag.
+func NewChildDriver() network.ChildDriver { return &disabledChild{} }
+
+type disabledChild struct{}
+
+func (d *disabledChild) ChildDriverInfo() (*network.ChildDriverInfo, error) {
+	return &network.ChildDriverInfo{ConfiguresInterface: false}, nil
+}
+
+func (d *disabledChild) ConfigureNetworkChild(netmsg *messages.ParentInitNetworkDriverCompleted, detachedNetNSPath string) (string, error) {
+	return "", errors.New("gvisor-tap-vsock network driver disabled by build tag no_gvisortapvsock")
+}
diff --git a/pkg/network/lxcusernic/lxcusernic.go b/pkg/network/lxcusernic/lxcusernic.go
@@ -1,3 +1,6 @@
+//go:build !no_lxcusernic
+// +build !no_lxcusernic
+
 package lxcusernic
 
 import (
diff --git a/pkg/network/lxcusernic/lxcusernic_disabled.go b/pkg/network/lxcusernic/lxcusernic_disabled.go
@@ -0,0 +1,43 @@
+//go:build no_lxcusernic
+// +build no_lxcusernic
+
+package lxcusernic
+
+import (
+	"context"
+	"errors"
+
+	"github.com/rootless-containers/rootlesskit/v3/pkg/api"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/messages"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/network"
+)
+
+// NewParentDriver returns a stub when built with the no_lxcusernic tag.
+func NewParentDriver(binary string, mtu int, bridge string, ifname string) (network.ParentDriver, error) {
+	return &disabledParent{}, errors.New("lxc-user-nic network driver disabled by build tag no_lxcusernic")
+}
+
+type disabledParent struct{}
+
+func (d *disabledParent) Info(ctx context.Context) (*api.NetworkDriverInfo, error) {
+	return nil, errors.New("lxc-user-nic network driver disabled by build tag no_lxcusernic")
+}
+
+func (d *disabledParent) MTU() int { return 0 }
+
+func (d *disabledParent) ConfigureNetwork(childPID int, stateDir string, detachedNetNSPath string) (*messages.ParentInitNetworkDriverCompleted, func() error, error) {
+	return nil, func() error { return nil }, errors.New("lxc-user-nic network driver disabled by build tag no_lxcusernic")
+}
+
+// NewChildDriver returns a stub when built with the no_lxcusernic tag.
+func NewChildDriver() network.ChildDriver { return &disabledChild{} }
+
+type disabledChild struct{}
+
+func (d *disabledChild) ChildDriverInfo() (*network.ChildDriverInfo, error) {
+	return &network.ChildDriverInfo{ConfiguresInterface: false}, nil
+}
+
+func (d *disabledChild) ConfigureNetworkChild(netmsg *messages.ParentInitNetworkDriverCompleted, detachedNetNSPath string) (string, error) {
+	return "", errors.New("lxc-user-nic network driver disabled by build tag no_lxcusernic")
+}
diff --git a/pkg/network/slirp4netns/slirp4netns.go b/pkg/network/slirp4netns/slirp4netns.go
@@ -1,3 +1,6 @@
+//go:build !no_slirp4netns
+// +build !no_slirp4netns
+
 package slirp4netns
 
 import (
diff --git a/pkg/network/slirp4netns/slirp4netns_disabled.go b/pkg/network/slirp4netns/slirp4netns_disabled.go
@@ -0,0 +1,45 @@
+//go:build no_slirp4netns
+// +build no_slirp4netns
+
+package slirp4netns
+
+import (
+	"context"
+	"errors"
+	"io"
+	"net"
+
+	"github.com/rootless-containers/rootlesskit/v3/pkg/api"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/messages"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/network"
+)
+
+// NewParentDriver returns a stub when built with the no_slirp4netns tag.
+func NewParentDriver(logWriter io.Writer, binary string, mtu int, ipnet *net.IPNet, ifname string, disableHostLoopback bool, apiSocketPath string, enableSandbox bool, enableSeccomp bool, enableIPv6 bool) (network.ParentDriver, error) {
+	return &disabledParent{}, errors.New("slirp4netns network driver disabled by build tag no_slirp4netns")
+}
+
+type disabledParent struct{}
+
+func (d *disabledParent) Info(ctx context.Context) (*api.NetworkDriverInfo, error) {
+	return nil, errors.New("slirp4netns network driver disabled by build tag no_slirp4netns")
+}
+
+func (d *disabledParent) MTU() int { return 0 }
+
+func (d *disabledParent) ConfigureNetwork(childPID int, stateDir string, detachedNetNSPath string) (*messages.ParentInitNetworkDriverCompleted, func() error, error) {
+	return nil, func() error { return nil }, errors.New("slirp4netns network driver disabled by build tag no_slirp4netns")
+}
+
+// NewChildDriver returns a stub when built with the no_slirp4netns tag.
+func NewChildDriver() network.ChildDriver { return &disabledChild{} }
+
+type disabledChild struct{}
+
+func (d *disabledChild) ChildDriverInfo() (*network.ChildDriverInfo, error) {
+	return &network.ChildDriverInfo{ConfiguresInterface: false}, nil
+}
+
+func (d *disabledChild) ConfigureNetworkChild(netmsg *messages.ParentInitNetworkDriverCompleted, detachedNetNSPath string) (string, error) {
+	return "", errors.New("slirp4netns network driver disabled by build tag no_slirp4netns")
+}
diff --git a/pkg/network/vpnkit/vpnkit.go b/pkg/network/vpnkit/vpnkit.go
@@ -1,3 +1,6 @@
+//go:build !no_vpnkit
+// +build !no_vpnkit
+
 package vpnkit
 
 import (
diff --git a/pkg/network/vpnkit/vpnkit_disabled.go b/pkg/network/vpnkit/vpnkit_disabled.go
@@ -0,0 +1,43 @@
+//go:build no_vpnkit
+// +build no_vpnkit
+
+package vpnkit
+
+import (
+	"context"
+	"errors"
+
+	"github.com/rootless-containers/rootlesskit/v3/pkg/api"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/messages"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/network"
+)
+
+// NewParentDriver returns a stub when built with the no_vpnkit tag.
+func NewParentDriver(binary string, mtu int, ifname string, disableHostLoopback bool) network.ParentDriver {
+	return &disabledParent{}
+}
+
+type disabledParent struct{}
+
+func (d *disabledParent) Info(ctx context.Context) (*api.NetworkDriverInfo, error) {
+	return nil, errors.New("vpnkit network driver disabled by build tag no_vpnkit")
+}
+
+func (d *disabledParent) MTU() int { return 0 }
+
+func (d *disabledParent) ConfigureNetwork(childPID int, stateDir, detachedNetNSPath string) (*messages.ParentInitNetworkDriverCompleted, func() error, error) {
+	return nil, func() error { return nil }, errors.New("vpnkit network driver disabled by build tag no_vpnkit")
+}
+
+// NewChildDriver returns a stub when built with the no_vpnkit tag.
+func NewChildDriver() network.ChildDriver { return &disabledChild{} }
+
+type disabledChild struct{}
+
+func (d *disabledChild) ChildDriverInfo() (*network.ChildDriverInfo, error) {
+	return &network.ChildDriverInfo{ConfiguresInterface: false}, nil
+}
+
+func (d *disabledChild) ConfigureNetworkChild(netmsg *messages.ParentInitNetworkDriverCompleted, detachedNetNSPath string) (string, error) {
+	return "", errors.New("vpnkit network driver disabled by build tag no_vpnkit")
+}
diff --git a/pkg/port/gvisortapvsock/gvisortapvsock.go b/pkg/port/gvisortapvsock/gvisortapvsock.go
@@ -1,3 +1,6 @@
+//go:build !no_gvisortapvsock
+// +build !no_gvisortapvsock
+
 package gvisortapvsock
 
 import (
diff --git a/pkg/port/gvisortapvsock/gvisortapvsock_disabled.go b/pkg/port/gvisortapvsock/gvisortapvsock_disabled.go
@@ -0,0 +1,51 @@
+//go:build no_gvisortapvsock
+// +build no_gvisortapvsock
+
+package gvisortapvsock
+
+import (
+	"context"
+	"errors"
+	"io"
+
+	"github.com/rootless-containers/rootlesskit/v3/pkg/api"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/port"
+)
+
+// NewParentDriver returns a stub when built with the no_gvisortapvsock tag.
+func NewParentDriver(logWriter io.Writer, stateDir string) (port.ParentDriver, error) {
+	return &disabledParent{}, errors.New("gvisor-tap-vsock port driver disabled by build tag no_gvisortapvsock")
+}
+
+type disabledParent struct{}
+
+func (d *disabledParent) Info(ctx context.Context) (*api.PortDriverInfo, error) {
+	return nil, errors.New("gvisor-tap-vsock port driver disabled by build tag no_gvisortapvsock")
+}
+
+func (d *disabledParent) OpaqueForChild() map[string]string { return map[string]string{} }
+
+func (d *disabledParent) RunParentDriver(initComplete chan struct{}, quit <-chan struct{}, cctx *port.ChildContext) error {
+	return errors.New("gvisor-tap-vsock port driver disabled by build tag no_gvisortapvsock")
+}
+
+func (d *disabledParent) AddPort(ctx context.Context, spec port.Spec) (*port.Status, error) {
+	return nil, errors.New("gvisor-tap-vsock port driver disabled by build tag no_gvisortapvsock")
+}
+
+func (d *disabledParent) ListPorts(ctx context.Context) ([]port.Status, error) {
+	return nil, errors.New("gvisor-tap-vsock port driver disabled by build tag no_gvisortapvsock")
+}
+
+func (d *disabledParent) RemovePort(ctx context.Context, id int) error {
+	return errors.New("gvisor-tap-vsock port driver disabled by build tag no_gvisortapvsock")
+}
+
+// NewChildDriver returns a stub when built with the no_gvisortapvsock tag.
+func NewChildDriver() port.ChildDriver { return &disabledChild{} }
+
+type disabledChild struct{}
+
+func (d *disabledChild) RunChildDriver(opaque map[string]string, quit <-chan struct{}, detachedNetNSPath string) error {
+	return errors.New("gvisor-tap-vsock port driver disabled by build tag no_gvisortapvsock")
+}
diff --git a/pkg/port/slirp4netns/slirp4netns.go b/pkg/port/slirp4netns/slirp4netns.go
@@ -1,3 +1,6 @@
+//go:build !no_slirp4netns
+// +build !no_slirp4netns
+
 package slirp4netns
 
 import (
diff --git a/pkg/port/slirp4netns/slirp4netns_disabled.go b/pkg/port/slirp4netns/slirp4netns_disabled.go
@@ -0,0 +1,51 @@
+//go:build no_slirp4netns
+// +build no_slirp4netns
+
+package slirp4netns
+
+import (
+	"context"
+	"errors"
+	"io"
+
+	"github.com/rootless-containers/rootlesskit/v3/pkg/api"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/port"
+)
+
+// NewParentDriver returns a stub when built with the no_slirp4netns tag.
+func NewParentDriver(logWriter io.Writer, apiSocketPath string) (port.ParentDriver, error) {
+	return &disabledParent{}, errors.New("slirp4netns port driver disabled by build tag no_slirp4netns")
+}
+
+type disabledParent struct{}
+
+func (d *disabledParent) Info(ctx context.Context) (*api.PortDriverInfo, error) {
+	return nil, errors.New("slirp4netns port driver disabled by build tag no_slirp4netns")
+}
+
+func (d *disabledParent) OpaqueForChild() map[string]string { return map[string]string{} }
+
+func (d *disabledParent) RunParentDriver(initComplete chan struct{}, quit <-chan struct{}, cctx *port.ChildContext) error {
+	return errors.New("slirp4netns port driver disabled by build tag no_slirp4netns")
+}
+
+func (d *disabledParent) AddPort(ctx context.Context, spec port.Spec) (*port.Status, error) {
+	return nil, errors.New("slirp4netns port driver disabled by build tag no_slirp4netns")
+}
+
+func (d *disabledParent) ListPorts(ctx context.Context) ([]port.Status, error) {
+	return nil, errors.New("slirp4netns port driver disabled by build tag no_slirp4netns")
+}
+
+func (d *disabledParent) RemovePort(ctx context.Context, id int) error {
+	return errors.New("slirp4netns port driver disabled by build tag no_slirp4netns")
+}
+
+// NewChildDriver returns a stub when built with the no_slirp4netns tag.
+func NewChildDriver() port.ChildDriver { return &disabledChild{} }
+
+type disabledChild struct{}
+
+func (d *disabledChild) RunChildDriver(opaque map[string]string, quit <-chan struct{}, detachedNetNSPath string) error {
+	return errors.New("slirp4netns port driver disabled by build tag no_slirp4netns")
+}
