WL#12720 Add support for network namespaces on setting up listening sockets

The following changes were done within this worklog:
  * Extended format of a value for the bind-addressi, mysqlx-bind-address and
    admin-address options to allow specifying a network namespace that be used
    for listening incoming connections for corresponding interface addresses.
  * Added handling of network namespace on socket creation and IP address
    to host name resolving.
  * Extended a grammar of the statement CHANGE MASTER TO in order to support
    the clause NETWORK_NAMESPACE=string_value. This clause is used for
    specifying of a network namespace that a replication master uses for
    listening connection requests from a replication slave.
  * Provided storing of a network namespace in the table slave_master_info.
  * The error code ER_WILDCARD_NOT_ALLOWED_FOR_MULTIADDRESS_BIND was added
    to be output in case wildcard value specified for multi address
    --bind-address option value. It was done to be uniform with
    ER_NETWORK_NAMESPACE_NOT_ALLOWED_FOR_WILDCARD_ADDRESS that used for
    similar use case for network namespaces.
  * The error code ER_NETWORK_NAMESPACES_NOT_SUPPORTED was added to report
    error condition when a network namespace is specified on a platform
    that doesn't support network namespace feature.
  * The error code ER_UNKNOWN_NETWORK_NAMESPACE was added to report error
    condition when a specified network namespace is not configured
    on a host
  * The error code ER_SETNS_FAILED was added to report error condition
    that attempt to switch on a some network namespace failed.

Reviewed-by: Thayumanavar Sachithanantham <[email protected]>

Author: Dmitry Shulga

client/CMakeLists.txt

@@ -29,7 +29,7 @@ ADD_SUBDIRECTORY(base)
 ## Subdirectory for mysqlpump code.
 ADD_SUBDIRECTORY(dump)
 
-MYSQL_ADD_EXECUTABLE(mysql completion_hash.cc mysql.cc readline.cc ../sql-common/sql_string.cc pattern_matcher.cc)
+MYSQL_ADD_EXECUTABLE(mysql completion_hash.cc mysql.cc readline.cc ../sql-common/sql_string.cc pattern_matcher.cc ${CMAKE_SOURCE_DIR}/sql/net_ns.cc)
 TARGET_LINK_LIBRARIES(mysql mysqlclient)
 IF(UNIX)
   TARGET_LINK_LIBRARIES(mysql ${EDITLINE_LIBRARY})

client/mysql.cc

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -89,6 +89,8 @@
 
 #include "sql_common.h"
 
+#include "sql/net_ns.h"
+
 using std::max;
 using std::min;
 
@@ -187,6 +189,9 @@ static STATUS status;
 static ulong select_limit, max_join_size, opt_connect_timeout = 0;
 static char mysql_charsets_dir[FN_REFLEN + 1];
 static char *opt_plugin_dir = 0, *opt_default_auth = 0;
+#ifdef HAVE_SETNS
+static char *opt_network_namespace = 0;
+#endif
 static const char *xmlmeta[] = {
     "&", "&amp;", "<", "&lt;", ">", "&gt;", "\"", "&quot;",
     /* Turn \0 into a space. Why not &#0;? That's not valid XML or HTML. */
@@ -1528,15 +1533,28 @@ static void kill_query(const char *reason) {
   kill_mysql = mysql_init(kill_mysql);
   init_connection_options(kill_mysql);
 
+#ifdef HAVE_SETNS
+  if (opt_network_namespace && set_network_namespace(opt_network_namespace)) {
+    goto err;
+  }
+#endif
+
   if (!mysql_real_connect(kill_mysql, current_host, current_user, opt_password,
                           "", opt_mysql_port, opt_mysql_unix_port, 0)) {
+#ifdef HAVE_SETNS
+    if (opt_network_namespace) (void)restore_original_network_namespace();
+#endif
     tee_fprintf(stdout,
                 "%s -- Sorry, cannot connect to the server to kill "
                 "query, giving up ...\n",
                 reason);
     goto err;
   }
 
+#ifdef HAVE_SETNS
+  if (opt_network_namespace && restore_original_network_namespace()) goto err;
+#endif
+
   interrupted_query = true;
 
   /* mysqld < 5 does not understand KILL QUERY, skip to KILL CONNECTION */
@@ -1552,7 +1570,11 @@ static void kill_query(const char *reason) {
   tee_fprintf(stdout, "%s -- query aborted\n", reason);
 
 err:
+#ifdef HAVE_SETNS
+  if (opt_network_namespace) (void)release_network_namespace_resources();
+#endif
   mysql_close(kill_mysql);
+
   return;
 }
 
@@ -1821,6 +1843,12 @@ static struct my_option my_long_options[] = {
      "test purpose, so it is just built when DEBUG is on.",
      &opt_build_completion_hash, &opt_build_completion_hash, 0, GET_BOOL,
      NO_ARG, 0, 0, 0, 0, 0, 0},
+#endif
+#ifdef HAVE_SETNS
+    {"network-namespace", 0,
+     "Network namespace to use for connection via tcp with a server.",
+     &opt_network_namespace, &opt_network_namespace, 0, GET_STR, REQUIRED_ARG,
+     0, 0, 0, 0, 0, 0},
 #endif
     {0, 0, 0, 0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0}};
 
@@ -4364,6 +4392,9 @@ static int sql_real_connect(char *host, char *database, char *user,
                             char *password, uint silent) {
   if (connected) {
     connected = 0;
+#ifdef HAVE_SETNS
+    if (opt_network_namespace) (void)release_network_namespace_resources();
+#endif
     mysql_close(&mysql);
   }
 
@@ -4392,9 +4423,25 @@ static int sql_real_connect(char *host, char *database, char *user,
   }
 #endif
 
+#ifdef HAVE_SETNS
+  if (opt_network_namespace && set_network_namespace(opt_network_namespace)) {
+    if (!silent) {
+      char msgbuf[PATH_MAX];
+      snprintf(msgbuf, sizeof(msgbuf), "Network namespace error: %s",
+               strerror(errno));
+      put_info(msgbuf, INFO_ERROR);
+    }
+
+    return ignore_errors ? -1 : 1;  // Abort
+  }
+#endif
+
   if (!mysql_real_connect(&mysql, host, user, password, database,
                           opt_mysql_port, opt_mysql_unix_port,
                           connect_flag | CLIENT_MULTI_STATEMENTS)) {
+#ifdef HAVE_SETNS
+    if (opt_network_namespace) (void)restore_original_network_namespace();
+#endif
     if (mysql_errno(&mysql) == ER_MUST_CHANGE_PASSWORD_LOGIN) {
       tee_fprintf(stdout,
                   "Please use --connect-expired-password option or "
@@ -4410,6 +4457,19 @@ static int sql_real_connect(char *host, char *database, char *user,
     return -1;  // Retryable
   }
 
+#ifdef HAVE_SETNS
+  if (opt_network_namespace && restore_original_network_namespace()) {
+    if (!silent) {
+      char msgbuf[PATH_MAX];
+      snprintf(msgbuf, sizeof(msgbuf), "Network namespace error: %s",
+               strerror(errno));
+      put_info(msgbuf, INFO_ERROR);
+    }
+
+    return ignore_errors ? -1 : 1;  // Abort
+  }
+#endif
+
 #ifdef _WIN32
   /* Convert --execute buffer from UTF8MB4 to connection character set */
   if (!execute_buffer_conversion_done++ && status.line_buff &&

config.h.cmake

@@ -161,6 +161,7 @@
 #cmakedefine HAVE_ISINF 1
 
 #cmakedefine HAVE_KQUEUE 1
+#cmakedefine HAVE_SETNS 1
 #cmakedefine HAVE_KQUEUE_TIMERS 1
 #cmakedefine HAVE_POSIX_TIMERS 1
 

configure.cmake

@@ -1,4 +1,4 @@
-# Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2019, Oracle and/or its affiliates. All rights reserved.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0,
@@ -375,6 +375,19 @@ ENDIF()
 CHECK_FUNCTION_EXISTS (timer_create HAVE_TIMER_CREATE)
 CHECK_FUNCTION_EXISTS (timer_settime HAVE_TIMER_SETTIME)
 CHECK_FUNCTION_EXISTS (kqueue HAVE_KQUEUE)
+
+# Check whether the setns() API function supported by a target platform
+CHECK_C_SOURCE_RUNS("
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <sched.h>
+int main()
+{
+  (void)setns(0, 0);
+  return 0;
+}" HAVE_SETNS)
+
 CHECK_SYMBOL_EXISTS(EVFILT_TIMER "sys/types.h;sys/event.h;sys/time.h" HAVE_EVFILT_TIMER)
 IF(HAVE_KQUEUE AND HAVE_EVFILT_TIMER)
   SET(HAVE_KQUEUE_TIMERS 1 CACHE INTERNAL "Have kqueue timer-related filter")

include/violite.h

@@ -37,6 +37,8 @@
 #endif
 #include <sys/types.h>
 
+#include <string>
+
 #include "my_inttypes.h"
 #include "my_psi_config.h"  // IWYU pragma: keep
 #include "mysql/components/services/my_io_bits.h"
@@ -368,6 +370,12 @@ struct Vio {
   std::atomic_flag kevent_wakeup_flag = ATOMIC_FLAG_INIT;
 #endif
 
+#ifdef HAVE_SETNS
+  /**
+    Socket network namespace.
+  */
+  char network_namespace[256];
+#endif
   /*
      VIO vtable interface to be implemented by VIO's like SSL, Socket,
      Named Pipe, etc.

mysql-test/collections/disabled.def

@@ -78,3 +78,5 @@ rpl.rpl_multi_source_corrupt_repository   : Bug#28765425 Disabled until the bug
 
 # sysschema suite tests
 sysschema.v_wait_classes_global_by_avg_latency : BUG#21550054 Test fails too often.
+
+# x plugin suite tests

mysql-test/include/check-testcase.test

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
 #
 
 # ==== Purpose ====
@@ -86,6 +86,7 @@ if ($tmp) {
   --echo Master_TLS_Version	
   --echo Master_public_key_path	
   --echo Get_master_public_key	0
+  --echo Network_Namespace	
 }
 
 if (!$tmp) {

mysql-test/r/disabled_replication.result

@@ -1,5 +1,5 @@
 SHOW SLAVE STATUS;
-Slave_IO_State	Master_Host	Master_User	Master_Port	Connect_Retry	Master_Log_File	Read_Master_Log_Pos	Relay_Log_File	Relay_Log_Pos	Relay_Master_Log_File	Slave_IO_Running	Slave_SQL_Running	Replicate_Do_DB	Replicate_Ignore_DB	Replicate_Do_Table	Replicate_Ignore_Table	Replicate_Wild_Do_Table	Replicate_Wild_Ignore_Table	Last_Errno	Last_Error	Skip_Counter	Exec_Master_Log_Pos	Relay_Log_Space	Until_Condition	Until_Log_File	Until_Log_Pos	Master_SSL_Allowed	Master_SSL_CA_File	Master_SSL_CA_Path	Master_SSL_Cert	Master_SSL_Cipher	Master_SSL_Key	Seconds_Behind_Master	Master_SSL_Verify_Server_Cert	Last_IO_Errno	Last_IO_Error	Last_SQL_Errno	Last_SQL_Error	Replicate_Ignore_Server_Ids	Master_Server_Id	Master_UUID	Master_Info_File	SQL_Delay	SQL_Remaining_Delay	Slave_SQL_Running_State	Master_Retry_Count	Master_Bind	Last_IO_Error_Timestamp	Last_SQL_Error_Timestamp	Master_SSL_Crl	Master_SSL_Crlpath	Retrieved_Gtid_Set	Executed_Gtid_Set	Auto_Position	Replicate_Rewrite_DB	Channel_Name	Master_TLS_Version	Master_public_key_path	Get_master_public_key
+Slave_IO_State	Master_Host	Master_User	Master_Port	Connect_Retry	Master_Log_File	Read_Master_Log_Pos	Relay_Log_File	Relay_Log_Pos	Relay_Master_Log_File	Slave_IO_Running	Slave_SQL_Running	Replicate_Do_DB	Replicate_Ignore_DB	Replicate_Do_Table	Replicate_Ignore_Table	Replicate_Wild_Do_Table	Replicate_Wild_Ignore_Table	Last_Errno	Last_Error	Skip_Counter	Exec_Master_Log_Pos	Relay_Log_Space	Until_Condition	Until_Log_File	Until_Log_Pos	Master_SSL_Allowed	Master_SSL_CA_File	Master_SSL_CA_Path	Master_SSL_Cert	Master_SSL_Cipher	Master_SSL_Key	Seconds_Behind_Master	Master_SSL_Verify_Server_Cert	Last_IO_Errno	Last_IO_Error	Last_SQL_Errno	Last_SQL_Error	Replicate_Ignore_Server_Ids	Master_Server_Id	Master_UUID	Master_Info_File	SQL_Delay	SQL_Remaining_Delay	Slave_SQL_Running_State	Master_Retry_Count	Master_Bind	Last_IO_Error_Timestamp	Last_SQL_Error_Timestamp	Master_SSL_Crl	Master_SSL_Crlpath	Retrieved_Gtid_Set	Executed_Gtid_Set	Auto_Position	Replicate_Rewrite_DB	Channel_Name	Master_TLS_Version	Master_public_key_path	Get_master_public_key	Network_Namespace
 RESET SLAVE;
 ERROR HY000: Slave is not configured or failed to initialize properly. You must at least set --server-id to enable either a master or a slave. Additional error messages can be found in the MySQL error log.
 SHOW RELAYLOG EVENTS;

mysql-test/r/information_schema_keywords.result

@@ -375,6 +375,7 @@ NCHAR	0
 NDB	0
 NDBCLUSTER	0
 NESTED	0
+NETWORK_NAMESPACE	0
 NEVER	0
 NEW	0
 NEXT	0

mysql-test/r/mysqld--help-notwin.result

@@ -17,7 +17,16 @@ The following options may be given as the first argument:
  --admin-address=name 
  IP address to bind to for service connection. Address can
  be an IPv4 address, IPv6 address, or host name. Wildcard
- values *, ::, 0.0.0.0 are not allowed.
+ values *, ::, 0.0.0.0 are not allowed. Address value can
+ have following optional network namespace separated by
+ the delimiter / from the address value. E.g., the
+ following value 192.168.1.1/red specifies IP addresses to
+ listen for incoming TCP connections that have to be
+ placed into the namespace 'red'. Using of network
+ namespace requires its support from underlying Operating
+ System. Attempt to specify a network namespace for a
+ platform that doesn't support it results in error during
+ socket creation.
  --admin-port=#      Port number to use for service connection, built-in
  default (33062)
  --allow-suspicious-udfs 
@@ -55,6 +64,19 @@ The following options may be given as the first argument:
  name or one of the wildcard values *, ::, 0.0.0.0. In
  case more than one address is specified in a
  comma-separated list, wildcard values are not allowed.
+ Every address can have optional network namespace
+ separated by the delimiter / from the address value.
+ E.g., the following value
+ 192.168.1.1/red,172.16.1.1/green,193.168.1.1 specifies
+ three IP addresses to listen for incoming TCP connections
+ two of that have to be placed in corresponding
+ namespaces: the address 192.168.1.1 must be placed into
+ the namespace red and the address 172.16.1.1 must be
+ placed into the namespace green. Using of network
+ namespace requires its support from underlying Operating
+ System. Attempt to specify a network namespace for a
+ platform that doesn't support it results in error during
+ socket creation.
  --binlog-cache-size=# 
  The size of the transactional cache for updates to
  transactional engines for the binary log. If you often