refactor

Signed-off-by: Rui Yang <ruiya@vmware.com>
jdziat · Mar 24, 2023 · a867658 · a867658
1 parent bd0ad56
commit a867658
Showing 1 changed file with 26 additions and 35 deletions.
diff --git a/atc/worker/gardenruntime/worker.go b/atc/worker/gardenruntime/worker.go
@@ -207,19 +207,33 @@ func (worker *Worker) createGardenContainer(
 
 	logger.Debug("creating-garden-container")
 
-	gardenContainer, err := worker.gardenClient.Create(
-		garden.ContainerSpec{
-			Handle:     creatingContainer.Handle(),
-			RootFSPath: fetchedImage.URL,
-			Privileged: fetchedImage.Privileged,
-			BindMounts: bindMounts,
-			Limits:     toGardenLimits(containerSpec.Limits),
-			Env:        worker.containerEnv(containerSpec, fetchedImage),
-			Properties: garden.Properties{
-				userPropertyName: fetchedImage.Metadata.User,
+	gdnSpec := garden.ContainerSpec{
+		Handle:     creatingContainer.Handle(),
+		RootFSPath: fetchedImage.URL,
+		Privileged: fetchedImage.Privileged,
+		BindMounts: bindMounts,
+		Limits:     toGardenLimits(containerSpec.Limits),
+		Env:        worker.containerEnv(containerSpec, fetchedImage),
+		Properties: garden.Properties{
+			userPropertyName: fetchedImage.Metadata.User,
+		},
+	}
+
+	// By default set NetOutRule to whitelist all range of IPs
+	// otherwise leave NetOutRule to nil so worker runtime knows nothing is allowed
+	// to reach outside
+	if !containerSpec.Hermetic {
+		gdnSpec.NetOut = []garden.NetOutRule{{
+			Networks: []garden.IPRange{
+				{
+					Start: net.ParseIP("0.0.0.0"),
+					End:   net.ParseIP("255.255.255.255"),
+				},
 			},
-			NetOut: worker.getNetOut(containerSpec.Hermetic),
-		})
+		}}
+	}
+
+	gardenContainer, err := worker.gardenClient.Create(gdnSpec)
 	if err != nil {
 		logger.Error("failed-to-create-container-in-garden", err)
 		markContainerAsFailed(logger, creatingContainer)
@@ -239,7 +253,6 @@ func (worker *Worker) containerEnv(containerSpec runtime.ContainerSpec, fetchedI
 	if worker.dbWorker.HTTPSProxyURL() != "" {
 		env = append(env, fmt.Sprintf("https_proxy=%s", worker.dbWorker.HTTPSProxyURL()))
 	}
-
 	if worker.dbWorker.NoProxy() != "" {
 		env = append(env, fmt.Sprintf("no_proxy=%s", worker.dbWorker.NoProxy()))
 	}
@@ -597,28 +610,6 @@ func (worker *Worker) getBindMounts(ctx context.Context, volumeMounts []runtime.
 	return bindMounts, nil
 }
 
-// All outgoing network traffic will be dropped during runtime
-// depends on if NetOutRul is set
-func (worker *Worker) getNetOut(hermetic bool) []garden.NetOutRule {
-	// set NetOutRule to nil so worker runtime knows nothing is allowed
-	// to reach outside
-	if hermetic {
-		return nil
-	}
-
-	// set NetOutRule to whitelist all range of IPs
-	return []garden.NetOutRule{
-		{
-			Networks: []garden.IPRange{
-				{
-					Start: net.ParseIP("0.0.0.0"),
-					End:   net.ParseIP("255.255.255.255"),
-				},
-			},
-		},
-	}
-}
-
 func anyMountTo(path string, volumeMounts []runtime.VolumeMount) bool {
 	for _, mnt := range volumeMounts {
 		if filepath.Clean(mnt.MountPath) == filepath.Clean(path) {