networking: lookup child IP in networks

if a CNI network is added to the container, use the IP address in that network instead of hard-coding the slirp4netns default. commit 5e65f0ba30 introduced this regression. Closes: https://github.com/containers/podman/issues/9065 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-01-22 13:54:24 +01:00 · 2021-01-22 13:54:24 +01:00 · 0ba1942f26
parent 6cef7c78dd
commit 0ba1942f26
2 changed files with 35 additions and 1 deletions
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@ -550,13 +550,25 @@ func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath strin
 		}
 	}

+	childIP := slirp4netnsIP
+outer:
+	for _, r := range ctr.state.NetworkStatus {
+		for _, i := range r.IPs {
+			ipv4 := i.Address.IP.To4()
+			if ipv4 != nil {
+				childIP = ipv4.String()
+				break outer
+			}
+		}
+	}
+
 	cfg := rootlessport.Config{
 		Mappings:  ctr.config.PortMappings,
 		NetNSPath: netnsPath,
 		ExitFD:    3,
 		ReadyFD:   4,
 		TmpDir:    ctr.runtime.config.Engine.TmpDir,
-		ChildIP:   slirp4netnsIP,
+		ChildIP:   childIP,
 	}
 	cfgJSON, err := json.Marshal(cfg)
 	if err != nil {
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@ -98,6 +98,7 @@ load helpers
 # "network create" now works rootless, with the help of a special container
@test "podman network create" {
    skip_if_remote "FIXME: pending #7808"
+    myport=54322

    local mynetname=testnet-$(random_string 10)
    local mysubnet=$(random_rfc1918_subnet)
@ -115,6 +116,27 @@ load helpers
    is "$output" ".* inet ${mysubnet}\.2/24 brd ${mysubnet}\.255 " \
       "sdfsdf"

+    run_podman run --rm -d --network $mynetname -p 127.0.0.1:$myport:$myport \
+               $IMAGE nc -l -n -v -p $myport
+    cid="$output"
+
+    # emit random string, and check it
+    teststring=$(random_string 30)
+    echo "$teststring" | nc 127.0.0.1 $myport
+
+    run_podman logs $cid
+    # Sigh. We can't check line-by-line, because 'nc' output order is
+    # unreliable. We usually get the 'connect to' line before the random
+    # string, but sometimes we get it after. So, just do substring checks.
+    is "$output" ".*listening on \[::\]:$myport .*" "nc -v shows right port"
+
+    # This is the truly important check: make sure the remote IP is
+    # in the 172.X range, not 127.X.
+    is "$output" \
+       ".*connect to \[::ffff:172\..*\]:$myport from \[::ffff:172\..*\]:.*" \
+       "nc -v shows remote IP address in 172.X space (not 127.0.0.1)"
+    is "$output" ".*${teststring}.*" "test string received on container"
+
    # Cannot create network with the same name
    run_podman 125 network create $mynetname
    is "$output" "Error: the network name $mynetname is already used" \