containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rootlessport: set source IP to slirp4netns device 

set the source IP to the slirp4netns address instead of 127.0.0.1 when
using rootlesskit.

Closes: https://github.com/containers/podman/issues/5138

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano 2021-01-21 14:59:39 +01:00
parent 37319dec17
commit 5e65f0ba30
No known key found for this signature in database
GPG Key ID: E4730F97F60286ED
3 changed files with 22 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
libpod/networking_linux.go
View File

@ -547,6 +547,7 @@ func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath strin
ExitFD: 3, ExitFD: 3,
ReadyFD: 4, ReadyFD: 4,
TmpDir: ctr.runtime.config.Engine.TmpDir, TmpDir: ctr.runtime.config.Engine.TmpDir,
ChildIP: "10.0.2.100",
} }
cfgJSON, err := json.Marshal(cfg) cfgJSON, err := json.Marshal(cfg)
if err != nil { if err != nil {

6
pkg/rootlessport/rootlessport_linux.go
View File

@ -48,6 +48,7 @@ type Config struct {
ExitFD int ExitFD int
ReadyFD int ReadyFD int
TmpDir string TmpDir string
ChildIP string
} }
func init() { func init() {
@ -227,7 +228,7 @@ outer:
// let parent expose ports // let parent expose ports
logrus.Infof("exposing ports %v", cfg.Mappings) logrus.Infof("exposing ports %v", cfg.Mappings)
if err := exposePorts(driver, cfg.Mappings); err != nil { if err := exposePorts(driver, cfg.Mappings, cfg.ChildIP); err != nil {
return err return err
} }
@ -248,7 +249,7 @@ outer:
return nil return nil
} }
func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error { func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping, childIP string) error {
ctx := context.TODO() ctx := context.TODO()
for _, i := range portMappings { for _, i := range portMappings {
hostIP := i.HostIP hostIP := i.HostIP
@ -260,6 +261,7 @@ func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error {
ParentIP: hostIP, ParentIP: hostIP,
ParentPort: int(i.HostPort), ParentPort: int(i.HostPort),
ChildPort: int(i.ContainerPort), ChildPort: int(i.ContainerPort),
ChildIP: childIP,
} }
if err := rkportutil.ValidatePortSpec(spec, nil); err != nil { if err := rkportutil.ValidatePortSpec(spec, nil); err != nil {
return err return err

19
test/system/500-networking.bats
View File

@ -65,8 +65,13 @@ load helpers
myport=54321 myport=54321
# Container will exit as soon as 'nc' receives input # Container will exit as soon as 'nc' receives input
# We use '-n -v' to give us log messages showing an incoming connection
# and its IP address; the purpose of that is guaranteeing that the
# remote IP is not 127.0.0.1 (podman PR #9052).
# We could get more parseable output by using $NCAT_REMOTE_ADDR,
# but busybox nc doesn't support that.
run_podman run -d --userns=keep-id -p 127.0.0.1:$myport:$myport \ run_podman run -d --userns=keep-id -p 127.0.0.1:$myport:$myport \
$IMAGE nc -l -p $myport $IMAGE nc -l -n -v -p $myport
cid="$output" cid="$output"
# emit random string, and check it # emit random string, and check it
@ -74,7 +79,17 @@ load helpers
echo "$teststring" | nc 127.0.0.1 $myport echo "$teststring" | nc 127.0.0.1 $myport
run_podman logs $cid run_podman logs $cid
is "$output" "$teststring" "test string received on container" # Sigh. We can't check line-by-line, because 'nc' output order is
# unreliable. We usually get the 'connect to' line before the random
# string, but sometimes we get it after. So, just do substring checks.
is "$output" ".*listening on \[::\]:$myport .*" "nc -v shows right port"
# This is the truly important check: make sure the remote IP is
# in the 10.X range, not 127.X.
is "$output" \
".*connect to \[::ffff:10\..*\]:$myport from \[::ffff:10\..*\]:.*" \
"nc -v shows remote IP address in 10.X space (not 127.0.0.1)"
is "$output" ".*${teststring}.*" "test string received on container"
# Clean up # Clean up
run_podman rm $cid run_podman rm $cid