-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for publishing ports #40
Comments
A better solution would be a bridge network for each VM that listens on all ports. Perhaps we connect to the existing docker bridge? |
Looking at the current implementation, the best option IMO, is to add a small
This works because the tun-tap interfaces are available on the hostOS already, so a haproxy service running with host networking, will be able to proxy to these. We'll just need to set well known subnets, since random won't work with static haproxy config (unless we pipe it through .. outside of the MVP scope, for multiple VMs, we would expand to multiple frontend listeners (e.g. .. for dynamic service discovery, we can implement a solution with haproxy + firecracker API. Fir example, running a supervisor process polling local firecracker APIs and updating HAProxy backends using its socket (mapped into each jailer container). |
@ab77 how is docker able to forward traffic from a public interface to an address on the docker bridge using only iptables and routes? I was hoping we could solve it in a similar way, even if we hardcode a bunch of it initially. |
Using a tcp proxy. Using iptables dynamically is much more complicated, messy and we should avoid it. |
I ask because we already add and remove rules as part of the TAP device creation so it seemed like a logical place to add some additional port rules and remain part of the overlay vs a separate sidecar app. |
Let's create a builder deployment first with both containerised and VM builders (lets start with amd64), deploy to staging and figure out the approach there. |
I have another idea for this that solves multiple related problems. We can
discuss when I’m back, so don’t spend too much time on it for now.
*—*
*Kyle Harding*
Embedded Linux Engineer, balena.io
…On Thu, Feb 22, 2024 at 5:54 PM Anton Belodedenko ***@***.***> wrote:
WIP: balena-io/remote-workers#180
<balena-io/remote-workers#180>
—
Reply to this email directly, view it on GitHub
<#40 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AE4CWIFGOXKE3N3PPFS5TYLYU7EBNAVCNFSM6AAAAABANDNOSWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNRQGQ3DSOBRGY>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
The host container is already running in host networking mode in order to create the TUN/TAP device, we just need to accept some port ranges via (env vars?) and create the required IP tables rules similar to how Docker would do.
The text was updated successfully, but these errors were encountered: