[rootless] slirp4netns w/ --disable-host-loopback: host initiated udp communication container <-> host impossible #4586
Comments
I think Podman should ditch slirp4netns port forwarder and use RootlessKit port forwarder as in Rootless Docker. The RootlessKit port forwarder can be imported as a Go package: https://github.com/rootless-containers/rootlesskit/blob/master/pkg/port/builtin/builtin.go
I'll try to open PR.
Thanks for your great effort and taking the time! I tried your patch locally, and unfortunately for me, it does not change anything. The behavior is still the same -- except that slirp4netns is no longer used. But udp communication works only from host to container. conntrack also clearly shows an entry but never receives a reply. Is there anything I need to configure or change for this to work?
Thanks for testing, seems we need to specify local addr explicitly in this dialer?
hmm, local addr is already set to 127.0.0.1 as expected, but UDP reply seems not forwarded |
I'm wondering. Would it be possible, maybe in the future, to support packet filtering per container with rootlesskit for outgoing traffic? For example it would be useful if one container can access the internet while other containers can't on the same host. With rootful containers it is just attaching a device and forwarding with iptables; I wonder if it's even worth considering supporting such a feature for rootkit.
You can already run iptables in rootlesskit (Not rootkit! 😄 ) |
You can also limit container network access in a variety of other methods, including setting up CNI networks that do not forward past the host.
@AkihiroSuda |
@baude |
I don't believe you can. We explicitly do not initialize CNI as rootless because it requires too many permissions to use. |
Indeed. It failed. I believe the only way to filter in the userspace is by implementing some sort of tcp/udp filter. |
RootlessKit port forwarder has a lot of advantages over the slirp4netns port forwarder:
* Very high throughput. Benchmark result on Travis: socat: 5.2 Gbps, slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps (https://travis-ci.org/rootless-containers/rootlesskit/builds/597056377)
* Connections from the host are treated as 127.0.0.1 rather than 10.0.2.2 in the namespace. No UDP issue (containers#4586)
* No tcp_rmem issue (containers#4537)
* Probably works with IPv6. Even if not, it is trivial to support IPv6. (containers#4311)
* Easily extensible for future support of SCTP
* Easily extensible for future support of `lxc-user-nic` SUID network

RootlessKit port forwarder has been already adopted as the default port forwarder by Rootless Docker/Moby, and no issue has been reported AFAIK.
As the port forwarder is imported as a Go package, no `rootlesskit` binary is required for Podman.

Fix containers#4586
May-fix containers#4559
Fix containers#4537
May-fix containers#4311

See https://github.com/rootless-containers/rootlesskit/blob/v0.7.0/pkg/port/builtin/builtin.go

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Running a UDP-based daemon in a rootless container makes the daemon essentially useless to the host, since communication is one-way (host -> container): no UDP packets from the container will be delivered to the host due to "--disable-host-loopback" being set for slirp4netns. There is no connection tracking or any kind of differentiation happening within libslirp; it will simply not translate the container address to a proper host address (socket.c: sotranslate_out) if said option is set.
Steps to reproduce the issue:
run a rootless container with dnsmasq (mapping ports appropriately)
send a dns request to the container from the host
Describe the results you received:
The request is received and processed on the container but the reply never reaches the host.
Describe the results you expected:
The reply should be received on the host.
Additional information you deem important (e.g. issue happens only occasionally):
An even easier way to reproduce the problem is by simply running netcat on both the container and the host, with the container listening on e.g. port 53 (udp). Using netcat to communicate with the container from the host, all messages from the host will be received on the container but not vice versa.
Output of `podman version`:
Output of `podman info --debug`:
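The reply path whose absence this issue describes, shown as an added example (not Podman's, slirp4netns's or RootlessKit's code): a minimal userspace UDP port forwarder in Go that keeps a per-client reverse mapping, so a backend's reply is written back out of the frontend socket to the client that sent the request. The names `Forward`, `relayReplies` and `ListenAndForward` are this example's own, and the backend address is assumed to be supplied by the caller.

```go
package main

import "net"

// Forward relays each datagram arriving on front to backend and carries the
// backend's replies back out through front to the client that sent them. The
// per-client map is the reverse mapping that gives a reply its return path;
// without it a relay shows the one-way behaviour this issue describes.
func Forward(front *net.UDPConn, backend *net.UDPAddr) {
	sessions := map[string]*net.UDPConn{} // client -> backend socket; only this goroutine touches it
	buf := make([]byte, 65535)
	for {
		n, client, err := front.ReadFromUDP(buf)
		if err != nil {
			return // frontend closed; Forward ends
		}
		up, ok := sessions[client.String()]
		if !ok {
			if up, err = net.DialUDP("udp", nil, backend); err != nil {
				continue // backend unreachable; drop this datagram
			}
			sessions[client.String()] = up
			go relayReplies(front, up, client)
		}
		up.Write(buf[:n]) // request path: client -> backend
	}
}

// relayReplies copies everything backend sends on up back to client through
// front, so the client sees the reply come from the port it sent to.
func relayReplies(front, up *net.UDPConn, client *net.UDPAddr) {
	buf := make([]byte, 65535)
	for {
		n, err := up.Read(buf)
		if err != nil {
			return // session socket closed
		}
		front.WriteToUDP(buf[:n], client) // reply path: backend -> client
	}
}

// ListenAndForward binds an ephemeral 127.0.0.1 port, relays it to backend in
// the background and returns the frontend socket (LocalAddr gives the port).
func ListenAndForward(backend *net.UDPAddr) (*net.UDPConn, error) {
	front, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1)})
	if err != nil {
		return nil, err
	}
	go Forward(front, backend)
	return front, nil
}
```

Pointing a client such as netcat at the returned frontend port gives the two-way exchange the issue's netcat test expects; without the map in `Forward`, the second half of the exchange never happens.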