allow switching of port-forward approaches when rootless using slirp4netns #6025
Conversation
openshift-ci-robot
added
the
needs-ok-to-test
|
Hi @aleks-mariusz. Thanks for your PR. I'm waiting for a containers member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: aleks-mariusz The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/assign @TomSweeneyRedHat |
| @@ -66,12 +66,9 @@ func (c *Container) validate() error { | |||
|
|
|||
| // Rootless has some requirements, compared to networks. | |||
| if rootless.IsRootless() { | |||
| if len(c.config.Networks) > 0 { | |||
| if !c.config.NetMode.IsSlirp4netns() && len(c.config.Networks) > 0 { | |||
There was a problem hiding this comment.
Why are we changing this? CNI networks will never be usable with rootless Podman's current network stack.
There was a problem hiding this comment.
I changed this because otherwise i cannot use the ":" character as a parameter to --net (when using rootless mode), this validation thinks i'm trying to join CNI networks which this validation prohibits when rootless.
If there's a better way to enable this functionality, please let me know.
|
@aleks-mariusz Thanks for the PR, You need to sign your commit. BTW Did this already get merged upstream in the master branch. |
pkg/namespaces/namespaces.go
Outdated
| return true // default type | ||
| } else { // below here, also contains(":") == true | ||
| parts := strings.SplitN(string(n), ":", 2) | ||
| return parts[1] == rlkFwdType |
There was a problem hiding this comment.
Need to verify that len(parts) == 2 else this could segfault
There was a problem hiding this comment.
just for my clarification, should i be checking if it's exactly length 2? or is the fact that this statement falls on the other side of the if statement else clause, where it definitely has to contain a ":" not sufficient?
aleks-mariusz
force-pushed
the
issues/5138
branch
from
876314a to
8674925
Compare
I updated the PR to add a sign-off at the end of the description, is that enough or do i need to amend the comment itself to include a sign-off as well?
I was asked to base this off v1.9 branch, so i create the PR against that as the source/target branch |
pkg/namespaces/namespaces.go
Outdated
| @@ -17,7 +17,9 @@ const ( | |||
| nsType = "ns" | |||
| podType = "pod" | |||
| privateType = "private" | |||
| rlkFwdType = "rootlessport" | |||
There was a problem hiding this comment.
rootlessport -> rootlesskit?
There was a problem hiding this comment.
this was the example parameter that @giuseppe used.. can change it if you want the parameter to look different
|
FYI this package has same interface as rootlessport and can be used for simplifying code https://github.com/rootless-containers/rootlesskit/blob/master/pkg/port/slirp4netns/slirp4netns.go |
sujil02
force-pushed
the
v1.9
branch
2 times, most recently
from
2f2d053 to
be44305
Compare
aleks-mariusz
force-pushed
the
issues/5138
branch
from
3a15821 to
1b75c78
Compare
|
Is this going to be |
|
I think it's a cleaner approach than trying to add further parsing to
We'll need a new field (probably map[string]string) in Container configuration to hold it, and we can check it during network setup; if not set, we just use the default or rootlesskit. |
would it be possible in future to have multiple networks? With separate flags it will be more difficult, while having a single |
|
I don't know - I don't think we have any ability to do that right now ( |
|
Well what about both:
So sample parameter of slirp4nets outbound address would be |
true but that will be an internal change, while now we are introducing a CLI change that will be difficult to change later.
it is possible to add multiple slirp4netns networks to the same container |
|
Would it be of any value to anyone else beside me if we perhaps also had an environment variable be handled in order to make this change take effect? I'm asking because the way i am launching podman, when/where i really need this source-ip preserved functionality is via podman-compose, which does not currently support any |
|
or libpod.conf? |
|
the config file approach is an interesting idea, i didn't even consider that.. but won't that mean that every container will in-effect be impacted/affected by the change if it's a global (or per user) level? is that desirable? TBH, i'm not a huge fan of the environment variable idea (it's a bit too easy to lose hours off debugging something where it turns out you set (or didn't set) an environment variable and forgot), but it was the most immediate thing that came into my mind that worked around pod definitions not supporting --network |
that can be used exactly in the case you want to change the default. For a single container, |
|
/usr/share/containers/containers.conf and /etc/containers/containers.conf are global. |
|
i can take a stab at adding the ability to choose between legacy slirp4netns and the new rootlesskit in containers.conf to this PR also, if folks are happy with what i have in here so far looks good.. also what should i name the parameter (presuming it'd go under the |
|
Maybe |
could it be |
There was a problem hiding this comment.
I'd prefer if the modes are an enum, so we can also check for invalid inputs:
But that is not blocking, we can either fix in a follow up PR, or I can take a look at it.
What is more important now is that we pick the correct flags. I suggest we have:
--network=slirp4netns:slirp_port_handler=slirplisten--network=slirp4netns:slirp_port_handler=rootlesskit
the config name must be the same as we agree for the config file.
You can just hardcode the slirp_port_handler= part inside of the rlkFwdType and slirpFwdType variables for now. What do you think? Does it make sense?
pkg/namespaces/namespaces.go
Outdated
| func (n NetworkMode) IsPortForwardViaRootlessKit() bool { | ||
| if !n.IsSlirp4netns() { | ||
| return false | ||
| } else { // below here, implied IsSlirp4netns() == true |
There was a problem hiding this comment.
you can drop the else since there is an early return in the first condition and move everything one level back.
pkg/namespaces/namespaces.go
Outdated
| func (n NetworkMode) IsPortForwardViaSlirpHostFwd() bool { | ||
| if !n.IsSlirp4netns() { | ||
| return false | ||
| } else { // below here, implied IsSlirp4netns() == true |
|
s/slirp_port_handler/port_handler/ because |
|
@aleks-mariusz ping |
|
@rhatdan Will try to look at giuseppe's review this weekend and maybe put the config file handling in as well |
aleks-mariusz
force-pushed
the
issues/5138
branch
from
1b75c78 to
c5cd8ff
Compare
|
@giuseppe i've added your review feedback to this PR now.. I'm going to hold off from trying to tackle the config file handling as i'm not quite sure how to this is handled (and may not be handled in this project but in containers/common ) Can you (or anyone) add the config file handling to this PR please (or guide me how to) |
I think we can tackle that separately as another PR. The new code LGTM, could you just fix the golint issues reported here: https://github.com/containers/libpod/pull/6025/checks?check_run_id=660593109 ? |
aleks-mariusz
force-pushed
the
issues/5138
branch
2 times, most recently
from
d4c36fd to
f3974be
Compare
|
I think the next two patches change code introduced by the first one, can you please squash the patches in one? After that, I think it is ready to go |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
…netns As of podman 1.8.0, because of commit da7595a, the default approach of providing port-forwarding in rootless mode has switched (and been hard-coded) to rootlessport, for the purpose of providing super performance. The side-effect of this switch is source within the container to the port-forwarded service always appears to originate from 127.0.0.1 (see issue containers#5138). This commit allows a user to specify if they want to revert to the previous approach of leveraging slirp4netns add_hostfwd() api which, although not as stellar performance, restores usefulness of seeing incoming traffic origin IP addresses. The change should be transparent; when not specified, rootlessport will continue to be used, however if specifying --net slirp4netns:slirplisten the old approach will be used. Note: the above may imply the restored port-forwarding via slirp4netns is not as performant as the new rootlessport approach, however the figures shared in the original commit that introduced rootlessport are as follows: slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps, which are more than sufficient for many use cases where the origin of traffic is more important than limits that cannot be reached due to bottlenecks elsewhere. Signed-off-by: Aleks Mariusz <m.k@alek.cx>
aleks-mariusz
force-pushed
the
issues/5138
branch
from
f3974be to
41044b2
Compare
|
my fault - works fine thanks! |
|
@giuseppe is there anything else needed to merge this? i would really like the config file support to be written as well as even this is a bit cumbersome to have to use and being able to use a config file would be a preferable/more global change please |
|
it looks fine, thanks. Can you also open a PR for master? I'd like that the feature goes first in master, and then in 1.9 |
|
A friendly reminder that this PR had no activity for 30 days. |
|
implemented w/ Giuseppe's help via #6965 |
github-actions
bot
added
the
locked - please file new issue/PR
As of podman 1.8.0, because of commit da7595a, the default approach of providing port-forwarding in rootless mode has switched (and been hard-coded) to rootlessport, for the purpose of providing super performance. The side-effect of this switch is source within the container to the port-forwarded service always appears to originate from 127.0.0.1 (see issue #5138).
This commit allows a user to specify if they want to revert to the previous approach
of leveraging slirp4netns add_hostfwd() api which, although not as stellar performance,
restores usefulness of seeing incoming traffic origin IP addresses.
The change should be transparent; when not specified, rootlessport will continue to be
used, however if specifying
--net slirp4netns:slirplistenthe old approach will be used.Testing performed in rootless mode of relevant functionality:
Default behaviour scenario 1 (nothing specified, so not taking advantage of this commit original behaviour (higher performance rootlessport in use))
Default behaviour scenario 2 (specifying just --net slirp4netns, which is default when in rootless mode)
Restored (old, pre-1.8.0) behaviour, where source IP show true origin of port-forwarded traffic.
Note: the above may imply the restored port-forwarding via slirp4netns is not as performant as the new rootlessport approach, however the figures shared in the original commit that introduced rootlessport are as follows:
socat: 5.2 Gbps, slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps, which are more than sufficient for many use cases where the origin of traffic is more important than limits that cannot be reached due to bottlenecks elsewhere.Signed-off-by: Aleks Mariusz <m.k@alek.cx>