authorGiuseppe Scrivano <gscrivan@redhat.com>2021-01-21 14:59:39 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2021-01-22 08:08:26 +0100
commit5e65f0ba30f3fca73f8c207825632afef08378c1 (patch)
treee9236d523b5c333d97125c0c8071fe751f90996f
parent37319dec1771aaa9764c81359f439e862f45d8e1 (diff)
rootlessport: set source IP to slirp4netns device
Set the source IP to the slirp4netns address instead of 127.0.0.1 when using rootlesskit.
Closes: https://github.com/containers/podman/issues/5138
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--libpod/networking_linux.go1
-rw-r--r--pkg/rootlessport/rootlessport_linux.go6
-rw-r--r--test/system/500-networking.bats19
3 files changed, 22 insertions, 4 deletions
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index addf1814c..6f56d2f8f 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -547,6 +547,7 @@ func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath strin
ExitFD: 3,
ReadyFD: 4,
TmpDir: ctr.runtime.config.Engine.TmpDir,
+ ChildIP: "10.0.2.100",
}
cfgJSON, err := json.Marshal(cfg)
if err != nil {
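Review bot: The literal `"10.0.2.100"` on the `ChildIP:` line is an unexplained magic constant that has to match the address slirp4netns actually assigns to the container-side device, and nothing in this hunk ties the two together; if the slirp4netns subnet can be configured elsewhere in the runtime, this value would silently point forwarded connections at an address that does not exist in the child namespace. Hoist it into a named, commented constant, e.g. `// slirp4netnsChildIP is the default address slirp4netns gives the container-side device; mapped ports target it so the container sees the real peer address instead of 127.0.0.1.` followed by `const slirp4netnsChildIP = "10.0.2.100"`, and write `ChildIP: slirp4netnsChildIP,` here. setupRootlessPortMappingViaRLK starts before and continues past this hunk.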
diff --git a/pkg/rootlessport/rootlessport_linux.go b/pkg/rootlessport/rootlessport_linux.go
index c686d80fc..80e1309a5 100644
--- a/pkg/rootlessport/rootlessport_linux.go
+++ b/pkg/rootlessport/rootlessport_linux.go
@@ -48,6 +48,7 @@ type Config struct {
ExitFD int
ReadyFD int
TmpDir string
+ ChildIP string
}
func init() {
@@ -227,7 +228,7 @@ outer:
// let parent expose ports
logrus.Infof("exposing ports %v", cfg.Mappings)
- if err := exposePorts(driver, cfg.Mappings); err != nil {
+ if err := exposePorts(driver, cfg.Mappings, cfg.ChildIP); err != nil {
return err
}
@@ -248,7 +249,7 @@ outer:
return nil
}
-func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error {
+func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping, childIP string) error {
ctx := context.TODO()
for _, i := range portMappings {
hostIP := i.HostIP
@@ -260,6 +261,7 @@ func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error {
ParentIP: hostIP,
ParentPort: int(i.HostPort),
ChildPort: int(i.ContainerPort),
+ ChildIP: childIP,
}
if err := rkportutil.ValidatePortSpec(spec, nil); err != nil {
return err
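Review bot: `exposePorts` now copies `childIP` straight into `spec.ChildIP` without checking it, so any caller that leaves `Config.ChildIP` empty (a zero-value `Config` still compiles and still unmarshals) silently falls back to whatever rootlesskit does for an unset child address, which per the commit message is the 127.0.0.1 source this change is meant to remove. Unless the vendored `rkportutil.ValidatePortSpec` is known to reject an empty or unparsable `ChildIP` (I cannot see it from here), guard before the loop with something like `if net.ParseIP(childIP) == nil { return errors.Errorf("invalid child IP %q", childIP) }`, using whichever error and net helpers the file already imports. The new `ChildIP` field in `Config` (the hunk at the top of this file) is serialized with `json.Marshal` on the libpod side and deserves a doc comment such as `// ChildIP is the address inside the child network namespace that mapped host ports are forwarded to.` exposePorts continues past the end of this hunk.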
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index a824ebcd7..bcc6737b7 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@@ -65,8 +65,13 @@ load helpers
myport=54321
# Container will exit as soon as 'nc' receives input
+ # We use '-n -v' to give us log messages showing an incoming connection
+ # and its IP address; the purpose of that is guaranteeing that the
+ # remote IP is not 127.0.0.1 (podman PR #9052).
+ # We could get more parseable output by using $NCAT_REMOTE_ADDR,
+ # but busybox nc doesn't support that.
run_podman run -d --userns=keep-id -p 127.0.0.1:$myport:$myport \
- $IMAGE nc -l -p $myport
+ $IMAGE nc -l -n -v -p $myport
cid="$output"
# emit random string, and check it
@@ -74,7 +79,17 @@ load helpers
echo "$teststring" | nc 127.0.0.1 $myport
run_podman logs $cid
- is "$output" "$teststring" "test string received on container"
+ # Sigh. We can't check line-by-line, because 'nc' output order is
+ # unreliable. We usually get the 'connect to' line before the random
+ # string, but sometimes we get it after. So, just do substring checks.
+ is "$output" ".*listening on \[::\]:$myport .*" "nc -v shows right port"
+
+ # This is the truly important check: make sure the remote IP is
+ # in the 10.X range, not 127.X.
+ is "$output" \
+ ".*connect to \[::ffff:10\..*\]:$myport from \[::ffff:10\..*\]:.*" \
+ "nc -v shows remote IP address in 10.X space (not 127.0.0.1)"
+ is "$output" ".*${teststring}.*" "test string received on container"
# Clean up
run_podman rm $cid
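Review bot: In the remote-IP check, the `10\..*` inside each `\[...\]` is greedy and can run across `]:` into the rest of the line, so the pattern is looser than the comment above it describes; restrict it to address characters: `".*connect to \[::ffff:10\.[0-9.]*\]:$myport from \[::ffff:10\.[0-9.]*\]:.*"`. As written the check also accepts any 10.x.x.x source, not only the slirp4netns device address the commit hard-codes, which is presumably intended so the test survives a different subnet; a one-line comment saying so would spare the next reader from tightening it. The `".*${teststring}.*"` substring check is only safe while the random test string contains no regex metacharacters, which I cannot confirm from this hunk.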