summaryrefslogtreecommitdiff
path: root/libpod/networking_linux.go
Commit message (Collapse)AuthorAge
* SpellingJosh Soref2020-12-22
| | | | Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* Make `podman stats` slirp check more robustMatthew Heon2020-12-08
| | | | | | | | | | | Just checking for `rootless.IsRootless()` does not catch all the cases where slirp4netns is in use - we actually allow it to be used as root as well. Fortify the conditional here so we don't fail in the root + slirp case. Fixes #7883 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #8571 from Luap99/podman-network-reloadOpenShift Merge Robot2020-12-08
|\ | | | | Implement pod-network-reload
| * Implement pod-network-reloadMatthew Heon2020-12-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds a new command, 'podman network reload', to reload the networks of existing containers, forcing recreation of firewall rules after e.g. `firewall-cmd --reload` wipes them out. Under the hood, this works by calling CNI to tear down the existing network, then recreate it using identical settings. We request that CNI preserve the old IP and MAC address in most cases (where the container only had 1 IP/MAC), but there will be some downtime inherent to the teardown/bring-up approach. The architecture of CNI doesn't really make doing this without downtime easy (or maybe even possible...). At present, this only works for root Podman, and only locally. I don't think there is much of a point to adding remote support (this is very much a local debugging command), but I think adding rootless support (to kill/recreate slirp4netns) could be valuable. Signed-off-by: Matthew Heon <matthew.heon@pm.me> Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Add ability to set system wide options for slirp4netnsAshley Cui2020-12-04
|/ | | | | | Wire in containers.conf options for slirp Signed-off-by: Ashley Cui <acui@redhat.com>
* network connect disconnect on non-running containersbaude2020-11-30
| | | | | | | a container can connect and disconnet to networks even when not in a running state. Signed-off-by: baude <bbaude@redhat.com>
* update container status with new resultsbaude2020-11-23
| | | | | | | | | a bug was being caused by the fact that the container network results were not being updated properly. given that jhon is on PTO, this PR will replace #8362 Signed-off-by: baude <bbaude@redhat.com>
* Refactor compat container create endpointJhon Honce2020-11-23
| | | | | | | | | | | | * Make endpoint compatibile with docker-py network expectations * Update specgen helper when called from compat endpoint * Update godoc on types * Add test for network/container create using docker-py method * Add syslog logging when DEBUG=1 for tests Fixes #8361 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Make c.networks() list include the default networkMatthew Heon2020-11-20
| | | | | | | | | | | | | | This makes things a lot more clear - if we are actually joining a CNI network, we are guaranteed to get a non-zero length list of networks. We do, however, need to know if the network we are joining is the default network for inspecting containers as it determines how we populate the response struct. To handle this, add a bool to indicate that the network listed was the default network, and only the default network. Signed-off-by: Matthew Heon <mheon@redhat.com>
* add network connect|disconnect compat endpointsbaude2020-11-19
| | | | | | | | | | | this enables the ability to connect and disconnect a container from a given network. it is only for the compatibility layer. some code had to be refactored to avoid circular imports. additionally, tests are being deferred temporarily due to some incompatibility/bug in either docker-py or our stack. Signed-off-by: baude <bbaude@redhat.com>
* add network connect|disconnect compat endpointsbaude2020-11-17
| | | | | | | | | | | this enables the ability to connect and disconnect a container from a given network. it is only for the compatibility layer. some code had to be refactored to avoid circular imports. additionally, tests are being deferred temporarily due to some incompatibility/bug in either docker-py or our stack. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #8304 from rhatdan/errorOpenShift Merge Robot2020-11-12
|\ | | | | Cleanup error reporting
| * Cleanup error reportingDaniel J Walsh2020-11-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The error message reported is overlay complicated and the added test does not really help the user. Currently the error looks like: podman run -p 80:80 fedora echo hello Error: failed to expose ports via rootlessport: "cannot expose privileged port 80, you might need to add "net.ipv4.ip_unprivileged_port_start=0" (currently 1024) to /etc/sysctl.conf, or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied\n" After this change ./bin/podman run -p 80:80 fedora echo hello Error: cannot expose privileged port 80, you might need to add "net.ipv4.ip_unprivileged_port_start=0" (currently 1024) to /etc/sysctl.conf, or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied Control chars have been eliminated. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Add support for network connect / disconnect to DBMatthew Heon2020-11-11
|/ | | | | | | | | | | | | | | | | | | | | | | | Convert the existing network aliases set/remove code to network connect and disconnect. We can no longer modify aliases for an existing network, but we can add and remove entire networks. As part of this, we need to add a new function to retrieve current aliases the container is connected to (we had a table for this as of the first aliases PR, but it was not externally exposed). At the same time, remove all deconflicting logic for aliases. Docker does absolutely no checks of this nature, and allows two containers to have the same aliases, aliases that conflict with container names, etc - it's just left to DNS to return all the IP addresses, and presumably we round-robin from there? Most tests for the existing code had to be removed because of this. Convert all uses of the old container config.Networks field, which previously included all networks in the container, to use the new DB table. This ensures we actually get an up-to-date list of in-use networks. Also, add network aliases to the output of `podman inspect`. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* network aliases for container creationbaude2020-11-09
| | | | | | | | podman can now support adding network aliases when running containers (--network-alias). It requires an updated dnsname plugin as well as an updated ocicni to work properly. Signed-off-by: baude <bbaude@redhat.com>
* Fix dnsname when joining a different network namespace in a podPaul Holzinger2020-10-30
| | | | | | | | | | When creating a container in a pod the podname was always set as the dns entry. This is incorrect when the container is not part of the pods network namespace. This happend both rootful and rootless. To fix this check if we are part of the pods network namespace and if not use the container name as dns entry. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #7772 from TomSweeneyRedHat/dev/tsweeney/splitnOpenShift Merge Robot2020-10-21
|\ | | | | Convert Split() calls with an equal sign to SplitN()
| * Convert Split() calls with an equal sign to SplitN()TomSweeneyRedHat2020-10-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After seeing #7759, I decided to look at the calls in Podman and Buildah to see if we had issues with strings.Split() calls where an "=" (equals) sign was in play and we expected to split on only the first one. There were only one or two that I found in here that I think might have been troubling, the remainder are just adding some extra safety. I also had another half dozen or so that were checking length expectations appropriately, those I left alone. Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | Retrieve network inspect info from dependency containerMatthew Heon2020-10-20
|/ | | | | | | | | | | | | When a container either joins a pod that shares the network namespace or uses `--net=container:` to share the network namespace of another container, it does not have its own copy of the CNI results used to generate `podman inspect` output. As such, to inspect these containers, we should be going to the container we share the namespace with for network info. Fixes #8073 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Include CNI networks in inspect output when not runningMatthew Heon2020-10-09
| | | | | | | | | | | We were only including the CNI Network fields in the output of `podman inspect` when the container was not running. It's simple enough to fix (populate with empty structs, since we can't fill anything without a CNI response to get IP address assigned, etc). This is necessary for Docker compatibility. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Remove excessive error wrappingKir Kolyshkin2020-10-05
| | | | | | | | | | | | | | | | | In case os.Open[File], os.Mkdir[All], ioutil.ReadFile and the like fails, the error message already contains the file name and the operation that fails, so there is no need to wrap the error with something like "open %s failed". While at it - replace a few places with os.Open, ioutil.ReadAll with ioutil.ReadFile. - replace errors.Wrapf with errors.Wrap for cases where there are no %-style arguments. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* rootless: support `podman network create` (CNI-in-slirp4netns)Akihiro Suda2020-09-09
| | | | | | | | | | | | | | | | | Usage: ``` $ podman network create foo $ podman run -d --name web --hostname web --network foo nginx:alpine $ podman run --rm --network foo alpine wget -O - http://web.dns.podman Connecting to web.dns.podman (10.88.4.6:80) ... <h1>Welcome to nginx!</h1> ... ``` See contrib/rootless-cni-infra for the design. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Add support for setting the CIDR when using slirp4netnsAdis Hamzić2020-08-12
| | | | | | | | This adds support for the --cidr parameter that is supported by slirp4netns since v0.3.0. This allows the user to change the ip range that is used for the network inside the container. Signed-off-by: Adis Hamzić <adis@hamzadis.com>
* changes to support outbound-addr5eraph2020-08-07
| | | | | | Fixes #6064 Signed-off-by: Bohumil Cervenka <5eraph@protonmail.com>
* Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6965 from giuseppe/followup-pr6324OpenShift Merge Robot2020-07-17
|\ | | | | allow switching of port-forward approaches in rootless/using slirp4netns
| * network, slirp4netns: add option to allow host loopbackGiuseppe Scrivano2020-07-16
| | | | | | | | | | | | Closes: https://github.com/containers/podman/issues/6912 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * libpod: pass down network optionsGiuseppe Scrivano2020-07-16
| | | | | | | | | | | | do not pass network specific options through the network namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * allow switching of port-forward approaches in rootless/using slirp4netnsaleks-mariusz2020-07-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As of podman 1.8.0, because of commit da7595a, the default approach of providing port-forwarding in rootless mode has switched (and been hard-coded) to rootlessport, for the purpose of providing super performance. The side-effect of this switch is source within the container to the port-forwarded service always appears to originate from 127.0.0.1 (see issue #5138). This commit allows a user to specify if they want to revert to the previous approach of leveraging slirp4netns add_hostfwd() api which, although not as stellar performance, restores usefulness of seeing incoming traffic origin IP addresses. The change should be transparent; when not specified, rootlessport will continue to be used, however if specifying --net slirp4netns:slirplisten the old approach will be used. Note: the above may imply the restored port-forwarding via slirp4netns is not as performant as the new rootlessport approach, however the figures shared in the original commit that introduced rootlessport are as follows: slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps, which are more than sufficient for many use cases where the origin of traffic is more important than limits that cannot be reached due to bottlenecks elsewhere. Signed-off-by: Aleks Mariusz <m.k@alek.cx> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Include infra container information in `pod inspect`Matthew Heon2020-07-14
|/ | | | | | | | | | We had a field for this in the inspect data, but it was never being populated. Because of this, `podman pod inspect` stopped showing port bindings (and other infra container settings). Add code to populate the infra container inspect data, and add a test to ensure we don't regress again. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Remove all instances of named return "err" from LibpodMatthew Heon2020-07-09
| | | | | | | | | | | | | | | | | This was inspired by https://github.com/cri-o/cri-o/pull/3934 and much of the logic for it is contained there. However, in brief, a named return called "err" can cause lots of code confusion and encourages using the wrong err variable in defer statements, which can make them work incorrectly. Using a separate name which is not used elsewhere makes it very clear what the defer should be doing. As part of this, remove a large number of named returns that were not used anywhere. Most of them were once needed, but are no longer necessary after previous refactors (but were accidentally retained). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* move go module to v2Valentin Rothberg2020-07-06
| | | | | | | | | | | | | | | With the advent of Podman 2.0.0 we crossed the magical barrier of go modules. While we were able to continue importing all packages inside of the project, the project could not be vendored anymore from the outside. Move the go module to new major version and change all imports to `github.com/containers/libpod/v2`. The renaming of the imports was done via `gomove` [1]. [1] https://github.com/KSubedi/gomove Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Reformat inspect network settingsQi Wang2020-06-23
| | | | | | Reformat ports of inspect network settings to compatible with docker inspect. Close #5380 Signed-off-by: Qi Wang <qiwan@redhat.com>
* Properly follow linked namespace container for statsMatthew Heon2020-06-02
| | | | | | | | | | | | | | | | | | | Podman containers can specify that they get their network namespace from another container. This is automatic in pods, but any container can do it. The problem is that these containers are not guaranteed to have a network namespace of their own; it is perfectly valid to join the network namespace of a --net=host container, and both containers will end up in the host namespace. The code for obtaining network stats did not account for this, and could cause segfaults as a result. Fortunately, the fix is simple - the function we use to get said stats already performs appropriate checks, so we just need to recursively call it. Fixes #5652 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* If possible use the pod name when creating a networkAlban Bedel2020-04-03
| | | | | | | | | | | | | | | When creating a network we pass down a name which end up in the K8S_POD_NAME argument to cni plugins. Currently this name is always filled with the container name, so for pods it is the name of the infra container, not really what one would expect. This mess up with the dnsname plugin as it doesn't receive the pod name in K8S_POD_NAME. To fix this pass the pod name when the container is part of a pod, otherwise use the container name like before. Signed-off-by: Alban Bedel <albeu@free.fr> --- v2: Only call GetPod() when a pod id is set
* Add support for containers.confDaniel J Walsh2020-03-27
| | | | | | | vendor in c/common config pkg for containers.conf Signed-off-by: Qi Wang qiwan@redhat.com Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podmanv2 container inspectBrent Baude2020-03-26
| | | | | | add ability to inspect a container Signed-off-by: Brent Baude <bbaude@redhat.com>
* slirp: enable seccomp filterGiuseppe Scrivano2020-03-26
| | | | | | | add a check for --enable-seccomp support in slirp4netns. If it is supported, always enable it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Attempt manual removal of CNI IP allocations on refreshMatthew Heon2020-03-19
| | | | | | | | | | | | | | We previously attempted to work within CNI to do this, without success. So let's do it manually, instead. We know where the files should live, so we can remove them ourselves instead. This solves issues around sudden reboots where containers do not have time to fully tear themselves down, and leave IP address allocations which, for various reasons, are not stored in tmpfs and persist through reboot. Fixes #5433 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* vendor: update github.com/containernetworking/cni to ↵Dan Williams2020-03-06
| | | | | | | | | | | | | | v0.7.2-0.20200304161608-4fae32b84921 Specifically to get: https://github.com/containernetworking/cni/pull/735 6f29b0165883b2b52ccd4dcb937162ea4c86927b intercept netplugin std err But also pulls in some interface name validation and a compatibility fix for configurations that don't set a CNI version. Signed-off-by: Dan Williams <dcbw@redhat.com>
* Add support for multiple CNI networks in podman inspectMatthew Heon2020-02-25
| | | | | | | | | | | | | | | | When inspecting containers, info on CNI networks added to the container by name (e.g. --net=name1) should be displayed separately from the configuration of the default network, in a separate map called Networks. This patch adds this separation, improving our Docker compatibility and also adding the ability to see if a container has more than one IPv4 and IPv6 address and more than one MAC address. Fixes #4907 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* rootless: fix a regression when using -dGiuseppe Scrivano2020-02-18
| | | | | | | | | | | | when using -d and port mapping, make sure the correct fd is injected into conmon. Move the pipe creation earlier as the fd must be known at the time we create the container through conmon. Closes: https://github.com/containers/libpod/issues/5167 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4853 from mheon/do_not_configure_with_slirpOpenShift Merge Robot2020-01-13
|\ | | | | Do not configure CNI when slirp4netns is requested
| * Do not configure CNI when slirp4netns is requestedMatthew Heon2020-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | Our networking code bakes in a lot of assumptions about how networking should work - that CNI is *always* used with root, and that slirp4netns is *always* used only with rootless. These are not safe assumptions. This fixes one particular issue, which would cause CNI to also be run when slirp4netns was requested as root. Fixes: #4687 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Add codespell to validate spelling mistakes in code.Daniel J Walsh2020-01-11
|/ | | | | | Fix all errors found by codespell Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootlessport: honor ctr.runtime.config.TmpDirAkihiro Suda2020-01-09
| | | | | | Previously, rootlessport was using /var/tmp as the tmp dir. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* rootless: use RootlessKit port forwarderAkihiro Suda2020-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RootlessKit port forwarder has a lot of advantages over the slirp4netns port forwarder: * Very high throughput. Benchmark result on Travis: socat: 5.2 Gbps, slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps (https://travis-ci.org/rootless-containers/rootlesskit/builds/597056377) * Connections from the host are treated as 127.0.0.1 rather than 10.0.2.2 in the namespace. No UDP issue (#4586) * No tcp_rmem issue (#4537) * Probably works with IPv6. Even if not, it is trivial to support IPv6. (#4311) * Easily extensible for future support of SCTP * Easily extensible for future support of `lxc-user-nic` SUID network RootlessKit port forwarder has been already adopted as the default port forwarder by Rootless Docker/Moby, and no issue has been reported AFAIK. As the port forwarder is imported as a Go package, no `rootlesskit` binary is required for Podman. Fix #4586 May-fix #4559 Fix #4537 May-fix #4311 See https://github.com/rootless-containers/rootlesskit/blob/v0.7.0/pkg/port/builtin/builtin.go Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Allow --ip and --mac to be set when joining a CNI netMatthew Heon2019-11-26
| | | | | | | | | | These only conflict when joining more than one network. We can still set a single CNI network and set a static IP and/or static MAC. Fixes #4500 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* podman: add support for specifying MACJakub Filak2019-11-06
| | | | | | | | I basically copied and adapted the statements for setting IP. Closes #1136 Signed-off-by: Jakub Filak <jakub.filak@sap.com>
* vendor: updated ocicni for MAC addressJakub Filak2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `go get github.com/cri-o/ocicni@deac903fd99b6c52d781c9f42b8db3af7dcfd00a` I had to fix compilation errors in libpod/networking_linux.go --- ocicni.Networks has changed from string to the structure NetAttachment with the member Name (the former string value) and the member Ifname (optional). I don't think we can make use of Ifname here, so I just map the array of structures to array of strings - e.g. dropping Ifname. --- The function GetPodNetworkStatus no longer returns Result but it returns the wrapper structure NetResult which contains the former Result plus NetAttachment (Network name and Interface name). Again, I don't think we can make use of that information here, so I just added `.Result` to fix the build. --- Issue: #1136 Signed-off-by: Jakub Filak <jakub.filak@sap.com>