
Document that source IP for rootless containers is always 10.0.2.100 and slirp4netns workaround with its (dis)advantages #10884

Closed
rugk opened this issue Jul 8, 2021 · 9 comments · Fixed by #11177
Labels: documentation (Issue or fix is in project documentation), locked - please file new issue/PR (Assist humans wanting to comment on an old issue or PR with locked comments.), rootless, slirp4netns (Bug is in slirp4netns)

Comments

@rugk
Contributor

rugk commented Jul 8, 2021

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind documentation
(?)

Problem

I had a curious "problem" with the webserver caddy, where each source IP was always 10.0.2.100. I could trace it back to podman being the obvious fault, because it's the "inside of container" vs "outside of container" view… 🙃
In the end, I solved this by switching to host networking…

Later I noticed this comment by @AkihiroSuda:

Also it should be documented that apps will always see 10.0.2.100 (or CNI IP) as the source address.

#9052 (comment)

Documentation

Searching the docs it seems that this comment was forgotten and nothing was actually documented.

As such, here is an issue to document the fact that this happens and explain the workaround/solution in this case (which AFAIK are either using rootful containers or host networking as I did).
Edit: or… --network slirp4netns:port_handler=slirp4netns, apparently, as I was made aware, ref #9052 (anyway, that also needs documentation)

Relevance

IMHO this is important to document, because the use case of having a proper ingoing IP address is quite popular for all webservers, I guess.
Also, it's a difference to Docker/limitation of rootless containers, so IMHO, it should also be documented here.

@openshift-ci
Contributor

openshift-ci bot commented Jul 8, 2021

@rugk: The label(s) kind/docs cannot be applied, because the repository doesn't have them.

In response to this:

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind docs
(?)

Problem

I had a curious "problem" with the webserver caddy, where each source IP was always 10.0.2.100. I could trace it back to podman being the obvious fault, because it's the "inside of container" vs "outside of container" view… 🙃
In the end, I solved this by switching to host networking…

Later I noticed this comment by @AkihiroSuda:

Also it should be documented that apps will always see 10.0.2.100 (or CNI IP) as the source address.

#9052 (comment)

Documentation

Searching the docs it seems that this comment was forgotten and nothing was actually documented.

As such, here is an issue to document the fact that this happens and explain the workaround/solution in this case (which AFAIK are either using rootful containers or host networking as I did).

Relevance

IMHO this is important to document, because the use case of having a proper ingoing IP address is quite popular for all webservers, I guess.
Also, it's a difference to Docker/limitation of rootless containers, so IMHO, it should also be documented here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rugk
Contributor Author

rugk commented Jul 8, 2021

@openshift-ci-robot retry

Edit: does not work… 😞

@mheon
Member

mheon commented Jul 8, 2021

Worth noting that this behavior can be worked around by specifying --net slirp4netns:port_handler=slirp4netns when creating the container. This forces the old slirp4netns port forwarding, as opposed to rootlesskit - it's slower, but does preserve source address (at the cost of some other quirks)
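The symptom rugk describes in the issue body (every client address in the web server log is 10.0.2.100) and the workaround mheon names here can be turned into a quick defender-side check: if an access log shows nothing but 10.0.2.100 as the client, IP-based access control, rate limiting and audit trails behind that rootless container are blind, and the port handler (or networking mode) should be changed. The following is an added example, not code from the podman project or from any commenter on this issue. The CLF-style log lines are constructed, and the function names and the `min_requests` threshold are my own choices; the 10.0.2.100 address and the `--network slirp4netns:port_handler=slirp4netns` option string are the ones stated in this issue.

```python
"""Detect lost source addresses behind a rootless podman container.

Added example (not podman project code). Per this issue, rootless podman with
the default rootlesskit port handler presents 10.0.2.100 as the peer address of
every forwarded connection. This script scans CLF-style access-log lines and
reports whether the server is only ever seeing that one address.
"""
import ipaddress
import re
from collections import Counter

# Address the application sees as the client for every forwarded connection
# under the rootlesskit port handler, as documented in this issue.
ROOTLESSKIT_SOURCE_IP = "10.0.2.100"

# Workaround named in this issue: slirp4netns's own (slower) port forwarding,
# which preserves the real source address.
PORT_HANDLER_WORKAROUND = "--network slirp4netns:port_handler=slirp4netns"

# Common Log Format: the client address is the first whitespace-separated token.
CLF_CLIENT_RE = re.compile(r"^(\S+)\s")

# Constructed sample log lines (not from any real server).
SAMPLE_MASKED_LOG = """\
10.0.2.100 - - [08/Jul/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512
10.0.2.100 - - [08/Jul/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024
10.0.2.100 - - [08/Jul/2021:10:00:03 +0000] "POST /login HTTP/1.1" 401 128
"""

SAMPLE_HEALTHY_LOG = """\
203.0.113.7 - - [08/Jul/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.23 - - [08/Jul/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.7 - - [08/Jul/2021:10:00:03 +0000] "POST /login HTTP/1.1" 401 128
"""


def client_addresses(log_text):
    """Count client IP addresses in CLF-style log text.

    Returns a Counter keyed by the normalized address string. Lines whose first
    token is not a valid IP address (headers, stray output) are skipped rather
    than aborting the scan.
    """
    counts = Counter()
    for line in log_text.splitlines():
        match = CLF_CLIENT_RE.match(line)
        if not match:
            continue
        try:
            counts[str(ipaddress.ip_address(match.group(1)))] += 1
        except ValueError:
            continue
    return counts


def source_addresses_masked(log_text, min_requests=3):
    """True when every logged client address is the rootlesskit source IP.

    Very short logs are reported as not masked: a single request cannot show
    whether the address is stuck, so the threshold avoids a false positive.
    """
    counts = client_addresses(log_text)
    if sum(counts.values()) < min_requests:
        return False
    return set(counts) == {ROOTLESSKIT_SOURCE_IP}


def recommended_action(log_text):
    """Return the workaround option from this issue, or None if nothing is wrong."""
    if source_addresses_masked(log_text):
        return PORT_HANDLER_WORKAROUND
    return None


if __name__ == "__main__":
    for name, log in (("masked", SAMPLE_MASKED_LOG), ("healthy", SAMPLE_HEALTHY_LOG)):
        print(f"{name}: clients={dict(client_addresses(log))} "
              f"action={recommended_action(log)}")
```

The check is deliberately strict (every address must be 10.0.2.100) so that a server that also receives traffic over another path is not flagged; the alternatives the issue mentions, host networking or a rootful container, apply equally when the check fires. As mheon notes, the slirp4netns port handler is slower, so measure before adopting it on a busy reverse proxy.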

@rugk
Contributor Author

rugk commented Jul 9, 2021

it's slower, but does preserve source address (at the cost of some other quirks)

Very worth noting to also document these two things and whatever quirks are there. Especially for a webserver (as I use it), the performance thing actually matters (especially if you use "multiple" reverse-proxies or so…).
So I would be very interested in hearing that…


Unrelated: Could someone add the kind/documentation tag, please? (I messed up with the bot I know 😅 )

@rugk rugk changed the title Document that source IP for rootless containers is always 10.0.2.100 Document that source IP for rootless containers is always 10.0.2.100 and slirp4netns workaround with its (dis)advantages Jul 9, 2021
@AkihiroSuda AkihiroSuda added documentation Issue or fix is in project documentation rootless slirp4netns Bug is in slirp4netns labels Jul 9, 2021
@rugk
Contributor Author

rugk commented Jul 9, 2021

This forces the old slirp4netns port forwarding, as opposed to rootlesskit

Do I understand this correctly that the new method is rootlesskit for rootless containers, and the old one was slirp4netns?
If yes, then the doc is outdated here too, as it says:

slirp4netns[:OPTIONS,...]: use slirp4netns(1) […]. This is the default for rootless containers.

It's then not the default anymore, as far as I get that.

Edit: Ah forget it, you said "slirp4netns port forwarding", which is only a part of slirp4netns, now this makes sense.

@github-actions

github-actions bot commented Aug 9, 2021

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Aug 9, 2021

@mheon @Luap99 is this still an issue?

@mheon
Member

mheon commented Aug 9, 2021

I don't recall seeing a docs PR, so this still requires attention.

@Luap99
Member

Luap99 commented Aug 10, 2021

I opened #11177

Luap99 added a commit to Luap99/libpod that referenced this issue Aug 10, 2021
Also add some missing options to podman pod create.

Fixes containers#10884

Signed-off-by: Paul Holzinger <[email protected]>
mheon pushed a commit to mheon/libpod that referenced this issue Aug 11, 2021
Also add some missing options to podman pod create.

Fixes containers#10884

Signed-off-by: Paul Holzinger <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023