allow switching of port-forward approaches when rootless/using slirp4netns

[aleks-mariusz]

This PR is by request against master (the other original PR was against the 1.9 branch as that's what i was asked to base it off of).

---

As of podman 1.8.0, because of commit da7595a, the default approach of providing port-forwarding in rootless mode has switched (and been hard-coded) to rootlessport, for the purpose of providing super performance. The side-effect of this switch is source within the container to the port-forwarded service always appears to originate from 127.0.0.1 (see issue #5138).

This commit allows a user to specify if they want to revert to the previous approach
of leveraging slirp4netns add_hostfwd() api which, although not as stellar performance,
restores usefulness of seeing incoming traffic origin IP addresses.

The change should be transparent; when not specified, rootlessport will continue to be
used, however if specifying --net slirp4netns:slirplisten the old approach will be used.

Testing performed in rootless mode of relevant functionality:

Default behaviour scenario 1 (nothing specified, so not taking advantage of this commit original behaviour (higher performance rootlessport in use))

[test@test ~]$ podman run -d --name nginx -p 8080:80 docker.io/library/nginx:alpine
c0644bcd50c950a000305d0e548e3b1c40732af5c1f9bcbe1dffba244fc1a048
[test@test ~]$ podman logs -f nginx
127.0.0.1 - - [28/Apr/2020:18:19:47 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36" "-"

Default behaviour scenario 2 (specifying just --net slirp4netns, which is default when in rootless mode)

[test@test ~]$ podman run -d --name nginx -p 8080:80 --net slirp4netns docker.io/library/nginx:alpine
82e93b571cb013b05f586097544c081c78335f932a5fae071d27ca0f24014cf0
[test@test ~]$ podman logs -f nginx
127.0.0.1 - - [28/Apr/2020:18:20:10 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36" "-"

Restored (old, pre-1.8.0) behaviour, where source IP show true origin of port-forwarded traffic.

[test@test ~]$ podman run -d --name nginx -p 8080:80 --net slirp4netns:slirplisten docker.io/library/nginx:alpine
4c5f517d20df3bfc8767371cfefbe87835eb0a0e4e6c300c24b306c80fd3f59f
[test@test ~]$ podman logs -f nginx
192.168.0.22 - - [28/Apr/2020:18:19:14 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36" "-"

Note: the above may imply the restored port-forwarding via slirp4netns is not as performant as the new rootlessport approach, however the figures shared in the original commit that introduced rootlessport are as follows: socat: 5.2 Gbps, slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps, which are more than sufficient for many use cases where the origin of traffic is more important than limits that cannot be reached due to bottlenecks elsewhere.

Signed-off-by: Aleks Mariusz <[email protected]>

[openshift-ci-robot]

Hi @aleks-mariusz. Thanks for your PR.

I'm waiting for a containers member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[aleks-mariusz]

/assign @TomSweeneyRedHat

[jwhonce]

/ok-to-test

[giuseppe]

LGTM

[TomSweeneyRedHat]

LGTM

[mheon]

Can the manpages be updated to include the new network modes?

[rhatdan]

/approve

[vrothberg]

Friendly ping. Once https://github.com/containers/libpod/pull/6324/files/b9893ce95307629cfc54bd8707859c6c2bb146b6#diff-6018b2b043bbcbdd9ac0f143ac9458be is addressed, we can merge.

[rhatdan]

@aleks-mariusz Are you still working on this. Simple change and then we merge.

[aleks-mariusz]

Sorry, just re-pushed the commit w/ the change

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AkihiroSuda, aleks-mariusz, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[giuseppe]

/retest

LGTM

[TomSweeneyRedHat]

Tests aren't looking all that hip

[rhatdan]

@aleks-mariusz Please fix the tests might need a rebase.

[giuseppe]

@aleks-mariusz could you please rebase and push again?

[aleks-mariusz]

bare with me, trying to fix this now.. rebasing off master did not seem to be the right move (or i didn't do it correctly)

[aleks-mariusz]

@giuseppe can we try again please? i messed up the previously attempt (rebased off a stale master), and now have hand re-applied the patch to a new branch based off latest master, and re-pushed now..

[giuseppe]

/retest

[giuseppe]

/retest

[giuseppe]

@aleks-mariusz I'd like to get this feature merged. Could we try to rebase again? For rebasing, it should be enough to do:

git pull --rebase origin master
git push -f ...

[aleks-mariusz]

Commands (adjusted to my setup) and re-ran:

$ git remote -v
origin  [email protected]:aleks-mariusz/libpod.git (fetch)
origin  [email protected]:aleks-mariusz/libpod.git (push)
upstream        https://github.com/containers/libpod.git (fetch)
upstream        https://github.com/containers/libpod.git (push)
$ git pull --rebase upstream master
remote: Enumerating objects: 2021, done.
remote: Counting objects: 100% (2021/2021), done.
remote: Compressing objects: 100% (31/31), done.
remote: Total 3699 (delta 2000), reused 1998 (delta 1988), pack-reused 1678
Receiving objects: 100% (3699/3699), 1.16 MiB | 0 bytes/s, done.
Resolving deltas: 100% (2784/2784), completed with 700 local objects.
From https://github.com/containers/libpod
 * branch            master     -> FETCH_HEAD
First, rewinding head to replay your work on top of it...
Applying: allow switching of port-forward approaches in rootless/using slirp4netns
$ git push -f
Counting objects: 15, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (8/8), 3.05 KiB | 0 bytes/s, done.
Total 8 (delta 6), reused 0 (delta 0)
remote: Resolving deltas: 100% (6/6), completed with 6 local objects.
To [email protected]:aleks-mariusz/libpod.git
 + c6cdbcd...3c2cbcb issues/5138-off-master -> issues/5138-off-master (forced update)

Let me know if there's an issue with the above

[giuseppe]

thanks, tests are finally green.

LGTM

@mheon do you want to wait for the merge?

[mheon]

I think CNI networks are still unsupported with Slirp, so this should probably be removed unless I missed something

[aleks-mariusz]

Unfortunately without this, a any param to --net that contains a : character results in an error about rootless not supporting choosing a network CNI

[mheon]

Hmmm. Let me look a bit, but I suspect this is mostly because of how we're parsing at the command line level.

[AkihiroSuda]

What's current status?

[giuseppe]

@aleks-mariusz are you still interested in this feature?

[giuseppe]

let's follow up here: #6965