Add host.containers.internal entry into container's etc/hosts

[bblenard]

This change adds the entry host.containers.internal to the /etc/hosts
file within a new containers filesystem. The ip address is determined by
the containers networking configuration and points to the gateway address
for the containers networking namespace.

Closes #5651

Signed-off-by: Baron Lenardson [email protected]

[mheon]

/approve

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bblenard, mheon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mheon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mheon]

Can drop this block and make depCtr, err = c.getRootNetNsDepCtr() a :=

Will be a little cleaner

[bblenard]

#9972 (comment)

[mheon]

Can you note that this returns nil if there is no dependency?

[bblenard]

I don't think this can be null unless there is an error, although I could be wrong. So would you like a note about it returning an nil on error? That being said I am adding some extra error handling in that function based on your comment, but it wont make sense if State.Container interface function can return nil, nil.

[mheon]

Can you keep this block const and then add a separate var block below for the slirp4netns bit?

[bblenard]

I have changed this I just don't want to kick off another CICD run until I get the other things sorted out.

[mheon]

I'd like @AkihiroSuda or someone else familiar with slirp to verify the slirp address calculation bits. Overall looks good, few small comments.

[TomSweeneyRedHat]

Nothing over @mheon's comments. @giuseppe if you have a spare eyeball for this, that would be great.

[AkihiroSuda]

I'm not feeling this behavior is correct.
The CIDR+2 address isn't useful when slirp4netns is launched with --disable-host-loopback.
And --disable-host-loopback should not be removed, as exposing bare 127.0.0.1 to containers might result in container-breakout.

I suggest exposing the "real" host IP regardless to rootful/rootless.

[bblenard]

So what would be the alternative? Are you suggesting to derive all interface ip addresses not including lo?

The issue (#5651) was to add behavior that reflects docker's host.docker.internal.

I had a look through some of the docker code and as far as I can tell that is a configuration option given to the daemon so if a user asks for the host gateway address to be added to their container it is added based on that configuration docker-ce reference

So should podman have a similar configuration option?

[AkihiroSuda]

Are you suggesting to derive all interface ip addresses not including lo?

The first interface (eth0) would be fine

[bblenard]

I'm not sure about this solution.

There can be so many different interfaces in so many different configurations that trying to derive an ip address from one of the interfaces seems unstable. I don't necessarily disagree that exposing the loopback interface to the container could result in a container breakout but this change doesn't give that access it simply puts a /etc/hosts entry for that interface.

Like I said above. I think the only viable alternative is to make the interface a configurable option similar to dockerd's --host-gateway-ip launch option.

[bblenard]

@AkihiroSuda bump in case you didn't see my last response

[AkihiroSuda]

Having an option SGTM

[rhatdan]

This last block is not necessary. depCtr will be nil by default.

[bblenard]

I'm not sure syntactically how to get rid of that block 😬

I added it because I wanted to ensure mutual exclusion between shared container network namespace configurations and containers with network namespaces created for them. Basically I didn't want the situation where

        var depCtr *Container
	if c.config.NetNsCtr != "" { // **TRUE**
		// ignoring the error because there isn't anything to do
		depCtr, _ = c.getRootNetNsDepCtr()
	} 
	if len(c.state.NetworkStatus) != 0 { // **TRUE**
		depCtr = c
	}

But If that is not possible / something to worry about I can make them both if's and remove the unnecessary block

[bblenard]

@rhatdan just in case you didn't see my response.

[rhatdan]

Yes, that is fine.

[rhatdan]

Is this unexpected, or would this just be the situation if I run a container with podman run --net=none ...

IE Is this worth logging?

[bblenard]

This would be the case for podman run --net=none so I suppose it isn't that unexpected. Should I just quietly continue or change up the debug message?

[bblenard]

@rhatdan bump just in case you didn't see my response

[rhatdan]

@bblenard Thanks for working on this.

[TomSweeneyRedHat]

@rhatdan can you merge this if it LGTY? I think there was one last "is this OK" type of question for you in the review comments on this one.

[AkihiroSuda]

Bikeshedding: For consistency with host.docker.internal, the corresponding value for Podman should be host.podman.internal or host.containers.internal rather than host.gateway.internal?

[rhatdan]

Yes lets go with host.containers.internal and then we can merge.

[bblenard]

I just pushed up some code and assuming the tests all pass there are just a few small things I want to make sure everyone is on the same page about:

1. this thread. @AkihiroSuda mentioned their concerns about using the slirpns gateway address, we discussed a bit and contemplated using a configuration option to specify an ip address for the host.containers.internal address. @rhatdan / @mheon / @TomSweeneyRedHat thoughts? If that is the route we want to go I'll have to rework most of this code :)

2. @rhatdan I wasn't sure what "Yes, that is fine." meant exactly so I left the code as it was. I can change it if I mis-interpreted your response though.

[AkihiroSuda]

The commit message ( host.gateway.internal ) seems to need to be updated

[bblenard]

The commit message ( host.gateway.internal ) seems to need to be updated

Fixed f5e7b40d66646b3e6517d989d8078110172808de

[rhatdan]

LGTM

[rhatdan]

@containers/podman-maintainers PTAL

[Luap99]

I don't think we should use globals, this will fail when used with the podman service.

[bblenard]

Okay, I'll look at moving away from the globals. I think when I initially wrote this those were constant values that I changed to variables so I didn't even think about if they should be globals. Thanks for catching that :)

[Luap99]

I think you can add a new field (maybe called slirp4netnsSubnet) to the container struct here

podman/libpod/container.go

Line 97 in 663ea96

type Container struct {

and add methods like GetSlirp4netnsIP, GetSlirp4netnsGateway and GetSlirp4netnsDNS which returns the correct ip calculated from the stored subnet.

[bblenard]

Fixed: c0335e77819e23be94bb55d883e18bdd6b742195

I made the helper functions generatl libpod functions that take subnets instead of Container functions that reference internal struct members because I didn't think it was a container specific thing. I also essentially reverted your changes here: f99b7a3 since I had a merge conflict and my changes covered what you did with that commit as far as I could tell.

@Luap99 I'll let you resolve these conversations if you think I properly addressed your comments.

[Luap99]

This block has to be above if havePortMapping...

[bblenard]

I'll fix that once I figure out how to move away from globals like you suggested above.

[bblenard]

Fixed: c0335e77819e23be94bb55d883e18bdd6b742195

[Luap99]

Thanks this looks good. One small nit.

[Luap99]

The block below here should also use GetSlirp4netnsDNS for consistency.

[bblenard]

Fixed: ef6027b2db9d7ebd4a294af002c08c0c93d0e5db

[rhatdan]

This should be a warning not an error, If the user can not do anything about it, then it should just warn.

[bblenard]

Fixed: ef6027b2db9d7ebd4a294af002c08c0c93d0e5db

[Luap99]

@edsantiago PTAL at the system tests.

[rhatdan]

Warning not Error.

[bblenard]

Fixed: ef6027b2db9d7ebd4a294af002c08c0c93d0e5db

[rhatdan]

Warning not error.

[bblenard]

Fixed: ef6027b2db9d7ebd4a294af002c08c0c93d0e5db

[rhatdan]

LGTM once Error->Warnin

[edsantiago]

Just curious: what problem does random_rfc1918_subnet() have that prevents you from using it?

[bblenard]

I wasn't aware of that function. I added it to the tests I wrote 👍

[edsantiago]

Thanks! One suggestion, though: I find string concatenation easier to read than stripping. Would you consider:

    subnet=$(random_rfc1918_subnet)
    ... :cidr="$subnet.0/24"
    .... grep "$subnet"
    ... nameserger "${subnet}.3"

That removes the need for all those complicated fragile %.*, and makes life much easier for future maintainers.

[bblenard]

Sounds good. Fixed: c8dfcce

[Luap99]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bblenard, Luap99, mheon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Luap99,mheon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[edsantiago]

Much better, thank you, but I'm kind of uncomfortable now with the variable name: a CIDR is defined as a full subnet, slash, and mask. A future maintainer may find this a stumbling point, and waste time (e.g. on line 169) wondering how a CIDR can have .2 appended. This is about a 3-out-of-10 gripe, I'm not going to insist on you changing it, but I'd like to bring it to the attention of others in case someone else on the team has a strong opinion either way.

[rhatdan]

/lgtm

[rhatdan]

Thanks @bblenard Nice work.

[bblenard]

Thanks @bblenard Nice work.

Thanks! I've been enjoying working on podman :)