Skip to content

Commit

Permalink
rootlessport: set source IP to slirp4netns device
Browse files Browse the repository at this point in the history
set the source IP to the slirp4netns address instead of 127.0.0.1 when
using rootlesskit.

Closes: containers#5138

Signed-off-by: Giuseppe Scrivano <[email protected]>
  • Loading branch information
giuseppe committed Jan 22, 2021
1 parent 37319de commit 5e65f0b
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 4 deletions.
1 change: 1 addition & 0 deletions libpod/networking_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -547,6 +547,7 @@ func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath strin
ExitFD: 3,
ReadyFD: 4,
TmpDir: ctr.runtime.config.Engine.TmpDir,
ChildIP: "10.0.2.100",
}
cfgJSON, err := json.Marshal(cfg)
if err != nil {
Expand Down
6 changes: 4 additions & 2 deletions pkg/rootlessport/rootlessport_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ type Config struct {
ExitFD int
ReadyFD int
TmpDir string
ChildIP string
}

func init() {
Expand Down Expand Up @@ -227,7 +228,7 @@ outer:

// let parent expose ports
logrus.Infof("exposing ports %v", cfg.Mappings)
if err := exposePorts(driver, cfg.Mappings); err != nil {
if err := exposePorts(driver, cfg.Mappings, cfg.ChildIP); err != nil {
return err
}

Expand All @@ -248,7 +249,7 @@ outer:
return nil
}

func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error {
func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping, childIP string) error {
ctx := context.TODO()
for _, i := range portMappings {
hostIP := i.HostIP
Expand All @@ -260,6 +261,7 @@ func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error {
ParentIP: hostIP,
ParentPort: int(i.HostPort),
ChildPort: int(i.ContainerPort),
ChildIP: childIP,
}
if err := rkportutil.ValidatePortSpec(spec, nil); err != nil {
return err
Expand Down
19 changes: 17 additions & 2 deletions test/system/500-networking.bats
Original file line number Diff line number Diff line change
Expand Up @@ -65,16 +65,31 @@ load helpers
myport=54321

# Container will exit as soon as 'nc' receives input
# We use '-n -v' to give us log messages showing an incoming connection
# and its IP address; the purpose of that is guaranteeing that the
# remote IP is not 127.0.0.1 (podman PR #9052).
# We could get more parseable output by using $NCAT_REMOTE_ADDR,
# but busybox nc doesn't support that.
run_podman run -d --userns=keep-id -p 127.0.0.1:$myport:$myport \
$IMAGE nc -l -p $myport
$IMAGE nc -l -n -v -p $myport
cid="$output"

# emit random string, and check it
teststring=$(random_string 30)
echo "$teststring" | nc 127.0.0.1 $myport

run_podman logs $cid
is "$output" "$teststring" "test string received on container"
# Sigh. We can't check line-by-line, because 'nc' output order is
# unreliable. We usually get the 'connect to' line before the random
# string, but sometimes we get it after. So, just do substring checks.
is "$output" ".*listening on \[::\]:$myport .*" "nc -v shows right port"

# This is the truly important check: make sure the remote IP is
# in the 10.X range, not 127.X.
is "$output" \
".*connect to \[::ffff:10\..*\]:$myport from \[::ffff:10\..*\]:.*" \
"nc -v shows remote IP address in 10.X space (not 127.0.0.1)"
is "$output" ".*${teststring}.*" "test string received on container"

# Clean up
run_podman rm $cid
Expand Down

0 comments on commit 5e65f0b

Please sign in to comment.