diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index addf1814c4..6f56d2f8fb 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -547,6 +547,7 @@ func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath strin
 ExitFD: 3,
 ReadyFD: 4,
 TmpDir: ctr.runtime.config.Engine.TmpDir,
+ ChildIP: "10.0.2.100",
 }
 cfgJSON, err := json.Marshal(cfg)
 if err != nil {
diff --git a/pkg/rootlessport/rootlessport_linux.go b/pkg/rootlessport/rootlessport_linux.go
index c686d80fcc..80e1309a5f 100644
--- a/pkg/rootlessport/rootlessport_linux.go
+++ b/pkg/rootlessport/rootlessport_linux.go
@@ -48,6 +48,7 @@ type Config struct {
 ExitFD int
 ReadyFD int
 TmpDir string
+ ChildIP string
 }
 
 func init() {
@@ -227,7 +228,7 @@ outer:
 
 // let parent expose ports
 logrus.Infof("exposing ports %v", cfg.Mappings)
- if err := exposePorts(driver, cfg.Mappings); err != nil {
+ if err := exposePorts(driver, cfg.Mappings, cfg.ChildIP); err != nil {
 return err
 }
 
@@ -248,7 +249,7 @@ outer:
 return nil
 }
 
-func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error {
+func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping, childIP string) error {
 ctx := context.TODO()
 for _, i := range portMappings {
 hostIP := i.HostIP
@@ -260,6 +261,7 @@ func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error {
 ParentIP: hostIP,
 ParentPort: int(i.HostPort),
 ChildPort: int(i.ContainerPort),
+ ChildIP: childIP,
 }
 if err := rkportutil.ValidatePortSpec(spec, nil); err != nil {
 return err
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index a824ebcd74..bcc6737b7a 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
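Review bot: `ChildIP: "10.0.2.100"` is a bare string literal dropped into the config struct with no comment saying where the value comes from or why it replaces the loopback default. 10.0.2.100 is the guest address slirp4netns assigns by default, so the value has to track whatever slirp4netns is started with; if that CIDR is ever changed, published ports would silently be delivered to an address the container does not own. Hoist it to a named package constant next to the slirp4netns setup code, documented as `// slirp4netnsChildIP is the guest address slirp4netns assigns by default; forwarded ports are delivered here instead of 127.0.0.1 so the container does not see published-port traffic as local.`, and use `ChildIP: slirp4netnsChildIP,` here. setupRootlessPortMappingViaRLK starts and ends outside the hunk.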
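Review bot: The new `ChildIP` field on the exported `Config` struct has no doc comment, and because this struct is JSON-marshalled by the parent and decoded by the child process, the field's meaning and its empty-value behaviour are part of a cross-process contract rather than an internal detail. Add `// ChildIP is the address inside the child network namespace that forwarded ports are delivered to; what an empty value does is decided by the port driver.` — the fallback is hedged deliberately, since the driver's handling of an empty value is not visible in this diff.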
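Review bot: `ChildIP: childIP` is forwarded unconditionally, so a parent that does not populate the field (an older podman binary driving a newer child, or any other user of this package) yields an empty ChildIP, and whether rkportutil.ValidatePortSpec rejects that or the driver quietly falls back to loopback cannot be seen from this diff — if it is the latter, the 127.0.0.1 behaviour this commit sets out to remove returns silently. Reject it explicitly before the loop, e.g. `if childIP == "" { return errors.New("rootlessport: child IP must be set") }` (using whichever of errors/fmt the file already imports), which also documents the new parameter added in the @@ -248 hunk. exposePorts ends outside this hunk.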
@@ -65,8 +65,13 @@ load helpers
 
 myport=54321
 # Container will exit as soon as 'nc' receives input
+ # We use '-n -v' to give us log messages showing an incoming connection
+ # and its IP address; the purpose of that is guaranteeing that the
+ # remote IP is not 127.0.0.1 (podman PR #9052).
+ # We could get more parseable output by using $NCAT_REMOTE_ADDR,
+ # but busybox nc doesn't support that.
 run_podman run -d --userns=keep-id -p 127.0.0.1:$myport:$myport \
- $IMAGE nc -l -p $myport
+ $IMAGE nc -l -n -v -p $myport
 cid="$output"
 
 # emit random string, and check it
@@ -74,7 +79,17 @@ load helpers
 echo "$teststring" | nc 127.0.0.1 $myport
 
 run_podman logs $cid
- is "$output" "$teststring" "test string received on container"
+ # Sigh. We can't check line-by-line, because 'nc' output order is
+ # unreliable. We usually get the 'connect to' line before the random
+ # string, but sometimes we get it after. So, just do substring checks.
+ is "$output" ".*listening on \[::\]:$myport .*" "nc -v shows right port"
+
+ # This is the truly important check: make sure the remote IP is
+ # in the 10.X range, not 127.X.
+ is "$output" \
+ ".*connect to \[::ffff:10\..*\]:$myport from \[::ffff:10\..*\]:.*" \
+ "nc -v shows remote IP address in 10.X space (not 127.0.0.1)"
+ is "$output" ".*${teststring}.*" "test string received on container"
 
 # Clean up
 run_podman rm $cid
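Review bot: The decisive assertion accepts any `10\.` address on both sides of `connect to … from …`, while the Go side of this commit pins the child address to a single value (10.0.2.100); if the first bracket is the local side, as busybox's wording suggests, pinning it — `".*connect to \[::ffff:10\.0\.2\.100\]:$myport from \[::ffff:10\..*\]:.*"` — would tie the test to the behaviour actually introduced while still excluding 127.x. Whether the peer address on the `from` side is stable enough to pin is not visible here, so leaving that side loose seems right. The check also depends on busybox nc's `-v` message format, which the added comment already acknowledges.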