Port API: support specifying IP version explicitly ("tcp4", "tcp6") #231

Closed
AkihiroSuda opened this issue Mar 1, 2021 · 3 comments · Fixed by #232
Labels
enhancement New feature or request priority/high

Comments

@AkihiroSuda
Member

AkihiroSuda commented Mar 1, 2021

The new version of Docker libnetwork executes two proxy commands: moby/moby#41908 (comment)

rootlesskit-docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080 -container-ip 172.17.0.2 -container-port 80
rootlesskit-docker-proxy -proto tcp -host-ip :: -host-port 8080 -container-ip 172.17.0.2 -container-port 80

rootlesskit-docker-proxy now fails with EADDRINUSE because it causes the equivalent of rootlessctl add-ports 0.0.0.0:8080:80/tcp [::]:8080:80/tcp

$ rootlessctl add-ports 0.0.0.0:8080:80/tcp [::]:8080:80/tcp
1
error: listen tcp 0.0.0.0:8080: bind: address already in use

rootlesskit-docker-proxy probably needs to be modified to cause rootlessctl add-ports 0.0.0.0:8080:80/tcp4 [::]:8080:80/tcp6

cc @thaJeztah @arkodg

@AkihiroSuda
Member Author

Implementing this is straightforward for the builtin port driver (the default of rootless docker), but the problem is that the slirp4netns port driver doesn't support IPv6 yet (rootless-containers/slirp4netns#253).

Should rootlesskit-docker-proxy ignore -host-ip :: when the port driver is set to slirp4netns?
Or can we configure dockerd to skip invoking the proxy with -host-ip ::?

@thaJeztah
Contributor

> Or can we configure dockerd to skip invoking the proxy with -host-ip ::?

It's tricky; so before docker 20.10, publishing a port to listen on "any" IP (-p 80:80 or -p 0.0.0.0:80:80) implicitly made the port available on both IPv4 and IPv6.

That most likely was an oversight in the original implementation; docker 20.10 "fixed" that, by no longer publishing on IPv6 by default, but there are many people relying on the (faulty?) behaviour, and assume that -p 80:80 makes the port accessible, regardless of whether I try IPv4 or IPv6 (which also makes sense).

The libnetwork update attempts to fix the situation, but instead of "implicitly" exposing both on IPv4 and IPv6 now explicitly exposes on both, which shows both in docker inspect of the container, but also (as a "side-effect" ?) starts two proxies.

I'm a bit on the fence about what the best solution is (also a bit worried about (by default) starting two proxies now, as there could be a non-negligible overhead in that).

AkihiroSuda added a commit to AkihiroSuda/rootlesskit that referenced this issue Mar 1, 2021
The `-proto` argument of `docker-proxy` is like "tcp", but we need to convert it to "tcp4" or "tcp6" explicitly
when calling RootlessKit API, for libnetwork >= 20201216.

If the port driver does not support "tcp6" (especially when the port driver is slirp4netns),
`rootlesskit-docker-proxy` skips exposing the port via RootlessKit API,
without showing an error.

(We can't raise an error here, because `docker run -p 8080:80` always causes
`rootlesskit-docker-proxy -host-ip ::` as well as `r-d-p -h-i 0.0.0.0`)

See https://github.com/moby/libnetwork/pull/2604/files#diff-8fa48beed55dd033bf8e4f8c40b31cf69d0b2cc5d4bb53cde8594670ea6c938aR20

See also rootless-containers#231

Using this version of `rootlesskit-docker-proxy` with libnetwork < 20201216 is also fine,
because Rootless Docker had never officially supported IPv6.

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda
Member Author

Opened PR #232

When the port driver is set to slirp4netns, docker run -p [v6]:8080:80 skips exposing the port, without showing an error.
This behavior might be weird, but I think we can call it a day. ("slirp4netns" port driver is not used by default, even when the network driver is set to "slirp4netns".)

The default port driver builtin seems now fully functional with IPv6.
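
The conversion and silent-skip behaviour described in the commit message above, as an added Go example that is not part of this thread and is not RootlessKit's own code. `ExplicitProto`, `PortSpec`, `ErrSkip` and the driver capability lists are hypothetical names and constructed values; only the `add-ports` argument format is taken from the issue.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ErrSkip: the port driver lacks this proto, so the port is left unexposed without an error.
var ErrSkip = fmt.Errorf("proto unsupported by port driver; skipping")

// ExplicitProto (hypothetical helper, not RootlessKit's API) maps -proto/-host-ip to tcp4, tcp6, ...
func ExplicitProto(proto, hostIP string) (string, error) {
	if net.ParseIP(hostIP) == nil {
		return "", fmt.Errorf("invalid host IP %q", hostIP)
	}
	family := "4"
	if strings.Contains(hostIP, ":") { // "::", "::1", IPv4-mapped forms
		family = "6"
	}
	base := strings.TrimSuffix(strings.TrimSuffix(proto, "4"), "6")
	if (base != "tcp" && base != "udp") || (proto != base && proto != base+family) {
		return "", fmt.Errorf("proto %q invalid for host IP %q", proto, hostIP)
	}
	return base + family, nil
}

// PortSpec builds the "rootlessctl add-ports" argument for one proxy invocation,
// or returns ErrSkip when driverProtos (an assumed capability list) lacks the proto.
func PortSpec(proto, hostIP string, hostPort, childPort int, driverProtos []string) (string, error) {
	p, err := ExplicitProto(proto, hostIP)
	if err != nil {
		return "", err
	}
	for _, d := range driverProtos {
		if d == p {
			return fmt.Sprintf("%s:%d/%s", net.JoinHostPort(hostIP, strconv.Itoa(hostPort)), childPort, p), nil
		}
	}
	return "", ErrSkip
}

func main() {
	for _, ip := range []string{"0.0.0.0", "::"} { // the two invocations from the issue
		spec, err := PortSpec("tcp", ip, 8080, 80, []string{"tcp4", "udp4"}) // constructed IPv4-only driver
		fmt.Printf("-host-ip %-8s => %q (err: %v)\n", ip, spec, err)
	}
}
```

With the constructed IPv4-only capability list, the `::` invocation yields `ErrSkip`, so a caller that swallows it leaves the port reachable over IPv4 only.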

youmeim pushed a commit to youmeim/rootlesskit that referenced this issue Dec 20, 2024