Merge branch 'master' of https://github.com/rootless-containers/slirp…

…4netns
rootless-containers · Sep 11, 2021 · fee7992 · fee7992
2 parents 0cf4aa8 + 631f361
commit fee7992
Show file tree

Hide file tree

Showing 33 changed files with 501 additions and 313 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -5,7 +5,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        libslirp_commit: [master, v4.4.0, v4.3.0, v4.2.0, v4.1.0]
+        libslirp_commit: [master, v4.6.1, v4.5.0, v4.1.0]
     steps:
     - uses: actions/checkout@v2
     - run: docker build -t slirp4netns-tests --build-arg LIBSLIRP_COMMIT -f Dockerfile.tests .
@@ -47,7 +47,7 @@ jobs:
       run: sh ./run-vagrant-tests
       env:
         LIBSECCOMP_COMMIT: v2.5.0
-        LIBSLIRP_COMMIT: v4.4.0
+        LIBSLIRP_COMMIT: v4.6.1
   artifact:
     runs-on: ubuntu-20.04
     steps:

diff --git a/Dockerfile.artifact b/Dockerfile.artifact
@@ -1,4 +1,4 @@
-ARG LIBSLIRP_COMMIT=v4.4.0
+ARG LIBSLIRP_COMMIT=v4.6.1
 ARG DEBIAN_VERSION=10
 
 FROM --platform=$TARGETPLATFORM debian:${DEBIAN_VERSION} AS build

diff --git a/Dockerfile.buildtests b/Dockerfile.buildtests
@@ -1,4 +1,4 @@
-ARG LIBSLIRP_COMMIT=v4.4.0
+ARG LIBSLIRP_COMMIT=v4.6.1
 
 # Alpine
 FROM alpine:3 AS buildtest-alpine3-static

diff --git a/Dockerfile.tests b/Dockerfile.tests
@@ -1,4 +1,4 @@
-ARG LIBSLIRP_COMMIT=v4.4.0
+ARG LIBSLIRP_COMMIT=v4.6.1
 
 FROM ubuntu:20.04 AS build
 ENV DEBIAN_FRONTEND=noninteractive
@@ -16,6 +16,6 @@ RUN ./autogen.sh && ./configure && make -j $(nproc)
 
 FROM build AS test
 USER 0
-RUN apt update && apt install -y git libtool iproute2 clang clang-format clang-tidy iputils-ping iperf3 ncat jq
+RUN apt update && apt install -y git libtool iproute2 clang clang-format clang-tidy iputils-ping iperf3 ncat jq udhcpc
 USER 1000:1000
 CMD ["make", "ci"]
diff --git a/Makefile.am b/Makefile.am
@@ -5,7 +5,25 @@ AM_CFLAGS = @GLIB_CFLAGS@ @SLIRP_CFLAGS@ @LIBCAP_CFLAGS@ @LIBSECCOMP_CFLAGS@
 noinst_LIBRARIES = libparson.a
 
 AM_TESTS_ENVIRONMENT = PATH="$(abs_top_builddir):$(PATH)"
-TESTS = tests/test-slirp4netns.sh tests/test-slirp4netns-configure.sh tests/test-slirp4netns-exit-fd.sh tests/test-slirp4netns-ready-fd.sh tests/test-slirp4netns-api-socket.sh tests/test-slirp4netns-disable-host-loopback.sh tests/test-slirp4netns-cidr.sh tests/test-slirp4netns-cidr6.sh tests/test-slirp4netns-outbound-addr.sh tests/test-slirp4netns-disable-dns.sh tests/test-slirp4netns-seccomp.sh tests/test-slirp4netns-macaddress.sh tests/test-slirp4netns-ipv6.sh tests/test-slirp4netns-hostfwd4.sh tests/test-slirp4netns-hostfwd6.sh tests/test-slirp4netns-hostfwd.sh
+TESTS = tests/test-slirp4netns-api-socket.sh \
+				tests/test-slirp4netns-cidr.sh \
+				tests/test-slirp4netns-cidr6.sh \
+				tests/test-slirp4netns-configure.sh \
+				tests/test-slirp4netns-dhcp.sh \
+				tests/test-slirp4netns-disable-dns.sh \
+				tests/test-slirp4netns-disable-host-loopback.sh \
+				tests/test-slirp4netns-exit-fd.sh \
+				tests/test-slirp4netns-hostfwd.sh \
+				tests/test-slirp4netns-hostfwd4.sh \
+				tests/test-slirp4netns-hostfwd6.sh \
+				tests/test-slirp4netns-ipv6.sh \
+				tests/test-slirp4netns-macaddress.sh \
+				tests/test-slirp4netns-nspath.sh \
+				tests/test-slirp4netns-outbound-addr.sh \
+				tests/test-slirp4netns-ready-fd.sh \
+				tests/test-slirp4netns-sandbox.sh \
+				tests/test-slirp4netns-sandbox-no-unmount.sh \
+				tests/test-slirp4netns-seccomp.sh
 
 EXTRA_DIST = \
 	slirp4netns.1.md \
@@ -18,7 +36,6 @@ EXTRA_DIST = \
 	seccomparch.h \
 	seccompfilter.h \
 	seccompfilter_rules.h \
-	tests/slirp4netns-no-unmount.sh \
 	vendor/parson/LICENSE \
 	vendor/parson/README.md \
 	vendor/parson/parson.h

diff --git a/README.md b/README.md
@@ -39,6 +39,7 @@ Container engines:
 * [Buildah](https://github.com/containers/buildah)
 * [ctnr](https://github.com/mgoltzsche/ctnr) (via slirp-cni-plugin)
 * [Docker & Moby](https://get.docker.com/rootless) (optionally, via RootlessKit)
+* [containerd/nerdctl](https://github.com/containerd/nerdctl) (optionally, via RootlessKit)
 
 Tools:
 * [RootlessKit](https://github.com/rootless-containers/rootlesskit)
@@ -78,7 +79,7 @@ Also available as a package on almost all Linux distributions:
 * [Gentoo Linux](https://packages.gentoo.org/packages/app-emulation/slirp4netns)
 * [Slackware](https://git.slackbuilds.org/slackbuilds/tree/network/slirp4netns)
 * [Void Linux](https://github.com/void-linux/void-packages/tree/master/srcpkgs/slirp4netns)
-* [Alpine Linux (edge)](https://pkgs.alpinelinux.org/package/edge/testing/x86/slirp4netns)
+* [Alpine Linux (since 3.14)](https://pkgs.alpinelinux.org/packages?name=slirp4netns)
 
 e.g.
 

diff --git a/Vagrantfile b/Vagrantfile
@@ -23,6 +23,8 @@ Vagrant.configure("2") do |config|
         glib2-devel libcap-devel \
         git-core libtool iproute iputils iperf3 nmap jq
 
+      # TODO: install udhcpc (required by test-slirp4netns-dhcp.sh)
+
       cd /src
       chown vagrant .
 

diff --git a/configure.ac b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.69])
-AC_INIT([slirp4netns], [1.1.9+dev], [https://github.com/rootless-containers/slirp4netns/issues])
+AC_INIT([slirp4netns], [1.1.12+dev], [https://github.com/rootless-containers/slirp4netns/issues])
 AC_CONFIG_SRCDIR([main.c])
 AC_CONFIG_HEADERS([config.h])
 

diff --git a/main.c b/main.c
@@ -438,6 +438,13 @@ static int parent(int sock, int ready_fd, int exit_fd, const char *api_socket,
 {
     int rc, tapfd;
     char ipv6[INET6_ADDRSTRLEN];
+    struct in_addr vdhcp_end = {
+#define NB_BOOTP_CLIENTS 16
+        /* NB_BOOTP_CLIENTS is hard-coded to 16 in libslirp:
+           https://gitlab.freedesktop.org/slirp/libslirp/-/issues/49 */
+        .s_addr = htonl(ntohl(cfg->vdhcp_start.s_addr) + NB_BOOTP_CLIENTS - 1),
+#undef NB_BOOTP_CLIENTS
+    };
     if ((tapfd = recvfd(sock)) < 0) {
         return tapfd;
     }
@@ -449,6 +456,8 @@ static int parent(int sock, int ready_fd, int exit_fd, const char *api_socket,
     printf("* Netmask:         %s\n", inet_ntoa(cfg->vnetmask));
     printf("* Gateway:         %s\n", inet_ntoa(cfg->vhost));
     printf("* DNS:             %s\n", inet_ntoa(cfg->vnameserver));
+    printf("* DHCP begin:      %s\n", inet_ntoa(cfg->vdhcp_start));
+    printf("* DHCP end:        %s\n", inet_ntoa(vdhcp_end));
     printf("* Recommended IP:  %s\n", inet_ntoa(cfg->recommended_vguest));
     if (cfg->enable_ipv6) {
         inet_ntop(AF_INET6, &cfg->vnetwork6, ipv6, INET6_ADDRSTRLEN);

diff --git a/slirp4netns.1 b/slirp4netns.1
@@ -1,5 +1,5 @@
 .nh
-.TH SLIRP4NETNS 1 "November 2020" "Rootless Containers" "User Commands"
+.TH SLIRP4NETNS 1 "June 2021" "Rootless Containers" "User Commands"
 
 .SH NAME
 .PP
@@ -31,6 +31,10 @@ Gateway/Host:      10.0.2.2    (network address + 2)
 .IP \(bu 2
 DNS:               10.0.2.3    (network address + 3)
 .IP \(bu 2
+DHCP begin:        10.0.2.15   (network address + 15)
+.IP \(bu 2
+DHCP end:          10.0.2.30   (network address + 30)
+.IP \(bu 2
 IPv6 CIDR:         fd00::/64
 .IP \(bu 2
 IPv6 Gateway/Host: fd00::2
@@ -279,7 +283,7 @@ You may want to set up iptables for limiting access to the built\-in DNS in such
 .RS
 
 .nf
-(host)$ nsenter \-t $(cat /tmp/pid) \-U \-n
+(host)$ nsenter \-t $(cat /tmp/pid) \-U \-\-preserve\-credentials \-n
 (namespace)$ iptables \-A OUTPUT \-d 10.0.2.3 \-p udp \-\-dport 53 \-j ACCEPT
 (namespace)$ iptables \-A OUTPUT \-d 10.0.2.3 \-j DROP
 
@@ -428,7 +432,7 @@ The easiest way to allow inter\-namespace communication is to nest network names
 .RS
 
 .nf
-(host)$ nsenter \-t $(cat /tmp/pid) \-U \-n \-m
+(host)$ nsenter \-t $(cat /tmp/pid) \-U \-\-preserve\-credentials \-n \-m
 (namespace)$ mount \-t tmpfs none /run
 (namespace)$ ip netns add foo
 (namespace)$ ip netns add bar
@@ -458,12 +462,12 @@ To allow communication across multiple slirp4netns instances, you need to combin
 
 .nf
 (host)$ vde\_plug \-\-daemon switch:///tmp/switch null://
-(host)$ nsenter \-t $(cat /tmp/pid\-instance0) \-U \-n
+(host)$ nsenter \-t $(cat /tmp/pid\-instance0) \-U \-\-preserve\-credentials \-n
 (namespace\-instance0)$ vde\_plug \-\-daemon vde:///tmp/switch tap://vde
 (namespace\-instance0)$ ip link set vde up
 (namespace\-instance0)$ ip addr add 192.168.42.100/24 dev vde
 (namespace\-instance0)$ exit
-(host)$ nsenter \-t $(cat /tmp/pid\-instance1) \-U \-n
+(host)$ nsenter \-t $(cat /tmp/pid\-instance1) \-U \-\-preserve\-credentials \-n
 (namespace\-instance1)$ vde\_plug \-\-daemon vde:///tmp/switch tap://vde
 (namespace\-instance1)$ ip link set vde up
 (namespace\-instance1)$ ip addr add 192.168.42.101/24 dev vde
@@ -492,7 +496,7 @@ No real root privilege is needed to modify the file since kernel 4.15.
 .RS
 
 .nf
-(host)$ nsenter \-t $(cat /tmp/pid) \-U \-n \-m
+(host)$ nsenter \-t $(cat /tmp/pid) \-U \-\-preserve\-credentials \-n \-m
 (namespace)$ c=$(cat /proc/sys/net/ipv4/tcp\_rmem); echo $c | sed \-e s/131072/87380/g > /proc/sys/net/ipv4/tcp\_rmem
 
 .fi

diff --git a/slirp4netns.1.md b/slirp4netns.1.md
@@ -1,4 +1,4 @@
-SLIRP4NETNS 1 "November 2020" "Rootless Containers" "User Commands"
+SLIRP4NETNS 1 "June 2021" "Rootless Containers" "User Commands"
 ==================================================
 
 # NAME
@@ -21,6 +21,8 @@ Default configuration:
 * CIDR:              10.0.2.0/24
 * Gateway/Host:      10.0.2.2    (network address + 2)
 * DNS:               10.0.2.3    (network address + 3)
+* DHCP begin:        10.0.2.15   (network address + 15)
+* DHCP end:          10.0.2.30   (network address + 30)
 * IPv6 CIDR:         fd00::/64
 * IPv6 Gateway/Host: fd00::2
 * IPv6 DNS:          fd00::3
@@ -192,7 +194,7 @@ However, a host loopback address might be still accessible via the built-in DNS
 You may want to set up iptables for limiting access to the built-in DNS in such a case.
 
 ```console
-(host)$ nsenter -t $(cat /tmp/pid) -U -n
+(host)$ nsenter -t $(cat /tmp/pid) -U --preserve-credentials -n
 (namespace)$ iptables -A OUTPUT -d 10.0.2.3 -p udp --dport 53 -j ACCEPT
 (namespace)$ iptables -A OUTPUT -d 10.0.2.3 -j DROP
 ```
@@ -272,7 +274,7 @@ Optionally you can use interface names instead of ip addresses.
 The easiest way to allow inter-namespace communication is to nest network namespaces inside the slirp4netns's network namespace.
 
 ```console
-(host)$ nsenter -t $(cat /tmp/pid) -U -n -m
+(host)$ nsenter -t $(cat /tmp/pid) -U --preserve-credentials -n -m
 (namespace)$ mount -t tmpfs none /run
 (namespace)$ ip netns add foo
 (namespace)$ ip netns add bar
@@ -296,12 +298,12 @@ To allow communication across multiple slirp4netns instances, you need to combin
 
 ```console
 (host)$ vde_plug --daemon switch:///tmp/switch null://
-(host)$ nsenter -t $(cat /tmp/pid-instance0) -U -n
+(host)$ nsenter -t $(cat /tmp/pid-instance0) -U --preserve-credentials -n
 (namespace-instance0)$ vde_plug --daemon vde:///tmp/switch tap://vde
 (namespace-instance0)$ ip link set vde up
 (namespace-instance0)$ ip addr add 192.168.42.100/24 dev vde
 (namespace-instance0)$ exit
-(host)$ nsenter -t $(cat /tmp/pid-instance1) -U -n
+(host)$ nsenter -t $(cat /tmp/pid-instance1) -U --preserve-credentials -n
 (namespace-instance1)$ vde_plug --daemon vde:///tmp/switch tap://vde
 (namespace-instance1)$ ip link set vde up
 (namespace-instance1)$ ip addr add 192.168.42.101/24 dev vde
@@ -322,7 +324,7 @@ As a workaround, you can adjust the value of `/proc/sys/net/ipv4/tcp_rmem` insid
 No real root privilege is needed to modify the file since kernel 4.15.
 
 ```console
-(host)$ nsenter -t $(cat /tmp/pid) -U -n -m
+(host)$ nsenter -t $(cat /tmp/pid) -U --preserve-credentials -n -m
 (namespace)$ c=$(cat /proc/sys/net/ipv4/tcp_rmem); echo $c | sed -e s/131072/87380/g > /proc/sys/net/ipv4/tcp_rmem
 ```