allow switching of port-forward approaches in rootless/using slirp4netns #6965
Conversation
|
Hi @giuseppe to answer the question from the other thread (where i thought @AkihiroSuda was waiting for a @mheon as he last posted the review), i am interested in this feature still, however i'd be more interested if this was config file driven rather than command line parameter.. someone offered to look into doing this after the command line support was in, as it's beyond my famliarity with the code base (not to mention this is the first golang code i've ever touched). |
libpod/container_validate.go
Outdated
| @@ -70,7 +70,7 @@ func (c *Container) validate() error { | |||
|
|
|||
| // Rootless has some requirements, compared to networks. | |||
| if rootless.IsRootless() { | |||
| if len(c.config.Networks) > 0 { | |||
| if !c.config.NetMode.IsSlirp4netns() { | |||
There was a problem hiding this comment.
I'm still against merging with this here - there's probably something on the frontend that's erroneously detecting slirp4netns:rootlesskit as a CNI network and adding it.
There was a problem hiding this comment.
understood, and i'm open to ideas what/where else may need to be adjusted to not need this "enabling" snippet in container_validate.go..
i don't however quite understand what is wrong with the logic applied here, why would the length of networks given ever be a non-empty array, networks shouldn't be able to be specified when rootless.. the fixing of the erroneous detection of that parameter seems like a separate bug that needs to be fixed/handled in a different PR, no ?
There was a problem hiding this comment.
@mheon sorry my mistake. I had fixed the detection but forgot to switch the condition here. Pushed a new version with if len(c.config.Networks) > 0.
I am currently experimenting running CNI plugins inside of the rootless environment. So I cannot promise this line will stay around for long :-)
There was a problem hiding this comment.
Fair enough - I'd be extremely interested to see proper rootless CNI!
There was a problem hiding this comment.
it will still be limited. We first need to create a network namespace managed by slirp, and from that network namespace create new ones using CNI. I am still unsure how to handle its UX nicely
5dcb6ba to
f683586
Compare
As of podman 1.8.0, because of commit da7595a, the default approach of providing port-forwarding in rootless mode has switched (and been hard-coded) to rootlessport, for the purpose of providing super performance. The side-effect of this switch is source within the container to the port-forwarded service always appears to originate from 127.0.0.1 (see issue containers#5138). This commit allows a user to specify if they want to revert to the previous approach of leveraging slirp4netns add_hostfwd() api which, although not as stellar performance, restores usefulness of seeing incoming traffic origin IP addresses. The change should be transparent; when not specified, rootlessport will continue to be used, however if specifying --net slirp4netns:slirplisten the old approach will be used. Note: the above may imply the restored port-forwarding via slirp4netns is not as performant as the new rootlessport approach, however the figures shared in the original commit that introduced rootlessport are as follows: slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps, which are more than sufficient for many use cases where the origin of traffic is more important than limits that cannot be reached due to bottlenecks elsewhere. Signed-off-by: Aleks Mariusz <m.k@alek.cx> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
f683586 to
8d12f19
Compare
|
tests are green |
|
I'm still a little iffy on the throwing options in the namespace itself. We have other requests to allow setting arbitrary options on networks (#6912) - what would you think about having a separate entry ( |
|
@mheon is it something we can add to |
|
@giuseppe That would work for me - I basically want a way to handle the next request after this one without duplicating all the plumbing. |
edfc28e to
03d4f62
Compare
thanks. That was indeed a great idea. It looks much cleaner and it was easy to add a new option on top of it. |
|
LGTM but a nit in the man page. Thanks! |
03d4f62 to
155ffbd
Compare
155ffbd to
d6aeee8
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: AkihiroSuda, giuseppe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@mheon PTAL |
| @@ -164,11 +165,17 @@ func NetFlagsToNetOptions(cmd *cobra.Command) (*entities.NetOptions, error) { | |||
| return nil, err | |||
| } | |||
|
|
|||
| parts := strings.SplitN(network, ":", 2) | |||
There was a problem hiding this comment.
Recommendation: If length on this is 2, we should probably throw away cniNets below (options should only be given if you're not specifying more than 1 seems reasonable)
|
One comment, and it would be nice to have a test; otherwise LGTM |
d6aeee8 to
98dd447
Compare
took care of the comment and added tests |
do not pass network specific options through the network namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: containers#6912 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
98dd447 to
d35d812
Compare
|
/lgtm |
|
/hold |
|
tests are green now /hold cancel |
|
@giuseppe thanks so much for driving this forward and finally getting it all preped, perfected, and merged! quick follow up question, did this implement config-file handling as well? if so what params would need to go into which conf file to fix the original source-ip=127.0.0.1 issue that spawned this? |
no, that part is not implemented yet, it is possible to specify the new option only through the CLI |
|
Yes - we'll need a separate field for this in containers.conf |
|
Did this make it into 2.0.3? |
|
Negative - 2.0.3 is bugfixes only, this is a new feature. I think we'll probably start cutting 2.1.0 release candidates soon, though - this week or next. |
|
Thanks for this PR! The On podman 2.2.1 I can run https://gist.github.com/DavidePrincipi/6a45a7cfaf367115931eff3f50d1a681 |
@mheon does this imply the conf support is available as well? if so can you please point to the param needed and which file it needs to go into? this is a follow up to my previous ask (in July) to @giuseppe |
|
The |
This doesn't seem to work. I tried the following: [containers]
netns = 'slirp4netns:port_handler=slirp4netns' |
|
Edit: Sorry for the necro, got my years mixed up thinking the last post was only a few days ago, not ... a year ago...
I believe you want to use Which sets The manpage also shows Also be aware that unfortunately you cant mix the |
As of podman 1.8.0, because of commit da7595a, the default approach of providing
port-forwarding in rootless mode has switched (and been hard-coded) to rootlessport,
for the purpose of providing super performance. The side-effect of this switch is
source within the container to the port-forwarded service always appears to originate
from 127.0.0.1 (see issue #5138).
This commit allows a user to specify if they want to revert to the previous approach
of leveraging slirp4netns add_hostfwd() api which, although not as stellar performance,
restores usefulness of seeing incoming traffic origin IP addresses.
The change should be transparent; when not specified, rootlessport will continue to be
used, however if specifying --net slirp4netns:slirplisten the old approach will be used.
Note: the above may imply the restored port-forwarding via slirp4netns is not as
performant as the new rootlessport approach, however the figures shared in the original
commit that introduced rootlessport are as follows:
slirp4netns: 8.3 Gbps,
RootlessKit: 27.3 Gbps,
which are more than sufficient for many use cases where the origin of traffic is more
important than limits that cannot be reached due to bottlenecks elsewhere.
Signed-off-by: Aleks Mariusz m.k@alek.cx
Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com
Follow up for #6324