Add pesto support for dynamic port forwarding via pasta control socket#755
Add pesto support for dynamic port forwarding via pasta control socket#755Honny1 wants to merge 1 commit intocontainers:mainfrom
pesto support for dynamic port forwarding via pasta control socket#755Conversation
Honny1
force-pushed
the
pesto-support
branch
3 times, most recently
from
83c12a5 to
36bdb53
Compare
| } | ||
|
|
||
| args := portMappingsToPestoArgs(ports) | ||
| args = append(args, socketPath) |
There was a problem hiding this comment.
No, it cannot be. It should be checked by the caller. Should I add a check to be sure?
| // does NOT perform DNAT to the container. Netavark handles that inside the | ||
| // netns. Therefore each mapping uses HostPort as both source and destination | ||
| // (e.g. "-t 0.0.0.0/8080") so traffic arrives at the port netavark expects. | ||
| func portMappingsToPestoArgs(ports []types.PortMapping) []string { |
There was a problem hiding this comment.
does this func make sense if ports is empty? i think you will get something in args that is not expected?
There was a problem hiding this comment.
I think this makes sense. If no ports are specified, it will set -t none -u none, meaning no ports will be forwarded.
Luap99
added
the
podman 6
|
Packit jobs failed. @containers/packit-build please check. |
|
/packit rebuild-failed |
1 similar comment
|
/packit rebuild-failed |
Fixes: https://redhat.atlassian.net/browse/RUN-2214 Fixes: containers/podman#8193 Fixes: https://redhat.atlassian.net/browse/RUN-3587 Signed-off-by: Jan Rodák <hony.com@seznam.cz>
|
Since GH PR reviews are down posted here in the hope it works Not supporting ipv6 here is a hard blocker which we cannot ship with as this would be a major regression. ipv6 dnat work for all addresses except Testing locally with the --no-splice option even the real problem is not packets are send via link local address with is never routed fe80::8880:e9ff:fead:a5cc is the link local inside the rootless netns But I do have an actual global address assigned as well So why is pasta not forwarding to that address? If it would do that then it should work I think Then there is the larger design issue that comes due stripping off the host ip on the podman side in the rootless netns. All packets arrive only on the tap interface in pasta so the netns has no longer any way to route them to the right container ip as the real host ip info is lost at that point, i.e. try something like this all, request will land in one container which is bad and I Am not sure how we could even avoid this here. It is essentially this machine problem containers/podman#14928, we would need to remap ports in the rootless netns dynamically but this is ugly as we need to keep state and it also means we can run out of ports if users forward a lot of ports on many ips on the host but the pasta tap0 interface would only have one set so we get capped at 65535 I guess |
@sbrivio-rh @dgibson I think you talked about the flow table possibly having a destination ip. Is that something that would work today already? I guess it could used to avoid the issue if podman passes the final container ip right with the port mappings and then skip the dnat firewall rules completely because pasta handles it directly in one go |
I just noticed I tested with the wrong network without ipv6 enabled, we must test with a network created with |
3 participants
pesto_linux.go) that invokes the pesto binary to dynamically update pasta's port forwarding table via a UNIX domain socket, enabling rootless bridge containers to add/remove port mappings without restarting pasta.-c <socketPath>to enable the pesto control channel and exposePestoSocketPathinRootlessNetnsInfo.Related to: containers/podman#28478
Fixes: https://redhat.atlassian.net/browse/RUN-2214
Fixes: containers/podman#8193
Fixes: https://redhat.atlassian.net/browse/RUN-3587