contrib: podman: Add bound address configuration, update port specifications

Rebase the patch for Podman on top of current upstream, and:

- add support for configuration of specific addresses for forwarded
  ports

- by default, disable port forwarding, and reflect this in the man
  page changes

- adjust processing to a new, incompatible format for port storage,
  which I couldn't actually track down to a specific commit, but
  that resulted in https://github.com/containers/podman/issues/13643
  and commit eedaaf33cdbf ("fix slirp4netns port forwarding with
  ranges")

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Stefano Brivio 2022-05-02 21:46:13 +02:00
parent 3f2e7098ac
commit bdcfe4749e


@ -1,6 +1,6 @@
From bcfd618a316097e5d2e1a20703b11beeb21b6899 Mon Sep 17 00:00:00 2001 From 657f20a4e57ec0deada4c6d02810e52c81c37cf1 Mon Sep 17 00:00:00 2001
From: Stefano Brivio <sbrivio@redhat.com> From: Stefano Brivio <sbrivio@redhat.com>
Date: Sat, 19 Feb 2022 04:54:09 +0100 Date: Mon, 2 May 2022 16:12:07 +0200
Subject: [PATCH] libpod: Add pasta networking mode Subject: [PATCH] libpod: Add pasta networking mode
Conceptually equivalent to networking by means of slirp4netns(1), Conceptually equivalent to networking by means of slirp4netns(1),
@ -20,8 +20,8 @@ with a few practical differences:
translation), and keeps the original source address for non-local translation), and keeps the original source address for non-local
connections like slirp4netns does connections like slirp4netns does
- IPv6 is enabled by default, it's not an experimental feature. It - IPv6 is not an experimental feature, and enabled by default. IPv6
can be disabled using additional options as documented port forwarding is supported
- by default, addresses and routes are copied from the host, that is, - by default, addresses and routes are copied from the host, that is,
container users will see the same IP address and routes as if they container users will see the same IP address and routes as if they
@ -41,25 +41,25 @@ Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
SPDX-FileCopyrightText: 2021-2022 Red Hat GmbH <sbrivio@redhat.com> SPDX-FileCopyrightText: 2021-2022 Red Hat GmbH <sbrivio@redhat.com>
SPDX-License-Identifier: Apache-2.0 SPDX-License-Identifier: Apache-2.0
docs/source/markdown/podman-create.1.md | 40 ++++++++++++- docs/source/markdown/podman-create.1.md | 48 ++++++++-
docs/source/markdown/podman-pod-create.1.md | 33 +++++++++++ docs/source/markdown/podman-pod-create.1.md | 44 ++++++++
docs/source/markdown/podman-run.1.md | 38 +++++++++++- docs/source/markdown/podman-run.1.md | 49 ++++++++-
docs/source/markdown/podman.1.md | 6 +- docs/source/markdown/podman.1.md | 6 +-
libpod/networking_linux.go | 6 +- libpod/networking_linux.go | 6 +-
libpod/networking_pasta.go | 64 +++++++++++++++++++++ libpod/networking_pasta.go | 107 ++++++++++++++++++++
pkg/namespaces/namespaces.go | 6 ++ pkg/namespaces/namespaces.go | 6 ++
pkg/specgen/generate/namespaces.go | 10 ++++ pkg/specgen/generate/namespaces.go | 10 ++
pkg/specgen/generate/pod_create.go | 6 ++ pkg/specgen/generate/pod_create.go | 6 ++
pkg/specgen/namespaces.go | 18 +++++- pkg/specgen/namespaces.go | 18 +++-
pkg/specgen/podspecgen.go | 2 +- pkg/specgen/podspecgen.go | 2 +-
11 files changed, 215 insertions(+), 14 deletions(-) 11 files changed, 288 insertions(+), 14 deletions(-)
create mode 100644 libpod/networking_pasta.go create mode 100644 libpod/networking_pasta.go
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 2a0f3b738..5cc03bff3 100644 index c63e8814b..9ffb5fff0 100644
--- a/docs/source/markdown/podman-create.1.md --- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md
@@ -699,12 +699,19 @@ Valid _mode_ values are: @@ -712,10 +712,15 @@ Valid _mode_ values are:
- **interface_name**: Specify a name for the created network interface inside the container. - **interface_name**: Specify a name for the created network interface inside the container.
For example to set a static ipv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`. For example to set a static ipv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`.
@ -73,25 +73,26 @@ index 2a0f3b738..5cc03bff3 100644
- **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. - **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
+ +
- **ns:**_path_: Path to a network namespace to join. - **ns:**_path_: Path to a network namespace to join.
+ - **private**: Create a new namespace for the container. This will use the **bridge** mode for rootful containers and **slirp4netns** for rootless ones.
- **private**: Create a new namespace for the container. This will use the **bridge** mode for rootfull containers and **slirp4netns** for rootless ones. - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf:
+ @@ -731,6 +736,40 @@ Valid _mode_ values are:
- **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options:
- **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`, which is added to `/etc/hosts` as `host.containers.internal` for your convenience). Default is false.
- **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`).
@@ -718,6 +725,30 @@ Valid _mode_ values are:
Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually `10.0.2.100`. If your application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks. Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually `10.0.2.100`. If your application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks.
- **port_handler=slirp4netns**: Use the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks. - **port_handler=slirp4netns**: Use the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks.
+- **pasta[:OPTIONS,...]**: use **pasta**(1) to create a user-mode networking +- **pasta[:OPTIONS,...]**: use **pasta**(1) to create a user-mode networking
+stack. By default, IPv4 and IPv6 addresses and routes, as well as the pod +stack. By default, IPv4 and IPv6 addresses and routes, as well as the pod
+interface name, are copied from the host. If port forwarding isn't configured, +interface name, are copied from the host. Port forwarding preserves the original
+ports will be forwarded dynamically as services are bound on either side (init +source IP address. Options described in pasta(1) can be specified as
+namespace or container namespace). Port forwarding preserves the original source +comma-separated arguments.
+IP address. Options described in pasta(1) can be specified as comma-separated +
+arguments. In terms of pasta(1) options, only **--config-net** is given by +In terms of pasta(1) options, **--config-net** is given by default, in order to
+default, in order to configure networking when the container is started. Some +configure networking when the container is started. Also, **-t none** and
+examples: +**-u none** are passed if, respectively, no TCP or UDP port forwarding from host
+to container is configured, to disable automatic port forwarding based on bound
+ports. Similarly, **-T none** and **-U none** are also given to disable the same
+functionality from container to host.
+
+Some examples:
+ - **pasta:--no-map-gw**: Don't allow the container to directly reach the host + - **pasta:--no-map-gw**: Don't allow the container to directly reach the host
+ using the gateway address, which would normally be mapped to a loopback or + using the gateway address, which would normally be mapped to a loopback or
+ link-local address. + link-local address.
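Review bot: the description added here (the "In terms of pasta(1) options" paragraph) does not say whether a user-supplied `-t auto` or `-u auto`, as in the `pasta:-t,auto,-u,auto,-T,auto,-U,auto` example added further down in this patch, overrides the `-t none`/`-u none` that Podman now passes when no host-to-container forwarding is configured, and the answer depends on the order in which the arguments reach pasta. Suggest stating in the man page that user options are appended after Podman's defaults and take precedence, or having setupPasta omit `-t none`/`-u none` (and `-T none`/`-U none`) when the user's option list already carries the corresponding flag. Dropping the old sentence "ports will be forwarded dynamically as services are bound on either side" is consistent with the new default, and it is worth spelling out in the text that a container no longer exposes ports merely because something bound them on the host, since that is the reason for the change.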
@ -106,11 +107,16 @@ index 2a0f3b738..5cc03bff3 100644
+ equivalent to default slirp4netns(1) options with Podman overrides: same as + equivalent to default slirp4netns(1) options with Podman overrides: same as
+ above, but leave the MTU to 65520 bytes, and don't map the gateway address + above, but leave the MTU to 65520 bytes, and don't map the gateway address
+ from the container to a local address. + from the container to a local address.
+ - **pasta:-t,auto,-u,auto,-T,auto,-U,auto**: enable automatic port forwarding
+ based on observed bound ports from both host and container sides
+ - **pasta:-T,5201**: enable forwarding of TCP port 5201 from container to
+ host, using the loopback interface instead of the tap interface for improved
+ performance
+ +
#### **--network-alias**=*alias* #### **--network-alias**=*alias*
Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a name only for a specific network, use the alias option as described under the **--network** option. Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a name only for a specific network, use the alias option as described under the **--network** option.
@@ -1551,8 +1582,9 @@ In order for users to run rootless, there must be an entry for their username in @@ -1583,8 +1622,9 @@ In order for users to run rootless, there must be an entry for their username in
Rootless Podman works better if the fuse-overlayfs and slirp4netns packages are installed. Rootless Podman works better if the fuse-overlayfs and slirp4netns packages are installed.
The fuse-overlayfs package provides a userspace overlay storage driver, otherwise users need to use The fuse-overlayfs package provides a userspace overlay storage driver, otherwise users need to use
@ -122,7 +128,7 @@ index 2a0f3b738..5cc03bff3 100644
## ENVIRONMENT ## ENVIRONMENT
@@ -1601,7 +1633,9 @@ page. @@ -1633,7 +1673,9 @@ page.
NOTE: Use the environment variable `TMPDIR` to change the temporary storage location of downloaded container images. Podman defaults to use `/var/tmp`. NOTE: Use the environment variable `TMPDIR` to change the temporary storage location of downloaded container images. Podman defaults to use `/var/tmp`.
## SEE ALSO ## SEE ALSO
@ -134,10 +140,10 @@ index 2a0f3b738..5cc03bff3 100644
## HISTORY ## HISTORY
October 2017, converted from Docker documentation to Podman by Dan Walsh for Podman `<dwalsh@redhat.com>` October 2017, converted from Docker documentation to Podman by Dan Walsh for Podman `<dwalsh@redhat.com>`
diff --git a/docs/source/markdown/podman-pod-create.1.md b/docs/source/markdown/podman-pod-create.1.md diff --git a/docs/source/markdown/podman-pod-create.1.md b/docs/source/markdown/podman-pod-create.1.md
index 8088e1d62..c94ac6061 100644 index 714909b98..2b82d9380 100644
--- a/docs/source/markdown/podman-pod-create.1.md --- a/docs/source/markdown/podman-pod-create.1.md
+++ b/docs/source/markdown/podman-pod-create.1.md +++ b/docs/source/markdown/podman-pod-create.1.md
@@ -175,12 +175,19 @@ Valid _mode_ values are: @@ -164,10 +164,15 @@ Valid _mode_ values are:
- **interface_name**: Specify a name for the created network interface inside the container. - **interface_name**: Specify a name for the created network interface inside the container.
For example to set a static ipv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`. For example to set a static ipv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`.
@ -151,13 +157,9 @@ index 8088e1d62..c94ac6061 100644
- **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. - **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
+ +
- **ns:**_path_: Path to a network namespace to join. - **ns:**_path_: Path to a network namespace to join.
+ - **private**: Create a new namespace for the container. This will use the **bridge** mode for rootful containers and **slirp4netns** for rootless ones.
- **private**: Create a new namespace for the container. This will use the **bridge** mode for rootfull containers and **slirp4netns** for rootless ones. - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf:
+ @@ -183,6 +188,43 @@ Valid _mode_ values are:
- **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options:
- **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`, which is added to `/etc/hosts` as `host.containers.internal` for your convenience). Default is false.
- **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`).
@@ -194,6 +201,30 @@ Valid _mode_ values are:
Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually `10.0.2.100`. If your application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks. Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually `10.0.2.100`. If your application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks.
- **port_handler=slirp4netns**: Use the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks. - **port_handler=slirp4netns**: Use the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks.
@ -167,9 +169,17 @@ index 8088e1d62..c94ac6061 100644
+ports will be forwarded dynamically as services are bound on either side (init +ports will be forwarded dynamically as services are bound on either side (init
+namespace or container namespace). Port forwarding preserves the original source +namespace or container namespace). Port forwarding preserves the original source
+IP address. Options described in pasta(1) can be specified as comma-separated +IP address. Options described in pasta(1) can be specified as comma-separated
+arguments. In terms of pasta(1) options, only **--config-net** is given by +arguments.
+default, in order to configure networking when the container is started. Some +
+examples: +
+In terms of pasta(1) options, **--config-net** is given by default, in order to
+configure networking when the container is started. Also, **-t none** and
+**-u none** are passed if, respectively, no TCP or UDP port forwarding from host
+to container is configured, to disable automatic port forwarding based on bound
+ports. Similarly, **-T none** and **-U none** are also given to disable the same
+functionality from container to host.
+
+Some examples:
+ - **pasta:--no-map-gw**: Don't allow the container to directly reach the host + - **pasta:--no-map-gw**: Don't allow the container to directly reach the host
+ using the gateway address, which would normally be mapped to a loopback or + using the gateway address, which would normally be mapped to a loopback or
+ link-local address. + link-local address.
@ -184,11 +194,16 @@ index 8088e1d62..c94ac6061 100644
+ equivalent to default slirp4netns(1) options with Podman overrides: same as + equivalent to default slirp4netns(1) options with Podman overrides: same as
+ above, but leave the MTU to 65520 bytes, and don't map the gateway address + above, but leave the MTU to 65520 bytes, and don't map the gateway address
+ from the container to a local address. + from the container to a local address.
+ - **pasta:-t,auto,-u,auto,-T,auto,-U,auto**: enable automatic port forwarding
+ based on observed bound ports from both host and container sides
+ - **pasta:-T,5201**: enable forwarding of TCP port 5201 from container to
+ host, using the loopback interface instead of the tap interface for improved
+ performance
+ +
#### **--network-alias**=*alias* #### **--network-alias**=*alias*
Add a network-scoped alias for the pod, setting the alias for all networks that the pod joins. To set a name only for a specific network, use the alias option as described under the **--network** option. Add a network-scoped alias for the pod, setting the alias for all networks that the pod joins. To set a name only for a specific network, use the alias option as described under the **--network** option.
@@ -527,6 +558,8 @@ $ podman pod create --network slirp4netns:outbound_addr=127.0.0.1,allow_host_loo @@ -550,6 +592,8 @@ $ podman pod create --network slirp4netns:outbound_addr=127.0.0.1,allow_host_loo
$ podman pod create --network slirp4netns:cidr=192.168.0.0/24 $ podman pod create --network slirp4netns:cidr=192.168.0.0/24
@ -198,10 +213,10 @@ index 8088e1d62..c94ac6061 100644
``` ```
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index 239cf3b83..7c12f5e88 100644 index 9d9394020..1143284bf 100644
--- a/docs/source/markdown/podman-run.1.md --- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md
@@ -726,12 +726,19 @@ Valid _mode_ values are: @@ -738,10 +738,15 @@ Valid _mode_ values are:
- **interface_name**: Specify a name for the created network interface inside the container. - **interface_name**: Specify a name for the created network interface inside the container.
For example to set a static ipv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`. For example to set a static ipv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`.
@ -215,13 +230,9 @@ index 239cf3b83..7c12f5e88 100644
- **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. - **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
+ +
- **ns:**_path_: Path to a network namespace to join. - **ns:**_path_: Path to a network namespace to join.
+ - **private**: Create a new namespace for the container. This will use the **bridge** mode for rootful containers and **slirp4netns** for rootless ones.
- **private**: Create a new namespace for the container. This will use the **bridge** mode for rootfull containers and **slirp4netns** for rootless ones. - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf:
+ @@ -757,6 +762,43 @@ Valid _mode_ values are:
- **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options:
- **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`, which is added to `/etc/hosts` as `host.containers.internal` for your convenience). Default is false.
- **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`).
@@ -745,6 +752,30 @@ Valid _mode_ values are:
Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually `10.0.2.100`. If your application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks. Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually `10.0.2.100`. If your application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks.
- **port_handler=slirp4netns**: Use the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks. - **port_handler=slirp4netns**: Use the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks.
@ -231,9 +242,17 @@ index 239cf3b83..7c12f5e88 100644
+ports will be forwarded dynamically as services are bound on either side (init +ports will be forwarded dynamically as services are bound on either side (init
+namespace or container namespace). Port forwarding preserves the original source +namespace or container namespace). Port forwarding preserves the original source
+IP address. Options described in pasta(1) can be specified as comma-separated +IP address. Options described in pasta(1) can be specified as comma-separated
+arguments. In terms of pasta(1) options, only **--config-net** is given by +arguments.
+default, in order to configure networking when the container is started. Some +
+examples: +
+In terms of pasta(1) options, **--config-net** is given by default, in order to
+configure networking when the container is started. Also, **-t none** and
+**-u none** are passed if, respectively, no TCP or UDP port forwarding from host
+to container is configured, to disable automatic port forwarding based on bound
+ports. Similarly, **-T none** and **-U none** are also given to disable the same
+functionality from container to host.
+
+Some examples:
+ - **pasta:--no-map-gw**: Don't allow the container to directly reach the host + - **pasta:--no-map-gw**: Don't allow the container to directly reach the host
+ using the gateway address, which would normally be mapped to a loopback or + using the gateway address, which would normally be mapped to a loopback or
+ link-local address. + link-local address.
@ -248,11 +267,16 @@ index 239cf3b83..7c12f5e88 100644
+ equivalent to default slirp4netns(1) options with Podman overrides: same as + equivalent to default slirp4netns(1) options with Podman overrides: same as
+ above, but leave the MTU to 65520 bytes, and don't map the gateway address + above, but leave the MTU to 65520 bytes, and don't map the gateway address
+ from the container to a local address. + from the container to a local address.
+ - **pasta:-t,auto,-u,auto,-T,auto,-U,auto**: enable automatic port forwarding
+ based on observed bound ports from both host and container sides
+ - **pasta:-T,5201**: enable forwarding of TCP port 5201 from container to
+ host, using the loopback interface instead of the tap interface for improved
+ performance
+ +
#### **--network-alias**=*alias* #### **--network-alias**=*alias*
Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a name only for a specific network, use the alias option as described under the **--network** option. Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a name only for a specific network, use the alias option as described under the **--network** option.
@@ -1935,8 +1966,9 @@ In order for users to run rootless, there must be an entry for their username in @@ -1963,8 +2005,9 @@ In order for users to run rootless, there must be an entry for their username in
Rootless Podman works better if the fuse-overlayfs and slirp4netns packages are installed. Rootless Podman works better if the fuse-overlayfs and slirp4netns packages are installed.
The **fuse-overlayfs** package provides a userspace overlay storage driver, otherwise users need to use The **fuse-overlayfs** package provides a userspace overlay storage driver, otherwise users need to use
@ -264,7 +288,7 @@ index 239cf3b83..7c12f5e88 100644
## ENVIRONMENT ## ENVIRONMENT
@@ -1983,7 +2015,7 @@ page. @@ -2011,7 +2054,7 @@ page.
NOTE: Use the environment variable `TMPDIR` to change the temporary storage location of downloaded container images. Podman defaults to use `/var/tmp`. NOTE: Use the environment variable `TMPDIR` to change the temporary storage location of downloaded container images. Podman defaults to use `/var/tmp`.
## SEE ALSO ## SEE ALSO
@ -274,19 +298,19 @@ index 239cf3b83..7c12f5e88 100644
## HISTORY ## HISTORY
September 2018, updated by Kunal Kushwaha `<kushwaha_kunal_v7@lab.ntt.co.jp>` September 2018, updated by Kunal Kushwaha `<kushwaha_kunal_v7@lab.ntt.co.jp>`
diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md
index b318001e4..1ad808cba 100644 index 3d1578ea1..0768fd082 100644
--- a/docs/source/markdown/podman.1.md --- a/docs/source/markdown/podman.1.md
+++ b/docs/source/markdown/podman.1.md +++ b/docs/source/markdown/podman.1.md
@@ -95,7 +95,7 @@ Set libpod namespace. Namespaces are used to separate groups of containers and p @@ -88,7 +88,7 @@ Set libpod namespace. Namespaces are used to separate groups of containers and p
When namespace is set, created containers and pods will join the given namespace, and only containers and pods in the given namespace will be visible to Podman. When namespace is set, created containers and pods will join the given namespace, and only containers and pods in the given namespace will be visible to Podman.
#### **--network-cmd-path**=*path* #### **--network-cmd-path**=*path*
-Path to the command binary to use for setting up a network. It is currently only used for setting up a slirp4netns network. If "" is used then the binary is looked up using the $PATH environment variable. -Path to the command binary to use for setting up a network. It is currently only used for setting up a slirp4netns network. If "" is used then the binary is looked up using the $PATH environment variable.
+Path to the command binary to use for setting up a network. It is currently only used for setting up a slirp4netns(1) or pasta(1) network. If "" is used then the binary is looked up using the $PATH environment variable. +Path to the command binary to use for setting up a network. It is currently only used for setting up a slirp4netns(1) or pasta(1) network. If "" is used then the binary is looked up using the $PATH environment variable.
#### **--noout** #### **--network-config-dir**=*directory*
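Review bot: with `--network-cmd-path` now documented as serving both slirp4netns(1) and pasta(1), one path cannot be correct for both modes: a user who set it to a slirp4netns binary and later selects `--network pasta` will have the new setupPasta, which reads `r.config.Engine.NetworkCmdPath` unconditionally, exec that binary with pasta's arguments. Suggest the sentence say that the binary must match the network mode selected for the container or pod, or that Podman validate the configured path against the selected mode before exec.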
@@ -409,7 +409,7 @@ See the `subuid(5)` and `subgid(5)` man pages for more information. @@ -415,7 +415,7 @@ See the `subuid(5)` and `subgid(5)` man pages for more information.
Images are pulled under `XDG_DATA_HOME` when specified, otherwise in the home directory of the user under `.local/share/containers/storage`. Images are pulled under `XDG_DATA_HOME` when specified, otherwise in the home directory of the user under `.local/share/containers/storage`.
@ -295,7 +319,7 @@ index b318001e4..1ad808cba 100644
In certain environments like HPC (High Performance Computing), users cannot take advantage of the additional UIDs and GIDs from the /etc/subuid and /etc/subgid systems. However, in this environment, rootless Podman can operate with a single UID. To make this work, set the `ignore_chown_errors` option in the /etc/containers/storage.conf or in ~/.config/containers/storage.conf files. This option tells Podman when pulling an image to ignore chown errors when attempting to change a file in a container image to match the non-root UID in the image. This means all files get saved as the user's UID. Note this could cause issues when running the container. In certain environments like HPC (High Performance Computing), users cannot take advantage of the additional UIDs and GIDs from the /etc/subuid and /etc/subgid systems. However, in this environment, rootless Podman can operate with a single UID. To make this work, set the `ignore_chown_errors` option in the /etc/containers/storage.conf or in ~/.config/containers/storage.conf files. This option tells Podman when pulling an image to ignore chown errors when attempting to change a file in a container image to match the non-root UID in the image. This means all files get saved as the user's UID. Note this could cause issues when running the container.
@@ -422,7 +422,7 @@ The Network File System (NFS) and other distributed file systems (for example: L @@ -428,7 +428,7 @@ The Network File System (NFS) and other distributed file systems (for example: L
For more information, please refer to the [Podman Troubleshooting Page](https://github.com/containers/podman/blob/main/troubleshooting.md). For more information, please refer to the [Podman Troubleshooting Page](https://github.com/containers/podman/blob/main/troubleshooting.md).
## SEE ALSO ## SEE ALSO
@ -305,10 +329,10 @@ index b318001e4..1ad808cba 100644
## HISTORY ## HISTORY
Dec 2016, Originally compiled by Dan Walsh <dwalsh@redhat.com> Dec 2016, Originally compiled by Dan Walsh <dwalsh@redhat.com>
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index 19d5c7f76..183f815ba 100644 index 0c124cf0b..4d25e26f2 100644
--- a/libpod/networking_linux.go --- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go +++ b/libpod/networking_linux.go
@@ -636,6 +636,9 @@ func (r *Runtime) configureNetNS(ctr *Container, ctrNS ns.NetNS) (status map[str @@ -644,6 +644,9 @@ func (r *Runtime) configureNetNS(ctr *Container, ctrNS ns.NetNS) (status map[str
if ctr.config.NetMode.IsSlirp4netns() { if ctr.config.NetMode.IsSlirp4netns() {
return nil, r.setupSlirp4netns(ctr, ctrNS) return nil, r.setupSlirp4netns(ctr, ctrNS)
} }
@ -318,22 +342,22 @@ index 19d5c7f76..183f815ba 100644
networks, err := ctr.networks() networks, err := ctr.networks()
if err != nil { if err != nil {
return nil, err return nil, err
@@ -806,7 +809,8 @@ func (r *Runtime) teardownCNI(ctr *Container) error { @@ -811,7 +814,8 @@ func (r *Runtime) teardownCNI(ctr *Container) error {
return err return err
} }
- if !ctr.config.NetMode.IsSlirp4netns() && len(networks) > 0 { - if !ctr.config.NetMode.IsSlirp4netns() && len(networks) > 0 {
+ if !ctr.config.NetMode.IsSlirp4netns() && + if !ctr.config.NetMode.IsSlirp4netns() &&
+ !ctr.config.NetMode.IsPasta() && len(networks) > 0 { + !ctr.config.NetMode.IsPasta() && len(networks) > 0 {
netOpts, err := ctr.getNetworkOptions(networks) netOpts := ctr.getNetworkOptions(networks)
if err != nil { return r.teardownNetwork(ctr.state.NetNS.Path(), netOpts)
return err }
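Review bot: the new condition `!ctr.config.NetMode.IsSlirp4netns() && !ctr.config.NetMode.IsPasta() && len(networks) > 0` only skips the network-backend teardown for pasta; nothing in this hunk, or anywhere else in the visible diff, stops the pasta process or records its PID on teardown. If pasta is expected to exit on its own once the namespace it was given goes away, a one-line comment here saying so would save the next reader from looking for the missing kill; if it is not, the process outlives the container and keeps whatever host ports it bound.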
diff --git a/libpod/networking_pasta.go b/libpod/networking_pasta.go diff --git a/libpod/networking_pasta.go b/libpod/networking_pasta.go
new file mode 100644 new file mode 100644
index 000000000..71595c87c index 000000000..66f81cbfc
--- /dev/null --- /dev/null
+++ b/libpod/networking_pasta.go +++ b/libpod/networking_pasta.go
@@ -0,0 +1,64 @@ @@ -0,0 +1,107 @@
+// SPDX-License-Identifier: Apache-2.0 +// SPDX-License-Identifier: Apache-2.0
+// +//
+// networking_pasta.go - Start pasta(1) to provide connectivity to the container +// networking_pasta.go - Start pasta(1) to provide connectivity to the container
@ -356,13 +380,17 @@ index 000000000..71595c87c
+) +)
+ +
+func (r *Runtime) setupPasta(ctr *Container, netns ns.NetNS) error { +func (r *Runtime) setupPasta(ctr *Container, netns ns.NetNS) error {
+ var NoTCPInitPorts = true
+ var NoUDPInitPorts = true
+ var NoTCPNamespacePorts = true
+ var NoUDPNamespacePorts = true
+
+ path := r.config.Engine.NetworkCmdPath + path := r.config.Engine.NetworkCmdPath
+ if path == "" { + if path == "" {
+ var err error + var err error
+ path, err = exec.LookPath("pasta") + path, err = exec.LookPath("pasta")
+ if err != nil { + if err != nil {
+ logrus.Errorf("Could not find pasta, the network namespace won't be configured: %v", err) + return fmt.Errorf("could not find pasta, the network namespace can't be configured: %w", err)
+ return nil
+ } + }
+ } + }
+ +
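Review bot: the four locals `var NoTCPInitPorts = true`, `NoUDPInitPorts`, `NoTCPNamespacePorts`, `NoUDPNamespacePorts` use exported-style capitalised names; Go convention for locals is `noTCPInitPorts := true`, and since they are only written by the argument scan at the end of the function they could be declared right next to it instead of at the top. Replacing `logrus.Errorf(...)` plus `return nil` with `return fmt.Errorf("could not find pasta, the network namespace can't be configured: %w", err)` is the right call: the old code let container creation succeed with an unconfigured namespace, so a missing binary silently produced a container without the connectivity the user asked for. Assuming the caller mirrors the `return nil, r.setupSlirp4netns(ctr, ctrNS)` pattern shown above, the error now surfaces; confirm it is not merely logged there.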
@ -370,21 +398,60 @@ index 000000000..71595c87c
+ cmdArgs = append(cmdArgs, "--config-net") + cmdArgs = append(cmdArgs, "--config-net")
+ +
+ for _, i := range ctr.convertPortMappings() { + for _, i := range ctr.convertPortMappings() {
+ if i.Protocol == "tcp" { + protocols := strings.Split(i.Protocol, ",")
+ cmdArgs = append(cmdArgs, "-t") + for _, protocol := range protocols {
+ } else if i.Protocol == "udp" { + var addr string
+ cmdArgs = append(cmdArgs, "-u")
+ } else {
+ logrus.Errorf("can't forward protocol: %s", i.Protocol)
+ return nil
+ }
+ +
+ arg := fmt.Sprintf("%d:%d", i.HostPort, i.ContainerPort) + if (i.HostIP != "") {
+ cmdArgs = append(cmdArgs, arg) + addr = fmt.Sprintf("%s/", i.HostIP)
+ } else {
+ addr = ""
+ }
+
+ if protocol == "tcp" {
+ cmdArgs = append(cmdArgs, "-t")
+ } else if protocol == "udp" {
+ cmdArgs = append(cmdArgs, "-u")
+ } else {
+ return fmt.Errorf("can't forward protocol: %s", protocol)
+ }
+
+ arg := fmt.Sprintf("%s%d-%d:%d-%d", addr,
+ i.HostPort,
+ i.HostPort + i.Range - 1,
+ i.ContainerPort,
+ i.ContainerPort + i.Range - 1)
+ cmdArgs = append(cmdArgs, arg)
+ }
+ } + }
+ +
+ cmdArgs = append(cmdArgs, ctr.config.NetworkOptions["pasta"]...) + cmdArgs = append(cmdArgs, ctr.config.NetworkOptions["pasta"]...)
+ +
+ for _, i := range cmdArgs {
+ if (i == "-t" || i == "--tcp-ports") {
+ NoTCPInitPorts = false
+ } else if (i == "-u" || i == "--udp-ports") {
+ NoUDPInitPorts = false
+ } else if (i == "-T" || i == "--tcp-ns") {
+ NoTCPNamespacePorts = false
+ } else if (i == "-U" || i == "--udp-ns") {
+ NoUDPNamespacePorts = false
+ }
+ }
+
+ if (NoTCPInitPorts) {
+ cmdArgs = append(cmdArgs, "-t", "none")
+ }
+ if (NoUDPInitPorts) {
+ cmdArgs = append(cmdArgs, "-u", "none")
+ }
+ if (NoTCPNamespacePorts) {
+ cmdArgs = append(cmdArgs, "-T", "none")
+ }
+ if (NoUDPNamespacePorts) {
+ cmdArgs = append(cmdArgs, "-U", "none")
+ }
+
+ cmdArgs = append(cmdArgs, netns.Path()) + cmdArgs = append(cmdArgs, netns.Path())
+ +
+ logrus.Debugf("pasta arguments: %s", strings.Join(cmdArgs, " ")) + logrus.Debugf("pasta arguments: %s", strings.Join(cmdArgs, " "))
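Review bot: `i.HostPort + i.Range - 1` and `i.ContainerPort + i.Range - 1` in the `arg := fmt.Sprintf("%s%d-%d:%d-%d", addr, ...)` call assume `i.Range` is at least 1; a mapping that arrives with `Range == 0` yields an inverted spec such as `8080-8079:80-79`, so either normalise it (`if i.Range == 0 { i.Range = 1 }`) or state in a comment that convertPortMappings() guarantees the invariant. Second, the scan that clears `NoTCPInitPorts` and friends compares whole tokens (`i == "-t" || i == "--tcp-ports"`), so a user option passed in `--opt=value` form through `ctr.config.NetworkOptions["pasta"]` (for example `--tcp-ports=8080`) is not recognised and `-t none` is appended after it; whether pasta honours the first or the last occurrence then decides whether the user's forwarding silently disappears, so either also match the `--tcp-ports=` prefix or document the limitation next to the loop. Third, an IPv6 `i.HostIP` is emitted bare as `%s/` in front of the port range; confirm pasta accepts that form or bracket it. Returning `fmt.Errorf("can't forward protocol: %s", protocol)` instead of logging and returning nil is an improvement for the same reason as in the previous hunk. Style: the parenthesised conditions (`if (i.HostIP != "")`, `if (NoTCPInitPorts)`) are not idiomatic Go, and the `else { addr = "" }` branch is redundant because `addr` is already the zero value.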
@ -399,7 +466,7 @@ index 000000000..71595c87c
+ return nil + return nil
+} +}
diff --git a/pkg/namespaces/namespaces.go b/pkg/namespaces/namespaces.go diff --git a/pkg/namespaces/namespaces.go b/pkg/namespaces/namespaces.go
index a7736aee0..0b2cb2b0b 100644 index c95f8e275..46fa74640 100644
--- a/pkg/namespaces/namespaces.go --- a/pkg/namespaces/namespaces.go
+++ b/pkg/namespaces/namespaces.go +++ b/pkg/namespaces/namespaces.go
@@ -19,6 +19,7 @@ const ( @@ -19,6 +19,7 @@ const (
@ -410,7 +477,7 @@ index a7736aee0..0b2cb2b0b 100644
) )
// CgroupMode represents cgroup mode in the container. // CgroupMode represents cgroup mode in the container.
@@ -388,6 +389,11 @@ func (n NetworkMode) IsSlirp4netns() bool { @@ -393,6 +394,11 @@ func (n NetworkMode) IsSlirp4netns() bool {
return n == slirpType || strings.HasPrefix(string(n), slirpType+":") return n == slirpType || strings.HasPrefix(string(n), slirpType+":")
} }
@ -423,15 +490,15 @@ index a7736aee0..0b2cb2b0b 100644
func (n NetworkMode) IsNS() bool { func (n NetworkMode) IsNS() bool {
return strings.HasPrefix(string(n), nsType) return strings.HasPrefix(string(n), nsType)
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index 3f77cbe76..a72be1731 100644 index 37d561ec2..3404746ee 100644
--- a/pkg/specgen/generate/namespaces.go --- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go +++ b/pkg/specgen/generate/namespaces.go
@@ -258,6 +258,16 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod. @@ -262,6 +262,16 @@ func namespaceOptions(s *specgen.SpecGenerator, rt *libpod.Runtime, pod *libpod.
val = fmt.Sprintf("slirp4netns:%s", s.NetNS.Value) val = fmt.Sprintf("slirp4netns:%s", s.NetNS.Value)
} }
toReturn = append(toReturn, libpod.WithNetNS(portMappings, expose, postConfigureNetNS, val, nil)) toReturn = append(toReturn, libpod.WithNetNS(portMappings, expose, postConfigureNetNS, val, nil))
+ case specgen.Pasta: + case specgen.Pasta:
+ portMappings, expose, err := createPortMappings(ctx, s, imageData) + portMappings, expose, err := createPortMappings(s, imageData)
+ if err != nil { + if err != nil {
+ return nil, err + return nil, err
+ } + }
@ -444,10 +511,10 @@ index 3f77cbe76..a72be1731 100644
fallthrough fallthrough
case specgen.Bridge: case specgen.Bridge:
diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go
index 68fda3ad7..0d64027a3 100644 index a3408b402..7d83e9ae1 100644
--- a/pkg/specgen/generate/pod_create.go --- a/pkg/specgen/generate/pod_create.go
+++ b/pkg/specgen/generate/pod_create.go +++ b/pkg/specgen/generate/pod_create.go
@@ -232,6 +232,12 @@ func MapSpec(p *specgen.PodSpecGenerator) (*specgen.SpecGenerator, error) { @@ -233,6 +233,12 @@ func MapSpec(p *specgen.PodSpecGenerator) (*specgen.SpecGenerator, error) {
p.InfraContainerSpec.NetworkOptions = p.NetworkOptions p.InfraContainerSpec.NetworkOptions = p.NetworkOptions
p.InfraContainerSpec.NetNS.NSMode = specgen.NamespaceMode("slirp4netns") p.InfraContainerSpec.NetNS.NSMode = specgen.NamespaceMode("slirp4netns")
} }
@ -461,10 +528,10 @@ index 68fda3ad7..0d64027a3 100644
logrus.Debugf("Pod will not use networking") logrus.Debugf("Pod will not use networking")
if len(p.InfraContainerSpec.PortMappings) > 0 || if len(p.InfraContainerSpec.PortMappings) > 0 ||
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index e672bc65f..c7d443661 100644 index 7a7ca2706..861d08f89 100644
--- a/pkg/specgen/namespaces.go --- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go +++ b/pkg/specgen/namespaces.go
@@ -47,6 +47,9 @@ const ( @@ -51,6 +51,9 @@ const (
// be used. // be used.
// Only used with the network namespace, invalid otherwise. // Only used with the network namespace, invalid otherwise.
Slirp NamespaceMode = "slirp4netns" Slirp NamespaceMode = "slirp4netns"
@ -474,7 +541,7 @@ index e672bc65f..c7d443661 100644
// KeepId indicates a user namespace to keep the owner uid inside // KeepId indicates a user namespace to keep the owner uid inside
// of the namespace itself. // of the namespace itself.
// Only used with the user namespace, invalid otherwise. // Only used with the user namespace, invalid otherwise.
@@ -135,7 +138,7 @@ func validateNetNS(n *Namespace) error { @@ -153,7 +156,7 @@ func validateNetNS(n *Namespace) error {
return nil return nil
} }
switch n.NSMode { switch n.NSMode {
@ -483,7 +550,7 @@ index e672bc65f..c7d443661 100644
break break
case "", Default, Host, Path, FromContainer, FromPod, Private, NoNetwork, Bridge: case "", Default, Host, Path, FromContainer, FromPod, Private, NoNetwork, Bridge:
break break
@@ -167,7 +170,7 @@ func (n *Namespace) validate() error { @@ -196,7 +199,7 @@ func (n *Namespace) validate() error {
switch n.NSMode { switch n.NSMode {
case "", Default, Host, Path, FromContainer, FromPod, Private: case "", Default, Host, Path, FromContainer, FromPod, Private:
// Valid, do nothing // Valid, do nothing
@ -492,7 +559,7 @@ index e672bc65f..c7d443661 100644
return errors.Errorf("cannot use network modes with non-network namespace") return errors.Errorf("cannot use network modes with non-network namespace")
default: default:
return errors.Errorf("invalid namespace type %s specified", n.NSMode) return errors.Errorf("invalid namespace type %s specified", n.NSMode)
@@ -281,6 +284,8 @@ func ParseNetworkNamespace(ns string, rootlessDefaultCNI bool) (Namespace, map[s @@ -328,6 +331,8 @@ func ParseNetworkNamespace(ns string, rootlessDefaultCNI bool) (Namespace, map[s
switch { switch {
case ns == string(Slirp), strings.HasPrefix(ns, string(Slirp)+":"): case ns == string(Slirp), strings.HasPrefix(ns, string(Slirp)+":"):
toReturn.NSMode = Slirp toReturn.NSMode = Slirp
@ -501,7 +568,7 @@ index e672bc65f..c7d443661 100644
case ns == string(FromPod): case ns == string(FromPod):
toReturn.NSMode = FromPod toReturn.NSMode = FromPod
case ns == "" || ns == string(Default) || ns == string(Private): case ns == "" || ns == string(Default) || ns == string(Private):
@@ -349,6 +354,13 @@ func ParseNetworkFlag(networks []string) (Namespace, map[string]types.PerNetwork @@ -396,6 +401,13 @@ func ParseNetworkFlag(networks []string) (Namespace, map[string]types.PerNetwork
networkOptions[parts[0]] = strings.Split(parts[1], ",") networkOptions[parts[0]] = strings.Split(parts[1], ",")
} }
toReturn.NSMode = Slirp toReturn.NSMode = Slirp
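Review bot: the slirp4netns branch above stores the comma-split options under `networkOptions[parts[0]]`, and setupPasta reads them back from `ctr.config.NetworkOptions["pasta"]`; the pasta branch added here is collapsed in this view, so double-check that it uses the same key and the same `strings.Split(parts[1], ",")`, otherwise user-supplied pasta options are dropped without any error. Splitting on "," also means a pasta option whose value itself contains a comma cannot be passed through `--network=pasta:...`; worth a sentence in the man page section of this patch.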
@ -515,7 +582,7 @@ index e672bc65f..c7d443661 100644
case ns == string(FromPod): case ns == string(FromPod):
toReturn.NSMode = FromPod toReturn.NSMode = FromPod
case ns == "" || ns == string(Default) || ns == string(Private): case ns == "" || ns == string(Default) || ns == string(Private):
@@ -425,7 +437,7 @@ func ParseNetworkFlag(networks []string) (Namespace, map[string]types.PerNetwork @@ -472,7 +484,7 @@ func ParseNetworkFlag(networks []string) (Namespace, map[string]types.PerNetwork
if parts[0] == "" { if parts[0] == "" {
return toReturn, nil, nil, errors.Wrapf(define.ErrInvalidArg, "network name cannot be empty") return toReturn, nil, nil, errors.Wrapf(define.ErrInvalidArg, "network name cannot be empty")
} }
@ -538,5 +605,5 @@ index 759caa0c0..f95bbffc7 100644
PortMappings []types.PortMapping `json:"portmappings,omitempty"` PortMappings []types.PortMapping `json:"portmappings,omitempty"`
// Map of networks names to ids the container should join to. // Map of networks names to ids the container should join to.
-- --
2.28.0 2.35.1