Closed flyhigao closed 5 years ago
@flyhigao As by design, containers cannot sniff traffic unless given permission to do so. -o privileged gives privilege to the netdevice to receive packets which are not destined to it. But you still need to give permission to the container using CAP_NET_RAW, CAP_NET_ADMIN to allow tcpdump to put the netdevice in promiscuous mode.
So when you run the container using docker run --net=enp7s0f2 -itd --name=tcpdump corfr/tcpdump
add either --privileged or do --caps=NET_RAW --cap=NET_ADMIN.
@paravmellanox Thanks for the super fast reply :)
But curious: even when I add privileged to the tcpdump container and set the container's eth0 to promisc successfully, tcpdump still can't sniff the promisc packets, while the host NIC RX is increasing (pktgen from another machine).
Now my commands are:
docker pull rdma/sriov-plugin
ifconfig enp7s0f2 promisc
docker run -v /run/docker/plugins:/run/docker/plugins -v /etc/docker:/etc/docker -v /var/run:/var/run --net=host --name sriov-plugin-docker --privileged rdma/sriov-plugin
docker network create -d sriov --subnet=192.168.70.0/24 -o netdevice=enp7s0f2 -o privileged=1 enp7s0f2
docker run --net=enp7s0f2 --name=tcpdump --privileged --cap-add=NET_RAW --cap-add=NET_ADMIN --rm corfr/tcpdump
On my host:
[root@localhost ~]# ifconfig enp7s0f2
enp7s0f2: flags=4419<UP,BROADCAST,RUNNING,**PROMISC**,MULTICAST> mtu 1500
ether ec:d6:8a:2c:7d:f9 txqueuelen 1000 (Ethernet)
RX packets **13368953** bytes 814420040 (776.6 MiB)
In my tcpdump container:
/ # ifconfig eth0
eth0 Link encap:Ethernet HWaddr A2:69:20:54:9C:AD
inet addr:192.168.70.2 Bcast:192.168.70.255 Mask:255.255.255.0
UP BROADCAST RUNNING **PROMISC** MULTICAST MTU:1500 Metric:1
RX packets:**711** errors:0 dropped:0 overruns:0 frame:0
TX packets:660 errors:0 dropped:0 overruns:0 carrier:0
My host NIC is an Intel I350. Do I need a specific NIC card to enable the packet sniffer? Or am I still missing something?
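A small diagnostic tying together the two checks discussed in this thread: whether the process inside the container actually holds CAP_NET_RAW and CAP_NET_ADMIN (the capabilities named in the comment above), and whether the VF's RX counter is tiny next to the PF's, which is what the ifconfig outputs quoted above show. This is an added example, not code from the thread or from the sriov-plugin project; the CapEff masks and ifconfig text are constructed samples modelled on the outputs quoted above, and the 1% ratio threshold is an assumed heuristic.

```python
import re

# Capability bit numbers from the Linux capability(7) man page.
CAP_NET_ADMIN = 12   # needed to set IFF_PROMISC on the interface
CAP_NET_RAW = 13     # needed to open the AF_PACKET socket tcpdump captures on

def effective_caps(status_text):
    """Parse the CapEff hex mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)

def missing_caps(status_text):
    """Names of the two capabilities tcpdump needs that are absent from CapEff."""
    caps = effective_caps(status_text)
    needed = {"CAP_NET_ADMIN": CAP_NET_ADMIN, "CAP_NET_RAW": CAP_NET_RAW}
    return sorted(name for name, bit in needed.items() if not caps >> bit & 1)

def iface_is_promisc(ifconfig_text):
    """True if the ifconfig block lists the PROMISC flag (either net-tools style)."""
    return re.search(r"\bPROMISC\b", ifconfig_text) is not None

def rx_packets(ifconfig_text):
    """RX packet count; accepts both 'RX packets 13368953' and 'RX packets:711'."""
    m = re.search(r"RX packets:?\s*(\d+)", ifconfig_text)
    if not m:
        raise ValueError("no RX packets field")
    return int(m.group(1))

def diagnose(status_text, pf_ifconfig, vf_ifconfig):
    """Explain, in order of likelihood, why a VF-backed container sees less than the PF."""
    missing = missing_caps(status_text)
    if missing:
        return "missing " + ", ".join(missing)
    if not iface_is_promisc(vf_ifconfig):
        return "VF interface not in promiscuous mode"
    if rx_packets(vf_ifconfig) < rx_packets(pf_ifconfig) // 100:   # assumed heuristic
        return "VF receives only traffic addressed to it; PF traffic is not mirrored to the VF"
    return "ok"

# Constructed samples modelled on the outputs quoted in the thread.
HOST_IFCONFIG = ("enp7s0f2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500\n"
                 "        RX packets 13368953  bytes 814420040 (776.6 MiB)\n")
VF_IFCONFIG = ("eth0      Link encap:Ethernet  HWaddr A2:69:20:54:9C:AD\n"
               "          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1\n"
               "          RX packets:711 errors:0 dropped:0 overruns:0 frame:0\n")
PRIVILEGED_STATUS = "CapEff:\t000001ffffffffff\n"   # constructed: every capability set
DEFAULT_STATUS = "CapEff:\t00000000a80425fb\n"      # constructed: NET_RAW set, NET_ADMIN not

if __name__ == "__main__":
    print(diagnose(DEFAULT_STATUS, HOST_IFCONFIG, VF_IFCONFIG))
    print(diagnose(PRIVILEGED_STATUS, HOST_IFCONFIG, VF_IFCONFIG))
```

Inside a running container, feed it the real text from /proc/self/status and ifconfig to see which of the three conditions applies.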
@flyhigao, the packet counter should increment on eth0 if you are sending to this VF. That will ensure that packets are targeted to the VF. You could as well run a basic ping test from the VF to some other system or VF to ensure that the VF is currently doing packet tx/rx. While that is going on, you run tcpdump.
I do not know about I350 NICs. We have tested it using Mellanox ConnectX4, ConnectX5 NICs.
I want the tcpdump container's eth0 to run in promiscuous mode so it can sniff all the traffic on the host NIC. Can SR-IOV support this promiscuous mode?
@flyhigao, a VF cannot sniff the host NIC. A VF can sniff its own traffic. It doesn't matter container/no-container.
I searched the Mellanox doc, VF Promiscuous Rx Modes. In the VF Promiscuous Rx Modes chapter, it says:
VFs can enter a promiscuous mode that enables receiving the unmatched traffic and all the multicast traffic that reaches the physical port in addition to the traffic originally targeted to the VF. The unmatched traffic is any traffic's DMAC that does not match any of the VFs' or PFs' MAC addresses. Note: Only privileged/trusted VFs can enter the VF promiscuous mode.
So, I think maybe some NIC cards support this function, and the Intel I350 doesn't support it. Thank you @paravmellanox
@flyhigao, notice the word "unmatched". It cannot sniff matched traffic of the PF. Hope you got the point.
Can you please close the case, as it's not related to containers or this plugin.
@flyhigao thanks.
Hi, I followed the README, and running the "4. Test it out - SRIOV mode" chapter works fine. Now I want to run tcpdump in a container with SR-IOV in privileged mode:
My command:
When busybox pings the tcpdump container, tcpdump can sniff the incoming ping packets. But when I ping between the 2 busybox containers, the tcpdump container can NOT sniff the ping traffic.
I also tried pktgen to the host NIC enp7s0f2; the tcpdump container also can NOT sniff the traffic.
In the tcpdump container, I tried to set promisc on eth0, but it failed:
Did I do something wrong? This is my host setup:
Thank you for your work!