cfergeau
commented
1 day ago This can be reproduced with podman machine by following these steps (I tested on a mac):
- if podman was installed with their installer, replace
/opt/podman/bin/gvproxywith the binary you want to test podman machine stop && podman machine startpodman run -it -rm -p 8111:8111 ubi9- in the container,
yum install nmap-ncatfollowed bync -l -k -v 8111 - in another terminal on the mac,
echo hello | nc localhost 8111 - if this command does not return without ctrl+c, then you are seeing the bug
- you can also run it multiple times in a row, and then check
lsof -nP -iTCP | grep 8111, there will be multiple lines when the bug occurs
We cannot use the latest github.com/inetaf/tcpproxy commit because of https://github.com/containers/gvisor-tap-vsock/commit/61dc4e1eb260427d9a39ccaeeb75fe85be7dcccc which causes a regression in podman https://github.com/containers/podman/issues/23616
My feeling is that this revert is either hiding a gvisor-tap-sock bug which has been present for a long time, or it's avoiding a newly introduced bug in inetaf/tcpproxy. In either cases ,it would be good to understand better what caused the issue leading to the revert. The podman bug has a reproducer for it.