
Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

It seems that TPROXY does not work for me in podman. #8936

Closed daiaji closed 3 years ago

daiaji commented 3 years ago

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description: When I use v2ray in an archlinux container, I found that TPROXY cannot be used. And iptables doesn't seem to work either.

Steps to reproduce the issue:

1. podman run -it archlinux bash

2. Install v2ray and cgproxy.

3. Follow this link to configure v2ray and cgproxy, and run v2ray and cgproxy. (This link provides the configuration of v2ray.)

4. cgproxy curl -vI https://www.google.com

Describe the results you received:

In addition, because I don’t know why I can’t use systemctl to start v2ray, I typed /usr/bin/v2ray -c /etc/v2ray/config.json in the terminal to run v2ray, and I got these errors.

2021/01/10 11:26:55 [Info] v2ray.com/core/transport/internet/tcp: listening TCP on 127.0.0.1:15490
2021/01/10 11:26:55 [Info] v2ray.com/core/transport/internet: failed to apply socket options to incoming connection > v2ray.com/core/transport/internet: failed to set IP_TRANSPARENT > operation not permitted
2021/01/10 11:26:55 [Info] v2ray.com/core/transport/internet/tcp: listening TCP on 127.0.0.1:12345
2021/01/10 11:26:55 [Info] v2ray.com/core/transport/internet: failed to apply socket options to incoming connection > v2ray.com/core/transport/internet: failed to set IP_TRANSPARENT > operation not permitted
2021/01/10 11:26:55 [Info] v2ray.com/core/transport/internet/udp: listening UDP on 127.0.0.1:12345
2021/01/10 11:26:55 [Info] v2ray.com/core/transport/internet: failed to apply socket options to incoming connection > v2ray.com/core/transport/internet: failed to set IP_TRANSPARENT > operation not permitted
2021/01/10 11:26:55 [Info] v2ray.com/core/transport/internet/tcp: listening TCP on [::1]:12345
2021/01/10 11:26:55 [Info] v2ray.com/core/transport/internet: failed to apply socket options to incoming connection > v2ray.com/core/transport/internet: failed to set IP_TRANSPARENT > operation not permitted

Running with sudo seems to be the same...

Since v2ray doesn't seem to work properly, cgproxy can't work for me either.

Describe the results you expected:

v2ray and cgproxy can work for me.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      2.2.1
API Version:  2.1.0
Go Version:   go1.15.6
Git Commit:   a0d478edea7f775b7ce32f8eb1a01e75374486cb
Built:        Wed Dec  9 05:48:23 2020
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.18.0
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/bin/conmon
    version: 'conmon version 2.0.22, commit: 9c34a8663b85e479e0c083801e89a2b2835228ed'
  cpus: 24
  distribution:
    distribution: manjaro
    version: unknown
  eventLogger: journald
  hostname: xxxx-home
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 10000
      size: 55537
    - container_id: 55538
      host_id: 260000
      size: 65537
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 55537
    - container_id: 55538
      host_id: 260000
      size: 65537
  kernel: 5.10.2-2-MANJARO
  linkmode: dynamic
  memFree: 19824062464
  memTotal: 33584754688
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/bin/crun
    version: |-
      crun version 0.16
      commit: eb0145e5ad4d8207e84a327248af76663d4e50dd
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 16792375296
  swapTotal: 16792375296
  uptime: 25m 12.02s
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: docker.io
    MirrorByDigestOnly: false
    Mirrors:
    - Insecure: false
      Location: ustc-edu-cn.mirror.aliyuncs.com
    - Insecure: false
      Location: hub-mirror.c.163.com
    - Insecure: false
      Location: registry.docker-cn.com
    Prefix: docker.io
  search:
  - docker.io
store:
  configFile: /home/xxxx/.config/containers/storage.conf
  containerStore:
    number: 11
    paused: 0
    running: 1
    stopped: 10
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /home/xxxx/.local/share/containers/storage
  graphStatus: {}
  imageStore:
    number: 7
  runRoot: /run/user/1000/containers
  volumePath: /home/xxxx/.local/share/containers/storage/volumes
version:
  APIVersion: 2.1.0
  Built: 1607464103
  BuiltTime: Wed Dec  9 05:48:23 2020
  GitCommit: a0d478edea7f775b7ce32f8eb1a01e75374486cb
  GoVersion: go1.15.6
  OsArch: linux/amd64
  Version: 2.2.1

Package info (e.g. output of rpm -q podman or apt list podman):

Name            : podman
Version         : 2.2.1-1
Description     : Tool and library for running OCI-based containers in pods
Architecture    : x86_64
URL             : https://github.com/containers/libpod
Licenses        : Apache
Groups          : None
Provides        : None
Depends On      : cni-plugins  conmon  containers-common  device-mapper  iptables  libseccomp  runc  slirp4netns  libsystemd  fuse-overlayfs  libgpgme.so=11-64
Optional Deps   : podman-docker: for Docker-compatible CLI
                  btrfs-progs: support btrfs backend devices
                  catatonit: --init flag support
                  crun: support for unified cgroupsv2
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 79.09 MiB
Packager        : Morten Linderud <foxboron@archlinux.org>
Build Date      : Tue 08 Dec 2020 09:48:23 PM UTC
Install Date    : Mon 11 Jan 2021 01:24:49 PM UTC
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

physical

rhatdan commented 3 years ago

Could you try it as root?

daiaji commented 3 years ago

Even if you use sudo su to switch to the root user to run podman, the result is the same.

rhatdan commented 3 years ago

Does this container image work with Docker?

You should first try with --privileged and see if it works then.

daiaji commented 3 years ago

> Does this container image work with Docker?
>
> You should first try with --privileged and see if it works then.

docker

# v2ray -c /etc/v2ray/config.json 
V2Ray 4.34.0 (V2Fly, a community-driven edition of V2Ray.) Custom (go1.15.6 linux/amd64)
A unified platform for anti-censorship.
2021/01/12 14:32:54 [Info] v2ray.com/core/main/jsonem: Reading config: /etc/v2ray/config.json
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/log: Logger started
2021/01/12 14:32:54 [Info] v2ray.com/core/app/dns: DNS: created Local DOH client for https://223.5.5.5/dns-query
2021/01/12 14:32:54 [Info] v2ray.com/core/app/dns: DNS: created Remote DOH client for https://1.1.1.1/dns-query
2021/01/12 14:32:54 [Info] v2ray.com/core/app/dns: DNS: created localhost client
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/stats: create new counter inbound>>>inbound_API>>>traffic>>>uplink
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/stats: create new counter inbound>>>inbound_API>>>traffic>>>downlink
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/proxyman/inbound: creating stream worker on 127.0.0.1:15490
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/stats: create new counter inbound>>>tproxy_IN_ipv4lo>>>traffic>>>uplink
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/stats: create new counter inbound>>>tproxy_IN_ipv4lo>>>traffic>>>downlink
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/proxyman/inbound: creating stream worker on 127.0.0.1:12345
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/stats: create new counter inbound>>>tproxy_IN_ipv6lo>>>traffic>>>uplink
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/stats: create new counter inbound>>>tproxy_IN_ipv6lo>>>traffic>>>downlink
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/proxyman/inbound: creating stream worker on [::1]:12345
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/stats: create new counter inbound>>>http_IN>>>traffic>>>uplink
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/stats: create new counter inbound>>>http_IN>>>traffic>>>downlink
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/proxyman/inbound: creating stream worker on 127.0.0.1:8888
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/stats: create new counter inbound>>>socks_IN>>>traffic>>>uplink
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/stats: create new counter inbound>>>socks_IN>>>traffic>>>downlink
2021/01/12 14:32:54 [Debug] v2ray.com/core/app/proxyman/inbound: creating stream worker on 0.0.0.0:1080
2021/01/12 14:32:54 [Info] v2ray.com/core/transport/internet/tcp: listening TCP on 127.0.0.1:15490
2021/01/12 14:32:54 [Info] v2ray.com/core/transport/internet/tcp: listening TCP on 127.0.0.1:12345
2021/01/12 14:32:54 [Info] v2ray.com/core/transport/internet/udp: listening UDP on 127.0.0.1:12345
2021/01/12 14:32:54 [Info] v2ray.com/core/transport/internet/tcp: listening TCP on [::1]:12345
2021/01/12 14:32:54 [Info] v2ray.com/core/transport/internet/udp: listening UDP on [::1]:12345
2021/01/12 14:32:54 [Info] v2ray.com/core/transport/internet/tcp: listening TCP on 127.0.0.1:8888
2021/01/12 14:32:54 [Info] v2ray.com/core/transport/internet/tcp: listening TCP on 0.0.0.0:1080
2021/01/12 14:32:54 [Info] v2ray.com/core/transport/internet/udp: listening UDP on 0.0.0.0:1080
2021/01/12 14:32:54 [Warning] v2ray.com/core: V2Ray 4.34.0 started

There doesn't seem to be a permission issue, although cgproxy does not seem to work properly in the end (maybe because iptables is not working properly).

I used the --privileged parameter for podman, and the lack-of-permission error stopped. But cgproxy still does not work, and iptables does not seem to be effective.

After that, I tried to start /sbin/init, but when systemd started, all this still did not improve. To be honest, I even tried to run all this in lxc, but it was still useless (although I actually run Manjaro in lxc). Will iptables really work for me in a container environment?
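The "failed to set IP_TRANSPARENT > operation not permitted" lines above come from the setsockopt(IP_TRANSPARENT) call a TPROXY listener makes; the kernel accepts that option only when the caller holds CAP_NET_ADMIN or CAP_NET_RAW in the user namespace that owns the socket's network namespace, which is why --privileged makes the error go away. The probe below is an added example (not code from the issue, podman or v2ray) that reproduces the check in isolation and cross-checks it against the effective capability set in /proc/self/status, so you can tell a capability problem from a missing iptables rule before debugging the proxy itself.

```python
"""Probe whether this process can create a TPROXY-capable (IP_TRANSPARENT) socket."""
import errno
import socket

CAP_NET_ADMIN = 12          # bit numbers as defined in linux/capability.h
CAP_NET_RAW = 13
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)  # option value 19 on Linux


def caps_from_hex(cap_eff_hex):
    """Decode a CapEff value (hex string as printed by /proc/<pid>/status)."""
    bits = int(cap_eff_hex, 16)
    return {
        "net_admin": bool((bits >> CAP_NET_ADMIN) & 1),
        "net_raw": bool((bits >> CAP_NET_RAW) & 1),
    }


def effective_caps():
    """Read CapEff for the running process; None where /proc is unavailable."""
    try:
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith("CapEff:"):
                    return caps_from_hex(line.split()[1])
    except OSError:
        pass
    return None


def probe_ip_transparent():
    """Try to set IP_TRANSPARENT on a fresh TCP socket, exactly as a TPROXY inbound does."""
    result = {"ok": False, "errno": 0, "caps": effective_caps()}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
            result["ok"] = True
        except OSError as e:
            # EPERM is the "operation not permitted" seen in the v2ray log
            result["errno"] = e.errno
    return result


if __name__ == "__main__":
    r = probe_ip_transparent()
    status = "ok" if r["ok"] else errno.errorcode.get(r["errno"], str(r["errno"]))
    print("IP_TRANSPARENT:", status)
    print("effective caps:", r["caps"])
```

Run it inside the container with and without --privileged (or with --cap-add NET_ADMIN) to confirm the capability side; a successful probe with TPROXY still failing points at the mangle-table rules or policy routing rather than at permissions.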

rhatdan commented 3 years ago

Not sure what TPROXY is doing, but could you try with the host network?

--net=host

daiaji commented 3 years ago

> Not sure what TPROXY is doing, but could you try with the host network?
>
> --net=host

https://www.kernel.org/doc/Documentation/networking/tproxy.txt It looks like this, but can iptables really work in a container?

rhatdan commented 3 years ago

They can work within a --privileged container, but I believe you want them on the host network, not buried on a VPN. Since this is not a podman issue, I am going to close.