rootless-containers / bypass4netns

[Experimental] Accelerates slirp4netns using SECCOMP_IOCTL_NOTIF_ADDFD. As fast as `--net=host`.
https://medium.com/nttlabs/accelerating-rootless-container-network-29d0e908dda4
Apache License 2.0

`bind(2)`-related syscalls do not work well with nested containers #66

Open AkihiroSuda opened 5 months ago

AkihiroSuda commented 5 months ago

In the following example, `nerdctl exec dind docker exec nginx wget -O- http://127.0.0.1` is working as expected, but `nerdctl exec dind docker exec nginx wget -O- http://172.17.0.2` is failing with `Host is unreachable`:

```console
$ nerdctl run -d --name dind --annotation nerdctl/bypass4netns=1 --privileged docker:dind

$ nerdctl exec dind docker run -d --name nginx nginx:alpine

$ nerdctl exec dind docker exec nginx wget -O- http://127.0.0.1
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
[...]
</html>
Connecting to 127.0.0.1 (127.0.0.1:80)
writing to stdout
-                    100% |********************************|   615  0:00:00 ETA
written to stdout

$ nerdctl exec dind docker exec nginx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

$ nerdctl exec dind docker exec nginx wget -O- http://172.17.0.2
Connecting to 172.17.0.2 (172.17.0.2:80)
wget: can't connect to remote host (172.17.0.2): Host is unreachable
FATA[0003] exec failed with exit code 1
```

Probably the cause is the same as:

cc @naoki9911

AkihiroSuda commented 5 months ago

`--annotation nerdctl/bypass4netns-ignore-subnets='["172.17.0.2/24"]'` works as a workaround, so this issue seems different from:

The automatic ignore list detection still needs a fix to support nested netns, though.
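The workaround annotation discussed above, as an added example that is not part of the issue or of bypass4netns itself: a small Python helper that derives the nested containers' subnet from the inner container's `ip a` output, emits a value for `nerdctl/bypass4netns-ignore-subnets`, and checks whether a destination address falls inside an ignored subnet. The sample `ip a` text is the one from the reproducer; the function names are assumptions, and the network is derived from the interface prefix (172.17.0.0/16) rather than the /24 used in the comment.

```python
import ipaddress
import json
import re

# Sample input: the `ip a` output of the nested nginx container from the reproducer above.
IP_A_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
"""

# Matches the IPv4 "inet <addr>/<prefix> ... scope <scope>" lines only (not inet6).
INET_RE = re.compile(r"^\s+inet\s+(\S+)\s+.*\bscope\s+(\S+)")


def nested_subnets(ip_a_output):
    """Return the IPv4 networks of global-scope interfaces found in `ip a` output.
    Loopback (scope host) is skipped: the 127.0.0.1 case already works in the
    reproducer; only the nested bridge subnet needs to stay inside the netns."""
    nets = []
    for line in ip_a_output.splitlines():
        m = INET_RE.match(line)
        if not m or m.group(2) != "global":
            continue
        net = ipaddress.ip_interface(m.group(1)).network  # 172.17.0.2/16 -> 172.17.0.0/16
        if net not in nets:
            nets.append(net)
    return nets


def ignore_subnets_annotation(ip_a_output):
    """Build the JSON value for --annotation nerdctl/bypass4netns-ignore-subnets=... (assumed name)."""
    return json.dumps([str(n) for n in nested_subnets(ip_a_output)])


def is_ignored(dst, annotation_value):
    """True if a connection to `dst` should be left inside the netns (not bypassed).
    strict=False also accepts host-bit-set entries such as "172.17.0.2/24"."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in json.loads(annotation_value))
```

Feeding the real `nerdctl exec dind docker exec <name> ip a` output to `ignore_subnets_annotation` gives the annotation value to pass at `nerdctl run` time.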

naoki9911 commented 5 months ago

It seems that bypass4netns could not precisely handle nested netns. I'll investigate this with https://github.com/rootless-containers/bypass4netns/issues/65