search

rootless-containers / slirp4netns

User-mode networking for unprivileged network namespaces
GNU General Public License v2.0
715 stars 82 forks source link

port is not bound on all IPs on the host when using --network=slirp4netns:port_handler=slirp4netns #316

Open guidugli opened 1 year ago

guidugli commented 1 year ago

I am trying to run PiHole as a rootless container using podman.

Everything was working fine except that the real IPs were not being logged. So I had to switch from rootlesskit to slirp4netns. But now the service cannot be reached by localhost.

Command executed: /usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon --replace --detach=true --name pihole-server -v /opt/pihole/etc-pihole:/etc/pihole:rw -v /opt/pihole/etc-dnsmasq.d:/etc/dnsmasq.d:rw -v /opt/pihole/resolv.conf:/etc/resolv.conf:rw -p 1153:53/tcp -p 1153:53/udp -p 1180:80/tcp --memory=512M --env-file=config.env --network=slirp4netns:port_handler=slirp4netns docker.io/guidugli/pihole-unbound:latest

When using rootlesskit the port is bound to all interfaces:

pihole@pihole:~$ ss -ulpn State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 :1153 :* users:(("rootlessport",pid=42836,fd=14))

But when using slirp4netns, the service does not respond on localhost:

pihole@pihole:~$ ss -ulpn State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 0.0.0.0:1153 0.0.0.0:* users:(("slirp4netns",pid=43755,fd=10))

pihole@pihole:~$ dig google.com @localhost -p 1153 ;; communications error to 127.0.0.1#1153: timed out ;; communications error to 127.0.0.1#1153: timed out ;; communications error to 127.0.0.1#1153: timed out ;; communications error to 127.0.0.1#1153: timed out

; <<>> DiG 9.18.12-1-Debian <<>> google.com @localhost -p 1153 ;; global options: +cmd ;; no servers could be reached

But it respond on the interface ip:

pihole@pihole:~$ dig google.com @10.14.55.55 -p 1153 ; <<>> DiG 9.18.12-1-Debian <<>> google.com @10.14.55.55 -p 1153 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25094 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;google.com. IN A

;; ANSWER SECTION: google.com. 300 IN A 142.250.219.206

;; Query time: 140 msec ;; SERVER: 10.14.55.55#1153(10.14.55.55) (UDP) ;; WHEN: Wed Jun 21 15:40:11 -03 2023 ;; MSG SIZE rcvd: 55

According to the man page, using the -p option should work this way: If host IP is set to 0.0.0.0 or not set at all, the port is bound on all IPs on the host.

Am I missing something or is this really a bug?

More info:

pihole@pihole:~$ slirp4netns --version slirp4netns version 1.2.0 commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383 libslirp: 4.7.0 SLIRP_CONFIG_VERSION_MAX: 4 libseccomp: 2.5.4

pihole@pihole:~$ podman --version podman version 4.3.1

pihole@pihole:~$ podman info host: arch: amd64 buildahVersion: 1.28.2 cgroupControllers:

  • cpu
  • memory
  • pids cgroupManager: systemd cgroupVersion: v2 conmon: package: conmon_2.1.6+ds1-1_amd64 path: /usr/bin/conmon version: 'conmon version 2.1.6, commit: unknown' cpuUtilization: idlePercent: 98.08 systemPercent: 0.97 userPercent: 0.95 cpus: 1 distribution: codename: bookworm distribution: debian version: "12" eventLogger: journald hostname: pihole idMappings: gidmap:
    • container_id: 0 host_id: 1000 size: 1
    • container_id: 1 host_id: 100000 size: 65536 uidmap:
    • container_id: 0 host_id: 1000 size: 1
    • container_id: 1 host_id: 100000 size: 65536 kernel: 6.1.0-9-amd64 linkmode: dynamic logDriver: journald memFree: 66723840 memTotal: 1007693824 networkBackend: netavark ociRuntime: name: crun package: crun_1.8.1-1+b1_amd64 path: /usr/bin/crun version: |- crun version 1.8.1 commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30 rundir: /run/user/1000/crun spec: 1.0.0 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL os: linux remoteSocket: path: /run/user/1000/podman/podman.sock security: apparmorEnabled: false capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT rootless: true seccompEnabled: true seccompProfilePath: /usr/share/containers/seccomp.json selinuxEnabled: false serviceIsRemote: false slirp4netns: executable: /usr/bin/slirp4netns package: slirp4netns_1.2.0-1_amd64 version: |- slirp4netns version 1.2.0 commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383 libslirp: 4.7.0 SLIRP_CONFIG_VERSION_MAX: 4 libseccomp: 2.5.4 swapFree: 959180800 swapTotal: 960491520 uptime: 0h 23m 1.00s plugins: authorization: null log:
  • k8s-file
  • none
  • passthrough
  • journald network:
  • bridge
  • macvlan volume:
  • local registries: {} store: configFile: /srv/pihole/.config/containers/storage.conf containerStore: number: 1 paused: 0 running: 1 stopped: 0 graphDriverName: vfs graphOptions: {} graphRoot: /srv/pihole/.local/share/containers/storage graphRootAllocated: 11099406336 graphRootUsed: 5848473600 graphStatus: {} imageCopyTmpDir: /var/tmp imageStore: number: 1 runRoot: /run/user/1000/containers volumePath: /srv/pihole/.local/share/containers/storage/volumes version: APIVersion: 4.3.1 Built: 0 BuiltTime: Wed Dec 31 21:00:00 1969 GitCommit: "" GoVersion: go1.19.8 Os: linux OsArch: linux/amd64 Version: 4.3.1