Improved bypass4netns implementation #39
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks, but why was UDP removed? |
New bypass4netns does not implement them yet for simplification of implementation. |
AkihiroSuda
reviewed
Jan 10, 2024
.github/workflows/test.yaml
Outdated
| - name: setup lxd (v5.19) | ||
| id: s1 | ||
| if: steps.cache-restore.outputs.cache-hit != 'true' | ||
| run: ./setup_lxd.sh |
There was a problem hiding this comment.
Can we move these scripts into a subdirectory?
There was a problem hiding this comment.
fixed in 4b874fe
AkihiroSuda
reviewed
Jan 10, 2024
.github/workflows/test.yaml
Outdated
| path: /tmp/test-image.tar.zst | ||
| lookup-only: true | ||
|
|
||
| - name: setup lxd (v5.19) |
There was a problem hiding this comment.
"v5.19" should be removed, as setup_lxd.sh does not pin the LXD version
There was a problem hiding this comment.
fixed in 4b874fe
Signed-off-by: Naoki MATSUMOTO <[email protected]>
apt(8) configures sockets to be non-blocking via fcntl. This patch records fcntl's F_SETFD, F_SETFL and applies them on created sockets. Signed-off-by: Naoki MATSUMOTO <[email protected]>
Re-constructed entire data format. Currently, only SOCK_STREAM socket is handled. Signed-off-by: Naoki MATSUMOTO <[email protected]>
When the listening socket is bypassed, processes in a container cannot connect to the socket with inner port. This patch handles connection to published port and rewrite destination address. TODO: return dummy destination address when getpeername(2) called. Assuming the below situation. When port 5021 is published as port 5202 (`-p 5202:5201`), other processes in the container try to connect to 127.0.0.1:5201 or interface's address (e.g. 10.4.0.38:5201). bypass4netns handles such connection and rewrite the destination address to 127.0.0.1:5202 or ::1:5202 Signed-off-by: Naoki MATSUMOTO <[email protected]>
Normally, inter-container connections are handled by slirp4netns. When the listening socket is bypassed, other containers cannot connect to the socket. This patch handles such connections and rewrite destination address. TODO: care CNI-plugin's filter Signed-off-by: Naoki MATSUMOTO <[email protected]>
bypass4netns bypasses sockets connecting to bypassed socket. But this may break ACL or iptables config in intermediate NetNS. Tracer agent checks whether the container can connect to other container's port and only connectable connection is bypassed. TODO: use RAW_SOCKET not to establish TCP connections Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
This currently not utilized Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
TODO: allocate published port on host-side dynamically Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
pid can be thread's pid and open_pidfd() fails with the pid. When open_pidfd() fails, retry with the pid's tgid and replace the pid to the tgid. Signed-off-by: Naoki MATSUMOTO <[email protected]>
Some binaries (e.g. golang) close fd then create socket with same fd immediately. Seccomp notify sometimes drops first close and b4ns cannot bypass the socket. This is workaround for such inconsistent condition. Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Signed-off-by: Naoki MATSUMOTO <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In this work, bypass4netns is entirely reimplemented and some new features added.
New features
--handle-c2c-connectionsoption)This enables containers to connect to bypassed (published) sockets.
--traceroption)This enables bypass4netns to take care of iptables or other ACLs in intermediate NetNS.
--mulitnodeoption)This enables multi-node communication without VXLAN. This feature is experimental and more work is required to apply in usernetes.
Tests for above features with existing applications including statically linked golang binary.
Removed features
Currently, this feature is not implemented yet.