
Bug#989899: marked as done (unblock: libpod/3.0.1+dfsg1-3)



Your message dated Tue, 15 Jun 2021 22:21:52 +0200
with message-id <YMkL4ERWjAHQ9kuC@ramacher.at>
and subject line Re: Bug#989899: unblock: libpod/3.0.1+dfsg1-3
has caused the Debian Bug report #989899,
regarding unblock: libpod/3.0.1+dfsg1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989899: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989899
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-go@lists.debian.org, siretart@debian.org

Please unblock package libpod/3.0.1+dfsg1-3

[ Reason ]

When using rootless podman, a major feature compared to docker.io,
non-trivial network configurations exhibit network connectivity
issues that manifest in 'Recv failure: Connection reset by peer' errors

This was reported and tracked in #989803, and upstream at
https://github.com/containers/podman/issues/9532

A minimal test-case for this issue is discussed at
https://stackoverflow.com/questions/67049585/how-to-publish-ports-in-user-defined-network-in-rootless-podman

I've identified the patch that was backported to podman 3.0 and 3.1, and
included it as a distribution patch.

[ Impact ]

Podman has two major modes of operation: running with root privileges
(rootful, similar to docker), and rootless. This patch does not affect rootful
podman, but is limited to rootless podman where it has to set up appropriate
network namespaces and networking using slirp4netns.

[ Tests ]

Alexander Reichle-Schmehl was so good to manually build the package from source
and confirms that the issue is fixed,
cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989803#20

[ Risks ]

This is a leaf package, and therefore is very unlikely to affect other
packages. The patch is minimal, focused, and well-understood upstream.

For your reviewing convenience, you might find it easier to review the quilt
patch at https://salsa.debian.org/debian/libpod/-/blob/master/debian/patches/networking-lookup-child-IP-in-networks.patch

Thank you for considering


unblock libpod/3.0.1+dfsg1-3


Full debdiff below:

siretart@x1:/srv/scratch/packages/containers/libpod$ git diff debian/3.0.1+dfsg1-2
diff --git a/debian/changelog b/debian/changelog
index 7ec3e362d..88f7f1480 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libpod (3.0.1+dfsg1-3) unstable; urgency=medium
+
+  * Add networking-lookup-child-IP-in-networks.patch, fixes rootless
+    connection issue "Connection reset by peer", Closes: #989803
+
+ -- Reinhard Tartler <siretart@tauware.de>  Sun, 13 Jun 2021 18:28:49 -0400
+
 libpod (3.0.1+dfsg1-2) unstable; urgency=medium

   * Prefer crun over runc, Closes: #985379
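Review bot: the new changelog entry names the Debian bug but not the upstream commit or podman issue the patch comes from; since this is a backport of upstream commit 0ba1942f261158b9526310aac7ee5f183a109440 (closing containers/podman#9065, tracked in Debian via #989803 and upstream #9532), mentioning that origin in the entry would make the provenance of the distribution patch visible without opening the patch file.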
diff --git a/debian/patches/networking-lookup-child-IP-in-networks.patch b/debian/patches/networking-lookup-child-IP-in-networks.patch
new file mode 100644
index 000000000..d1444c0e6
--- /dev/null
+++ b/debian/patches/networking-lookup-child-IP-in-networks.patch
@@ -0,0 +1,83 @@
+commit 0ba1942f261158b9526310aac7ee5f183a109440
+Author: Giuseppe Scrivano <gscrivan@redhat.com>
+Date:   Fri Jan 22 13:54:24 2021 +0100
+
+    networking: lookup child IP in networks
+
+    if a CNI network is added to the container, use the IP address in that
+    network instead of hard-coding the slirp4netns default.
+
+    commit 5e65f0ba30f3fca73f8c207825632afef08378c1 introduced this
+    regression.
+
+    Closes: https://github.com/containers/podman/issues/9065
+
+    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+
+--- a/libpod/networking_linux.go
++++ b/libpod/networking_linux.go
+@@ -559,13 +559,25 @@
+ 		}
+ 	}
+
++	childIP := slirp4netnsIP
++outer:
++	for _, r := range ctr.state.NetworkStatus {
++		for _, i := range r.IPs {
++			ipv4 := i.Address.IP.To4()
++			if ipv4 != nil {
++				childIP = ipv4.String()
++				break outer
++			}
++		}
++	}
++
+ 	cfg := rootlessport.Config{
+ 		Mappings:  ctr.config.PortMappings,
+ 		NetNSPath: netnsPath,
+ 		ExitFD:    3,
+ 		ReadyFD:   4,
+ 		TmpDir:    ctr.runtime.config.Engine.TmpDir,
+-		ChildIP:   slirp4netnsIP,
++		ChildIP:   childIP,
+ 	}
+ 	cfgJSON, err := json.Marshal(cfg)
+ 	if err != nil {
+--- a/test/system/500-networking.bats
++++ b/test/system/500-networking.bats
+@@ -98,6 +98,7 @@
+ # "network create" now works rootless, with the help of a special container
+ @test "podman network create" {
+     skip_if_remote "FIXME: pending #7808"
++    myport=54322
+
+     local mynetname=testnet-$(random_string 10)
+     local mysubnet=$(random_rfc1918_subnet)
+@@ -115,6 +116,27 @@
+     is "$output" ".* inet ${mysubnet}\.2/24 brd ${mysubnet}\.255 " \
+        "sdfsdf"
+
++    run_podman run --rm -d --network $mynetname -p 127.0.0.1:$myport:$myport \
++               $IMAGE nc -l -n -v -p $myport
++    cid="$output"
++
++    # emit random string, and check it
++    teststring=$(random_string 30)
++    echo "$teststring" | nc 127.0.0.1 $myport
++
++    run_podman logs $cid
++    # Sigh. We can't check line-by-line, because 'nc' output order is
++    # unreliable. We usually get the 'connect to' line before the random
++    # string, but sometimes we get it after. So, just do substring checks.
++    is "$output" ".*listening on \[::\]:$myport .*" "nc -v shows right port"
++
++    # This is the truly important check: make sure the remote IP is
++    # in the 172.X range, not 127.X.
++    is "$output" \
++       ".*connect to \[::ffff:172\..*\]:$myport from \[::ffff:172\..*\]:.*" \
++       "nc -v shows remote IP address in 172.X space (not 127.0.0.1)"
++    is "$output" ".*${teststring}.*" "test string received on container"
++
+     # Cannot create network with the same name
+     run_podman 125 network create $mynetname
+     is "$output" "Error: the network name $mynetname is already used" \
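Review bot: in the networking_linux.go hunk, the new loop takes the first IPv4 address of the first entry in ctr.state.NetworkStatus, so with more than one CNI network attached the published port is forwarded to whichever network is listed first, and a network that only carries IPv6 addresses silently keeps the slirp4netns default (the very address whose hard-coding caused the "Connection reset by peer" failures); a one-line comment above `childIP := slirp4netnsIP` stating that ordering and that fallback would make the behaviour reviewable in-tree. In the 500-networking.bats hunk, `myport=54322` is a fixed port rather than one chosen from a free range, so concurrent runs on the same host can collide on the published port, and the remote-IP assertion hard-codes `172\.` while `mysubnet` comes from `random_rfc1918_subnet`, so the check is only sound if that helper never returns a 10.x or 192.168.x subnet.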
diff --git a/debian/patches/series b/debian/patches/series
index 6659bf1eb..d1470bd5c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 test--skip-TestPostDeleteHooks.patch
 rm-containers-mounts-5.patch
 systemd-tweaks.patch
+networking-lookup-child-IP-in-networks.patch

--- End Message ---
--- Begin Message ---
On 2021-06-15 10:17:08 -0400, Reinhard Tartler wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: debian-go@lists.debian.org, siretart@debian.org
> 
> Please unblock package libpod/3.0.1+dfsg1-3
> 
> [ Reason ]
> 
> When using rootless podman, a major feature compared to docker.io,
> non-trivial network configurations exhibit network connectivity
> issues that manifest in 'Recv failure: Connection reset by peer' errors
> 
> This was reported and tracked in #989803, and upstream at
> https://github.com/containers/podman/issues/9532
> 
> A minimal test-case for this issue is discussed at
> https://stackoverflow.com/questions/67049585/how-to-publish-ports-in-user-defined-network-in-rootless-podman
> 
> I've identified the patch that was backported to podman 3.0 and 3.1, and
> included it as a distribution patch.
> 
> [ Impact ]
> 
> Podman has two major modes of operation: running with root privileges
> (rootful, similar to docker), and rootless. This patch does not affect rootful
> podman, but is limited to rootless podman where it has to set up appropriate
> network namespaces and networking using slirp4netns.
> 
> [ Tests ]
> 
> Alexander Reichle-Schmehl was so good to manually build the package from source
> and confirms that the issue is fixed,
> cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989803#20
> 
> [ Risks ]
> 
> This is a leaf package, and therefore is very unlikely to affect other
> packages. The patch is minimal, focused, and well-understood upstream.
> 
> For your reviewing convenience, you might find it easier to review the quilt
> patch at https://salsa.debian.org/debian/libpod/-/blob/master/debian/patches/networking-lookup-child-IP-in-networks.patch
> 
> Thank you for considering
> 
> 
> unblock libpod/3.0.1+dfsg1-3

libpod has successful autopkgtests and will be able to migrate on its
own before the hard freeze starts. In case that doesn't happen, please
reopen the bug report.

Cheers

> 
> 
> Full debdiff below:
> 
> siretart@x1:/srv/scratch/packages/containers/libpod$ git diff debian/3.0.1+dfsg1-2
> diff --git a/debian/changelog b/debian/changelog
> index 7ec3e362d..88f7f1480 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +libpod (3.0.1+dfsg1-3) unstable; urgency=medium
> +
> +  * Add networking-lookup-child-IP-in-networks.patch, fixes rootless
> +    connection issue "Connection reset by peer", Closes: #989803
> +
> + -- Reinhard Tartler <siretart@tauware.de>  Sun, 13 Jun 2021 18:28:49 -0400
> +
>  libpod (3.0.1+dfsg1-2) unstable; urgency=medium
> 
>    * Prefer crun over runc, Closes: #985379
> diff --git a/debian/patches/networking-lookup-child-IP-in-networks.patch b/debian/patches/networking-lookup-child-IP-in-networks.patch
> new file mode 100644
> index 000000000..d1444c0e6
> --- /dev/null
> +++ b/debian/patches/networking-lookup-child-IP-in-networks.patch
> @@ -0,0 +1,83 @@
> +commit 0ba1942f261158b9526310aac7ee5f183a109440
> +Author: Giuseppe Scrivano <gscrivan@redhat.com>
> +Date:   Fri Jan 22 13:54:24 2021 +0100
> +
> +    networking: lookup child IP in networks
> +
> +    if a CNI network is added to the container, use the IP address in that
> +    network instead of hard-coding the slirp4netns default.
> +
> +    commit 5e65f0ba30f3fca73f8c207825632afef08378c1 introduced this
> +    regression.
> +
> +    Closes: https://github.com/containers/podman/issues/9065
> +
> +    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
> +
> +--- a/libpod/networking_linux.go
> ++++ b/libpod/networking_linux.go
> +@@ -559,13 +559,25 @@
> + 		}
> + 	}
> +
> ++	childIP := slirp4netnsIP
> ++outer:
> ++	for _, r := range ctr.state.NetworkStatus {
> ++		for _, i := range r.IPs {
> ++			ipv4 := i.Address.IP.To4()
> ++			if ipv4 != nil {
> ++				childIP = ipv4.String()
> ++				break outer
> ++			}
> ++		}
> ++	}
> ++
> + 	cfg := rootlessport.Config{
> + 		Mappings:  ctr.config.PortMappings,
> + 		NetNSPath: netnsPath,
> + 		ExitFD:    3,
> + 		ReadyFD:   4,
> + 		TmpDir:    ctr.runtime.config.Engine.TmpDir,
> +-		ChildIP:   slirp4netnsIP,
> ++		ChildIP:   childIP,
> + 	}
> + 	cfgJSON, err := json.Marshal(cfg)
> + 	if err != nil {
> +--- a/test/system/500-networking.bats
> ++++ b/test/system/500-networking.bats
> +@@ -98,6 +98,7 @@
> + # "network create" now works rootless, with the help of a special container
> + @test "podman network create" {
> +     skip_if_remote "FIXME: pending #7808"
> ++    myport=54322
> +
> +     local mynetname=testnet-$(random_string 10)
> +     local mysubnet=$(random_rfc1918_subnet)
> +@@ -115,6 +116,27 @@
> +     is "$output" ".* inet ${mysubnet}\.2/24 brd ${mysubnet}\.255 " \
> +        "sdfsdf"
> +
> ++    run_podman run --rm -d --network $mynetname -p 127.0.0.1:$myport:$myport \
> ++               $IMAGE nc -l -n -v -p $myport
> ++    cid="$output"
> ++
> ++    # emit random string, and check it
> ++    teststring=$(random_string 30)
> ++    echo "$teststring" | nc 127.0.0.1 $myport
> ++
> ++    run_podman logs $cid
> ++    # Sigh. We can't check line-by-line, because 'nc' output order is
> ++    # unreliable. We usually get the 'connect to' line before the random
> ++    # string, but sometimes we get it after. So, just do substring checks.
> ++    is "$output" ".*listening on \[::\]:$myport .*" "nc -v shows right port"
> ++
> ++    # This is the truly important check: make sure the remote IP is
> ++    # in the 172.X range, not 127.X.
> ++    is "$output" \
> ++       ".*connect to \[::ffff:172\..*\]:$myport from \[::ffff:172\..*\]:.*" \
> ++       "nc -v shows remote IP address in 172.X space (not 127.0.0.1)"
> ++    is "$output" ".*${teststring}.*" "test string received on container"
> ++
> +     # Cannot create network with the same name
> +     run_podman 125 network create $mynetname
> +     is "$output" "Error: the network name $mynetname is already used" \
> diff --git a/debian/patches/series b/debian/patches/series
> index 6659bf1eb..d1470bd5c 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -1,3 +1,4 @@
>  test--skip-TestPostDeleteHooks.patch
>  rm-containers-mounts-5.patch
>  systemd-tweaks.patch
> +networking-lookup-child-IP-in-networks.patch
> 

-- 
Sebastian Ramacher



--- End Message ---
