Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Include exposed ports in inspect output when net=host #24090

Merged
merged 1 commit into from
Sep 27, 2024

Conversation

mheon
Copy link
Member

@mheon mheon commented Sep 27, 2024

Previously, we didn't bother including exposed ports in the container config when creating a container with --net=host. Per Docker this isn't really correct; host-net containers are still considered to have exposed ports, even though that specific container can be guaranteed to never use them.

The change itself is quite simple. Introduce a simpler way to get exposed ports into the Libpod config (previously only possible via the overarching netns setup function) and use it when making a net=host container. Testing is similarly straightforward.

Fixes https://issues.redhat.com/browse/RHEL-60382

Does this PR introduce a user-facing change?

Fixed a bug where Podman did not include exposed ports from containers created with `--net=host` in the output of `podman inspect`.

@openshift-ci openshift-ci bot added release-note approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Sep 27, 2024
Comment on lines 302 to 307
case specgen.Host:
_, expose, err := createPortMappings(s, imageData)
if err != nil {
return nil, err
}
toReturn = append(toReturn, libpod.WithExposedPorts(expose))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like this, what makes host special compared to container/pod? I would assume docker treats all the same?

Logically it seems it would be much cleaner to pass the ports outside of this switch for all net modes and then remove the expose ports from WithNetNS() to simply there.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok it seems to be inconsistent on the docker side as well

docker run --network container:c1 --name c2 --expose 80/tcp  -d alpine sleep 1000
docker: Error response from daemon: conflicting options: port exposing and the container type network mode.
See 'docker run --help'.
[root@fedora ~]# docker run --network host --name c2 --expose 80/tcp  -d alpine sleep 1000
cfec8194400a44235ef707f7ee838a89c973fed6a20e94528ee12d3793a99f62

However at the same time using an image that contains exposed ports is allowed

# docker run --network container:c1 --name c2   -d nginx sleep 1000

# docker inspect --format "{{json .Config.ExposedPorts}}"  c2
{"80/tcp":{}}

So overall I think we should allow the exposed ports for all network modes.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

Comment on lines 458 to 460
rm := podmanTest.Podman("rm", "-t", "0", "--force", containerName)
rm.WaitWithDefaultTimeout()
Expect(rm).Should(ExitCleanly())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems unnecessary as we always do cleanup in e2e.

Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

openshift-ci bot commented Sep 27, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99, mheon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Previously, we didn't bother including exposed ports in the
container config when creating a container with --net=host. Per
Docker this isn't really correct; host-net containers are still
considered to have exposed ports, even though that specific
container can be guaranteed to never use them.

We could just fix this for host container, but we might as well
make it generic. This patch unconditionally adds exposed ports to
the container config - it was previously conditional on a network
namespace being configured. The behavior of `podman inspect` with
exposed ports when using `--net=container:` has also been
corrected. Previously, we used exposed ports from the container
sharing its network namespace, which was not correct. Now, we use
regular port bindings from the namespace container, but exposed
ports from our own container.

Fixes https://issues.redhat.com/browse/RHEL-60382

Signed-off-by: Matt Heon <[email protected]>
@rhatdan
Copy link
Member

rhatdan commented Sep 27, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 27, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit e1496c9 into containers:main Sep 27, 2024
74 checks passed
mheon added a commit to mheon/libpod that referenced this pull request Oct 4, 2024
Undoing some of my own work here from containers#24090 now that we have the
ExposedPorts field implemented in inspect. I considered a revert
of that patch, but it's still needed as without it we'd be
including exposed ports when --net=container which is not
correct.

Basically, exposed ports for a container should always go in the
new ExposedPorts field we added. They sometimes go in the Ports
field in NetworkSettings, but only when the container is not
net=host and not net=container. We were always including exposed
ports, which was not correct, but is an easy logical fix.

Also required is a test change to correct the expected behavior
as we were testing for incorrect behavior.

Fixes https://issues.redhat.com/browse/RHEL-60382

Signed-off-by: Matt Heon <[email protected]>
TomSweeneyRedHat pushed a commit to TomSweeneyRedHat/podman that referenced this pull request Oct 22, 2024
Undoing some of my own work here from containers#24090 now that we have the
ExposedPorts field implemented in inspect. I considered a revert
of that patch, but it's still needed as without it we'd be
including exposed ports when --net=container which is not
correct.

Basically, exposed ports for a container should always go in the
new ExposedPorts field we added. They sometimes go in the Ports
field in NetworkSettings, but only when the container is not
net=host and not net=container. We were always including exposed
ports, which was not correct, but is an easy logical fix.

Also required is a test change to correct the expected behavior
as we were testing for incorrect behavior.

Fixes https://issues.redhat.com/browse/RHEL-60382

Signed-off-by: Matt Heon <[email protected]>
(cherry picked from commit 8061553)
Signed-off-by: tomsweeneyredhat <[email protected]>
Luap99 pushed a commit to TomSweeneyRedHat/podman that referenced this pull request Oct 25, 2024
Undoing some of my own work here from containers#24090 now that we have the
ExposedPorts field implemented in inspect. I considered a revert
of that patch, but it's still needed as without it we'd be
including exposed ports when --net=container which is not
correct.

Basically, exposed ports for a container should always go in the
new ExposedPorts field we added. They sometimes go in the Ports
field in NetworkSettings, but only when the container is not
net=host and not net=container. We were always including exposed
ports, which was not correct, but is an easy logical fix.

Also required is a test change to correct the expected behavior
as we were testing for incorrect behavior.

Fixes https://issues.redhat.com/browse/RHEL-60382

Signed-off-by: Matt Heon <[email protected]>
(cherry picked from commit 8061553)
Signed-off-by: tomsweeneyredhat <[email protected]>
TomSweeneyRedHat pushed a commit to TomSweeneyRedHat/podman that referenced this pull request Oct 28, 2024
Undoing some of my own work here from containers#24090 now that we have the
ExposedPorts field implemented in inspect. I considered a revert
of that patch, but it's still needed as without it we'd be
including exposed ports when --net=container which is not
correct.

Basically, exposed ports for a container should always go in the
new ExposedPorts field we added. They sometimes go in the Ports
field in NetworkSettings, but only when the container is not
net=host and not net=container. We were always including exposed
ports, which was not correct, but is an easy logical fix.

Also required is a test change to correct the expected behavior
as we were testing for incorrect behavior.

Fixes https://issues.redhat.com/browse/RHEL-60382

Signed-off-by: Matt Heon <[email protected]>
(cherry picked from commit 8061553)
Signed-off-by: tomsweeneyredhat <[email protected]>
TomSweeneyRedHat added a commit to TomSweeneyRedHat/podman that referenced this pull request Oct 28, 2024
This fixes an exposed ports issue in RHEL 4.9-rhel for RHEL 9.5.

This includes the fixes from the following PRs:

First PR: containers#24090
Second PR: containers#24110
Third PR: containers#24164

With an additional tweak from @Luap99 in containers#24333
regarding the looping in libpod/container_inspect.go.

This changes is needed in the 5.2-rhel branch to assure successful
upgrades as the same patches have been used for the following issues
in the Podman v4.9-rhel branch

Fixes: https://issues.redhat.com/browse/ACCELFIX-299
Fixes: https://issues.redhat.com/browse/ACCELFIX-300

Signed-off-by: tomsweeneyredhat <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants