CI: update pasta (2023_11_19.4f1709d)

This version added the support for automatic UDP forwarding. https://passt.top/passt/commit/?h=2023_11_19.4f1709d&id=457ff122e33cf6a6e559b073f41c530e42d9c597 Fix issue 383 Signed-off-by: Akihiro Suda <[email protected]>
rootless-containers · Nov 21, 2023 · 49f643f · 49f643f
1 parent dbe8643
commit 49f643f
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 5 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -137,6 +137,14 @@ jobs:
       run: |
           docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
           rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh slirp4netns --detach-netns
+    - name: "Benchmark: UDP Ports (network driver=pasta, port driver=implicit)"
+      run: |
+          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
+          rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh implicit --net=pasta
+    - name: "Benchmark: UDP Ports (network driver=pasta, port driver=implicit) with detach-netns"
+      run: |
+          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
+          rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh implicit --net=pasta --detach-netns
     - name: "Benchmark: UDP Ports (port driver=builtin)"
       run: |
           docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
@@ -145,7 +153,7 @@ jobs:
       run: |
           docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
           rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh builtin --detach-netns
-# pasta+builtin does not work with UDP yet
+
   test-integration-docker:
     name: "Integration test (Docker)"
     runs-on: ubuntu-latest

diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@ ARG UBUNTU_VERSION=22.04
 ARG SHADOW_VERSION=4.13
 ARG SLIRP4NETNS_VERSION=v1.2.0
 ARG VPNKIT_VERSION=0.5.0
-ARG PASST_VERSION=2023_06_27.289301b
+ARG PASST_VERSION=2023_11_19.4f1709d
 ARG DOCKER_VERSION=24.0.2
 ARG DOCKER_CHANNEL=stable
 
@@ -53,6 +53,15 @@ RUN git clone https://passt.top/passt
 WORKDIR /passt
 ARG PASST_VERSION
 RUN git pull && git checkout $PASST_VERSION
+# <TMP>
+# [PATCH] port_fwd, util: Don't bind UDP ports with opposite-side bound TCP ports
+# https://archives.passt.top/passt-dev/[email protected]/
+ADD https://archives.passt.top/passt-dev/[email protected]/t.mbox.gz .
+RUN gunzip t.mbox.gz && \
+  git config --global user.email "dummy@localhost" && \
+  git config --global user.name "Dummy user" && \
+  git am t.mbox
+# </TMP>
 RUN make && make install
 
 FROM ubuntu:${UBUNTU_VERSION} AS test-integration

diff --git a/cmd/rootlesskit/main.go b/cmd/rootlesskit/main.go
@@ -389,7 +389,7 @@ func createParentOpt(clicontext *cli.Context, pipeFDEnvKey, stateDirEnvKey, pare
 			return opt, errors.New("ifname cannot be specified for --net=host")
 		}
 	case "pasta":
-		logrus.Warn("\"pasta\" network driver is experimental. Needs very recent version of pasta (see docs/network.md). No support for forwarding UDP ports (yet).")
+		logrus.Warn("\"pasta\" network driver is experimental. Needs very recent version of pasta (see docs/network.md).")
 		binary := clicontext.String("pasta-binary")
 		if _, err := exec.LookPath(binary); err != nil {
 			return opt, err

diff --git a/docs/network.md b/docs/network.md
@@ -146,6 +146,7 @@ If `--disable-host-loopback` is not specified, ports listening on 127.0.0.1 in t
 
 > **Note**
 > `--net=pasta` needs [pasta (passt)](https://passt.top/passt/) `2023_06_25.32660ce` or later.
+> Using `2023_11_19.4f1709d` or later is highly recommended.
 >
 > Depending on the version of pasta and the host operating system,
 > running `sudo apparmor_parser -R /etc/apparmor.d/usr.bin.passt` might be needed too.
@@ -157,7 +158,7 @@ Pros:
 * TCP port forwarding (`--port-driver=implicit`) can retain source IP addresses
 
 Cons:
-* UDP port forwarding is not supported yet
+* Lacks API for explicit port forwarding (`rootlessctl (list-ports|add-ports|remove-ports)`)
 
 The network configuration for pasta is similar to slirp4netns.
 As in `--net=slirp4netns`, specifying `--copy-up=/etc` and `--disable-host-loopback` is highly recommended.

diff --git a/pkg/network/pasta/pasta.go b/pkg/network/pasta/pasta.go
@@ -131,7 +131,6 @@ func (d *parentDriver) ConfigureNetwork(childPID int, stateDir, detachedNetNSPat
 	if d.implicitPortForwarding {
 		opts = append(opts, "--tcp-ports=auto",
 			"--udp-ports=auto")
-		// TCP ports are periodically watched, but UDP ports are not.
 	} else {
 		opts = append(opts, "--tcp-ports=none",
 			"--udp-ports=none")