diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index e8fbf5ca..8ec52bb6 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -137,6 +137,14 @@ jobs: run: | docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh slirp4netns --detach-netns + - name: "Benchmark: UDP Ports (network driver=pasta, port driver=implicit)" + run: | + docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ + rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh implicit --net=pasta + - name: "Benchmark: UDP Ports (network driver=pasta, port driver=implicit) with detach-netns" + run: | + docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ + rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh implicit --net=pasta --detach-netns - name: "Benchmark: UDP Ports (port driver=builtin)" run: | docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ @@ -145,7 +153,7 @@ jobs: run: | docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh builtin --detach-netns -# pasta+builtin does not work with UDP yet + test-integration-docker: name: "Integration test (Docker)" runs-on: ubuntu-latest diff --git a/Dockerfile b/Dockerfile index 6ccdf617..7458dda6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ARG UBUNTU_VERSION=22.04 ARG SHADOW_VERSION=4.13 ARG SLIRP4NETNS_VERSION=v1.2.0 ARG VPNKIT_VERSION=0.5.0 -ARG PASST_VERSION=2023_06_27.289301b +ARG PASST_VERSION=2023_12_04.b86afe3 ARG DOCKER_VERSION=24.0.2 ARG DOCKER_CHANNEL=stable diff --git a/cmd/rootlesskit/main.go b/cmd/rootlesskit/main.go index bb71aa58..e508101e 100644 --- a/cmd/rootlesskit/main.go +++ b/cmd/rootlesskit/main.go @@ -389,7 +389,7 @@ func createParentOpt(clicontext *cli.Context, pipeFDEnvKey, stateDirEnvKey, pare return opt, errors.New("ifname cannot be specified for --net=host") } case "pasta": - logrus.Warn("\"pasta\" network driver is experimental. Needs very recent version of pasta (see docs/network.md). No support for forwarding UDP ports (yet).") + logrus.Warn("\"pasta\" network driver is experimental. Needs very recent version of pasta (see docs/network.md).") binary := clicontext.String("pasta-binary") if _, err := exec.LookPath(binary); err != nil { return opt, err diff --git a/docs/network.md b/docs/network.md index 616ffcc2..8ed07260 100644 --- a/docs/network.md +++ b/docs/network.md @@ -146,6 +146,7 @@ If `--disable-host-loopback` is not specified, ports listening on 127.0.0.1 in t > **Note** > `--net=pasta` needs [pasta (passt)](https://passt.top/passt/) `2023_06_25.32660ce` or later. +> Using `2023_12_04.b86afe3` or later is highly recommended. > > Depending on the version of pasta and the host operating system, > running `sudo apparmor_parser -R /etc/apparmor.d/usr.bin.passt` might be needed too. @@ -157,7 +158,7 @@ Pros: * TCP port forwarding (`--port-driver=implicit`) can retain source IP addresses Cons: -* UDP port forwarding is not supported yet +* Lacks API for explicit port forwarding (`rootlessctl (list-ports|add-ports|remove-ports)`) The network configuration for pasta is similar to slirp4netns. As in `--net=slirp4netns`, specifying `--copy-up=/etc` and `--disable-host-loopback` is highly recommended. diff --git a/pkg/network/pasta/pasta.go b/pkg/network/pasta/pasta.go index e5d7291a..c68186b4 100644 --- a/pkg/network/pasta/pasta.go +++ b/pkg/network/pasta/pasta.go @@ -131,7 +131,6 @@ func (d *parentDriver) ConfigureNetwork(childPID int, stateDir, detachedNetNSPat if d.implicitPortForwarding { opts = append(opts, "--tcp-ports=auto", "--udp-ports=auto") - // TCP ports are periodically watched, but UDP ports are not. } else { opts = append(opts, "--tcp-ports=none", "--udp-ports=none") @@ -159,6 +158,7 @@ func (d *parentDriver) ConfigureNetwork(childPID int, stateDir, detachedNetNSPat logrus.Debugf("killed pasta: %v", wErr) return nil }) + logrus.Debugf("Executing %v", cmd.Args) if err := cmd.Start(); err != nil { return nil, common.Seq(cleanups), fmt.Errorf("executing %v: %w", cmd, err) }