-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Connections to the port exposed via --publish are dropped and do not reach the contained process #22959
Comments
Note that before enabling IPv6 support, the result was the same. |
Does something like this:
work for you? |
First, changing ipv6_enabled to true doesn't do anything unless you actually add a ipv6 subnet to the config, compare a network created with Second, as rootless the default (podman) network isn't even used unless you specify
|
Also as root we do support forward via ::1 at all, see #14491 |
@sbrivio-rh Nope:
|
I don't really understand how public ips addresses are relevant here; I'm trying to connect to a container running on this same host; no networking is happening across [physical] hosts. |
Apparently my router was in some bogus state and had no public IPv6. I restarted it and now I have a public IPv6. The requirements is still a problem: sometimes I visit regions with no IPv6 connectivity, and I still want to run a container on my laptop and connect to it. Actually, sometimes I'm on a train with no public IPv6 or IPv4 at all. |
The configuration of the upstream interface is relevant because pasta, by default, tries to mimic as close as possible the host networking. By doing so, in the bigger picture, you can avoid NAT because the container inherits the addresses that are assigned to the upstream interface on the host. See also: #22771 (comment). Another advantage is that we don't have to hardcode any address or route (like slirp4netns would do), see also https://bugzilla.redhat.com/show_bug.cgi?id=2277954#c5. This is just the default: you can override the upstream interface with
Right, we realised just recently this isn't great for containers on trains or busses, see: #22737 (reply in thread) and following comments. I'm currently looking for a viable solution that doesn't break the whole model. The biggest problem I'm facing is that if we skip configuring addresses and routes because none were present on the host (for a given IP version), we risk making issues like #22197 worse: there, it's actually important that pasta refuses to wait until networking is ready (because, in that case, it will be ready, at some point). The proper solution for that issue would be in systemd (systemd/systemd#3312), but I'm not sure that will ever be addressed, so we can't plan on ignoring that, either. |
The address on the host can change during the lifetime of the container. If you want to avoid NAT and inherit the same IP on the container, then you're going to have to update the container's IP every time that the host IP changes. Perhaps it's feasible to assing non-routable IPv6 addresses (if those are the only available) and update the container with routable addresses when/if those are assigned on the host? In any case, using non-routable addresses would be better than using none, since currently the container is not reachable when using |
RIght, that was my idea to start with, but it comes with further complications, see #22737 (reply in thread).
That might be a good idea nevertheless, I'll need to check. Patches (tested, in this case ;)) are warmly welcome as well. |
A friendly reminder that this issue had no activity for 30 days. |
Sorry I am not following the conversation here, is there actually a specific work item tracked here in either pasta or podman or can this be closed? |
@Luap99 Yes, this is still an issue. To summarise, if the host doesn't have a publicly routable IPv6 address when a container is started, the container cannot be reached from the host (with the default configuration). |
Kind of, in the sense that loosening start-up checks and admitting IPv6 addresses that are not routable is one of the bits that could improve support for the use case described at #22737 (reply in thread), in the short term.
...via IPv6, that is. |
This is what Firefox, curl any most other clients try by default. Note that the host is reachable, but refuses the connection, so there is never any reason for clients to retry using IPv4. |
Ouch, I missed this detail. |
I don't understand this part. A connection will always get connection refused when connecting to a local port where nothing is listening. So why should this ever be reason to not retry for curl, firefox, etc...? And trying this locally I see curl and firefox trying ::1 first and then fall back to 127.0.0.1, so what am I missing here? |
I looked into this, but if we include link-local addresses in the set "non-routable" ones we might accept to use (if we don't, that won't fix your use case), it might very well mean that we'll assign, or not, a global unicast address to the guest depending on timing (see also #22197). Should systemd/systemd#3312 ever get fixed, that would be much less critical and I would go ahead with this kind of change, but as long as it's not, it risks causing bigger issues. So I'd rather implement a more comprehensive fix that involves monitoring host addresses and routes via netlink. We started reporting some ideas and concerns in section 2. of this pad. |
I'm not sure that systemd/systemd#3312 would help. I suppose that you intend to monitor Regardless, such a solution would only work on configurations using systemd; the issue would still need a separate portable solution for other distributions.
This sounds a lot more reliable. |
Issue Description
Exposing a port via
--publish
on a system with IPv6 doesn't work.The default network does not have IPv6 enabled by default, but I enabled it manually.
I edited
.local/share/containers/storage/networks/podman.json
to include"ipv6_enabled": true,
before starting the container to enable IPv6. Connections are now received by podman, but immediately dropped, and never reach the container.Steps to reproduce the issue
Steps to reproduce the issue
podman run --rm --publish 8001:8001 whynothugo/vdirsyncer-devkit-radicale
curl 'http://[::1]:8001'
Describe the results you received
Describe the results you expected
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
No response
Additional information
Attempting to use
localhost
instead of a specific IP fail too:I suppose that in some configurations
curl
might prefer IPv4 and it would work, but that's mostly luck.The text was updated successfully, but these errors were encountered: