Description
/kind bug
Description
For a rootless container the source IP of incoming packets on a publish port is always 127.0.0.1. Even if the request is made from an external host.
Steps to reproduce the issue:
- Start a NGINX container:
machine-1$ podman run -p 8888:80 docker.io/library/nginx:latest
- Make a request from another node.
machine-2$ curl http://machine-1:8888
- Look at the source ip of the request in NGINX stdout log:
127.0.0.1 - - [09/Feb/2020:21:54:17 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.66.0" "-"
Describe the results you received:
The logged source address is always 127.0.0.1
Describe the results you expected:
The logged source ip address to match the ip of the host the request was coming from.
Additional information you deem important (e.g. issue happens only occasionally):
In Podman 1.7 this worked as expected. And it's probably related to:
Rootless Podman now uses Rootlesskit for port forwarding, which should greatly improve performance and capabilities
Output of podman version:
Version: 1.8.0
RemoteAPI Version: 1
Go Version: go1.13.6
OS/Arch: linux/amd64
Output of podman info --debug:
debug:
compiler: gc
git commit: ""
go version: go1.13.6
podman version: 1.8.0
host:
BuildahVersion: 1.13.1
CgroupVersion: v2
Conmon:
package: conmon-2.0.10-2.fc31.x86_64
path: /usr/libexec/crio/conmon
version: 'conmon version 2.0.10, commit: 6b526d9888abb86b9e7de7dfdeec0da98ad32ee0'
Distribution:
distribution: fedora
version: "31"
IDMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
MemFree: 239222784
MemTotal: 16487555072
OCIRuntime:
name: crun
package: crun-0.12.1-1.fc31.x86_64
path: /usr/bin/crun
version: |-
crun version 0.12.1
commit: df5f2b2369b3d9f36d175e1183b26e5cee55dd0a
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
SwapFree: 8187277312
SwapTotal: 8329883648
arch: amd64
cpus: 8
eventlogger: journald
hostname: prefect
kernel: 5.4.17-200.fc31.x86_64
os: linux
rootless: true
slirp4netns:
Executable: /usr/bin/slirp4netns
Package: slirp4netns-0.4.0-20.1.dev.gitbbd6f25.fc31.x86_64
Version: |-
slirp4netns version 0.4.0-beta.3+dev
commit: bbd6f25c70d5db2a1cd3bfb0416a8db99a75ed7e
uptime: 1h 17m 29.71s (Approximately 0.04 days)
registries:
search:
- docker.io
- registry.fedoraproject.org
- registry.access.redhat.com
- registry.centos.org
- quay.io
store:
ConfigFile: /home/bas/.config/containers/storage.conf
ContainerStore:
number: 22
GraphDriverName: overlay
GraphOptions:
overlay.mount_program:
Executable: /usr/bin/fuse-overlayfs
Package: fuse-overlayfs-0.7.5-2.fc31.x86_64
Version: |-
fusermount3 version: 3.6.2
fuse-overlayfs: version 0.7.5
FUSE library version 3.6.2
using FUSE kernel interface version 7.29
GraphRoot: /var/home/bas/.local/share/containers/storage
GraphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "false"
ImageStore:
number: 232
RunRoot: /run/user/1000
VolumePath: /var/home/bas/.local/share/containers/storage/volumes
Package info (e.g. output of rpm -q podman or apt list podman):
podman-1.8.0-2.fc31.x86_64
Additional environment details (AWS, VirtualBox, physical, etc.):
Silverblue 31.20200209.0 (Workstation Edition)