[Traefik] Rootless Docker with slirp4netns doesn't show user IP #45337
Replies: 7 comments
-
In addition, here are the slirp4netns launch options (`ps aux | grep slirp`):

```
virt 2675625 0.0 0.1 1311380 20948 ? Ssl 18:25 0:00 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=slirp4netns --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
virt 2675636 0.0 0.1 1163324 19712 ? Sl 18:25 0:00 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=slirp4netns --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
virt 2675654 0.3 0.0 14216 4516 ? S 18:25 0:02 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --api-socket /tmp/rootlesskit3603596150/.s4nn.sock --enable-sandbox --enable-seccomp 2675636 tap0
```

Thank you!
-
Mind if I take a look at this?
-
Please provide a full reproducer.
You don't need to ask for permission 🙂
-
When using `docker run -p 8080:80 nginx`, I can't reproduce my issue. I will provide you my full docker-compose ASAP.
-
Here is a dump of my traefik configuration. It was working well when using standard docker instead of rootless docker.

```yaml
version: '3.4'
services:
  # External dependencies
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    ports:
      - "SERVER_IP:80:80"
      - "SERVER_IP:443:443"
      - "SERVER_IP:9080:8080"
    volumes:
      - "/data/cloud/traefik/:/etc/traefik/"
      - "/run/user/1001/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.http.routers.traefik.rule=Host(`traefik.DOMAIN_NAME`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.middlewares=sso@docker,https_headers@file"
    networks:
      - default
      - traefik
  whoami:
    image: traefik/whoami
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.who.rule=Host(`who.DOMAIN_NAME`) || Host(`who.DOMAIN_NAME2`)"
      - "traefik.http.routers.who.service=svc_who"
      - "traefik.http.routers.who.tls=true"
      - "traefik.http.routers.who.tls.certresolver=myresolver"
      - "traefik.http.routers.who.middlewares=admin@file,https_headers@file"
      - "traefik.http.services.svc_who.loadbalancer.server.port=80"
    networks:
      - default
      - traefik
```

Traefik configuration
-
Given that `docker run` works as expected, this seems to be a traefik specific issue. I will move to a discussion.
-
Actually this does not seem to be a traefik specific issue. The problem exists if you run haproxy, httpd or nginx applications, and it is related to how you run the docker container. It works if you run the following docker container:
but it returns the docker internal IP if you run the same docker container with a server IP:
We would like to be able to expose an application on a specific server IP and not on all of them (0.0.0.0). After checking slirp4netns there is an option (`--outbound-addr`) to define preferred outbound IPv4/IPv6 addresses or interface names. Could we use/check the pasta network driver? It handles the network interfaces differently, and this probably fixes the exact problem with the Docker internal IP appearing instead of the client IP.
-
Description
When using rootless docker with slirp4netns an internal IP is shown instead of the real one.
Example:
Reproduce
Add

```
[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
```

in `~/.config/systemd/user/docker.service.d/override.conf`.
Reload the docker daemon and restart it.
Run two containers: a traefik and a traefik/whoami instance.
Expected behavior
X-Real-Ip should contain the real user IP instead of the IP of the docker network gateway.
docker version

```
Client: Docker Engine - Community
 Version:           23.0.1
 API version:       1.42
 Go version:        go1.19.5
 Git commit:        a5ee5b1
 Built:             Thu Feb 9 19:46:54 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.1
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       bc3805a
  Built:            Thu Feb 9 19:46:54 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.18
  GitCommit:        2456e983eb9e37e47538f59ea18f2043c9a73640
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
 rootlesskit:
  Version:          1.1.0
  ApiVersion:       1.1.1
  NetworkDriver:    slirp4netns
  PortDriver:       slirp4netns
  StateDir:         /tmp/rootlesskit3603596150
 slirp4netns:
  Version:          1.2.0
  GitCommit:        656041d45cfca7a4176f6b7eed9e4fe6c11e8383
```
docker info
Additional Info
No response
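A way to make the symptom measurable rather than eyeballed, as an added example that is not part of this thread or of the Docker, rootlesskit or Traefik projects: the script below parses `traefik/whoami` output and reports whether the address the edge saw is a plausible client or a Docker-internal gateway. The point matters beyond cosmetics: anything keyed on the client address (IP allowlist middlewares, per-IP rate limits, access logs used for incident review) silently stops working when every request appears to come from the gateway. The network ranges, container names and addresses in the samples are constructed; the `172.18.0.0/16` and `10.0.2.0/24` subnets are assumptions to be replaced with what `docker network inspect` shows on the host under test.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Ranges that belong to the Docker side of the port forwarder and must never be
# reported as a client. Constructed for this example: replace them with the
# subnets shown by `docker network inspect <network>` on the host under test.
INTERNAL_NETS: list = [
    ipaddress.ip_network("172.18.0.0/16"),  # assumed: compose network for traefik/whoami
    ipaddress.ip_network("10.0.2.0/24"),    # assumed: slirp4netns tap0 subnet
]

# "Name: value" lines in whoami output; the request line ("GET / HTTP/1.1") does not match.
FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def strip_port(hostport: str) -> str:
    """Return the address part of 'host:port' or '[v6]:port'; bare addresses pass through."""
    hostport = hostport.strip()
    if hostport.startswith("["):                  # [2001:db8::1]:443
        return hostport[1:hostport.index("]")]
    if hostport.count(":") == 1:                  # 172.18.0.2:41234
        return hostport.rsplit(":", 1)[0]
    return hostport                               # 172.18.0.2 or 2001:db8::1


def parse_whoami(body: str) -> dict:
    """Flatten traefik/whoami plain-text output into {lower-cased name: first value}."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2).strip())
    return fields


@dataclass
class SourceIpCheck:
    observed: str    # the address the edge saw as the client
    source: str      # which whoami field it came from
    preserved: bool  # False when the address is a Docker-internal gateway


def check_source_ip(body: str, internal_nets: Iterable[IPNetwork] = INTERNAL_NETS) -> SourceIpCheck:
    """Decide whether the client address survived the rootless port forwarder.

    Behind Traefik the relevant field is X-Real-Ip (RemoteAddr is always Traefik's
    own container address). For a container published directly with `docker run -p`
    there is no proxy, so RemoteAddr is what the client appeared as.
    """
    fields = parse_whoami(body)
    if "x-real-ip" in fields:
        observed, source = fields["x-real-ip"], "X-Real-Ip"
    else:
        observed, source = strip_port(fields["remoteaddr"]), "RemoteAddr"
    addr = ipaddress.ip_address(observed)
    natted = any(addr in net for net in internal_nets)
    return SourceIpCheck(observed, source, not natted)


# Constructed whoami responses. The first is what a working setup returns: Traefik
# saw the real client 203.0.113.7 (TEST-NET-3). The second is the symptom from this
# thread: the same request, but the edge only saw the Docker network gateway.
SAMPLE_PRESERVED = """Hostname: 3f1c2a9b8d7e
IP: 127.0.0.1
IP: 172.18.0.3
RemoteAddr: 172.18.0.2:41234
GET / HTTP/1.1
Host: who.example.test
User-Agent: curl/7.88.1
Accept: */*
X-Forwarded-For: 203.0.113.7
X-Forwarded-Host: who.example.test
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 9a8b7c6d5e4f
X-Real-Ip: 203.0.113.7
"""
SAMPLE_NATTED = SAMPLE_PRESERVED.replace("203.0.113.7", "172.18.0.1")

# Constructed: whoami published directly (no Traefik), so only RemoteAddr is available.
SAMPLE_DIRECT = """Hostname: 0c1d2e3f4a5b
IP: 10.0.2.100
RemoteAddr: 10.0.2.2:55555
GET / HTTP/1.1
Host: 192.0.2.10:8080
"""


def main() -> None:
    cases = [("via traefik", SAMPLE_PRESERVED), ("via traefik, SNAT", SAMPLE_NATTED), ("direct", SAMPLE_DIRECT)]
    for name, body in cases:
        r = check_source_ip(body)
        verdict = "client IP preserved" if r.preserved else "client IP LOST (Docker gateway seen)"
        print(f"{name:20} {r.source}={r.observed:15} -> {verdict}")


if __name__ == "__main__":
    main()
```

Run it against the actual body returned by `curl` from a machine outside the host, once with the service bound to `0.0.0.0` and once bound to the server IP as in the compose file above; the two verdicts differing is the reproducer the maintainers asked for, in a form that can also sit in a monitoring check so the regression is noticed if a port driver or Docker upgrade changes the behaviour again.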