
Rootless Docker with slirp4netns shows a Docker IP instead of the client IP #45742

Open
Georgekonsec opened this issue Jun 14, 2023 · 1 comment
Labels
area/networking area/rootless Rootless mode kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage version/24.0

Description

Actually, there is a similar closed issue, 45096, which has been moved to a discussion for that reason.

We think this is not a Traefik-specific issue, because the problem exists if you run haproxy, httpd or nginx, and it is related to how you run the Docker container.

Reproduce

It works if you run the following Docker container:

docker run --rm -d --name without_ip -p 7000:80 httpd
docker logs -f without_ip

# Then curl the server to that port
curl <hostname>:7000

but it returns the Docker internal IP if you run the same container bound to a server IP:

docker run --rm -d --name with_ip -p <server_ip>:7001:80 httpd
docker logs -f with_ip

# Then curl the server to that port
curl <hostname>:7001

Expected behavior

Rootless Docker with slirp4netns should show client IPs instead of Docker internal IPs.

We would like to be able to expose an application on a specific server IP and not on all of them (0.0.0.0).

docker version

Client: Docker Engine - Community
 Version:           24.0.2
 API version:       1.43
 Go version:        go1.20.4
 Git commit:        cb74dfc
 Built:             Thu May 25 21:53:24 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.2
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.4
  Git commit:       659604f
  Built:            Thu May 25 21:51:50 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
 rootlesskit:
  Version:          1.1.0
  ApiVersion:       1.1.1
  NetworkDriver:    slirp4netns
  PortDriver:       slirp4netns
  StateDir:         /tmp/rootlesskit18755427
 slirp4netns:
  Version:          1.2.0
  GitCommit:        656041d45cfca7a4176f6b7eed9e4fe6c11e8383

docker info

Client: Docker Engine - Community
 Version:    24.0.2
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.5
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.18.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
  scan: Docker Scan (Docker Inc.)
    Version:  v0.23.0
    Path:     /usr/libexec/docker/cli-plugins/docker-scan

Server:
 Containers: 4
  Running: 4
  Paused: 0
  Stopped: 0
 Images: 4
 Server Version: 24.0.2
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: true
 Logging Driver: syslog
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 3dce8eb055cbb6872793272b4f20ed16117344f8
 runc version: v1.1.7-0-g860f061
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 5.14.0-162.23.1.el9_1.x86_64
 Operating System: AlmaLinux 9.2 (Turquoise Kodkod)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.751GiB
 Name: linctron.mkinet.net
 ID: LO3O:SAAZ:A4FE:K57B:6YAY:TOUC:S6ST:VYE6:R3BS:VKX6:WJWA:TKDG
 Docker Root Dir: /var/local/docker/ingress/.local/share/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
WARNING: No cpu shares support
WARNING: No cpuset support
WARNING: No io.weight support
WARNING: No io.weight (per device) support
WARNING: No io.max (rbps) support
WARNING: No io.max (wbps) support
WARNING: No io.max (riops) support
WARNING: No io.max (wiops) support

Additional Info

After checking slirp4netns, there is an option (--outbound-addr) to define preferred outbound IPv4/IPv6 addresses or interface names.
Could we provide an environment variable for the dockerd-rootless.sh script, like DOCKERD_ROOTLESS_ROOTLESSKIT_OUTBOUND_ADDR, so that we are able to define an IP address/network interface?

Could we use/check the pasta network driver, because it handles network interfaces differently and this probably fixes the exact problem of the Docker internal IP showing instead of the client IP.

@Georgekonsec Georgekonsec added kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage labels Jun 14, 2023
polarathene (Contributor) commented Jun 27, 2023

Mostly same docker info and docker version output, except on a Ubuntu 23.04 host via Vultr.

I reproduced that within the same host, as for some reason I can't seem to reach the host externally (doesn't seem like any iptables rules were applied? But public interfaces are bound to, and the network namespace prevents access to the direct container IP). I'm not sure if rootless containers are meant to be accessible from the internet when publishing ports; no firewall was active and the rootless docs don't seem to indicate otherwise.


Just chiming in that without binding the port to a specific interface, you'll usually get the client IP as the requested interface, except for localhost / 127.0.0.1, which is the slirp4netns gateway (10.0.2.2).

I noticed connectivity seems to rely on the rootless daemon using userland-proxy: true, which tends to be the cause of the client IP becoming a Docker network gateway IP instead. If there are iptables rules somewhere, it can probably be resolved as I have documented for the rootful daemon. This might be related to the Docker gateway IP when you bind to a specific interface.


After checking slirp4netns there is an option (--outbound-addr) to define preferred outbound ipv4/ipv6 addresses or interface names.

Isn't that for outgoing connections? I don't think that would make a difference to this issue.
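The practical consequence of what the issue reporter and polarathene describe is that anything in the container that keys on the peer address (access logs, rate limits, IP allowlists, fail2ban-style banning) sees a gateway address such as 10.0.2.2 instead of the real client. The following is an added example, not code from the issue, from Docker or from rootlesskit: it parses httpd/nginx "combined" access log lines and reports whether the logged client IPs are real clients or a container-network gateway standing in for them. The two sample logs are constructed to mirror the `-p 7000:80` and `-p <server_ip>:7001:80` cases above; the slirp4netns gateway 10.0.2.2 is taken from polarathene's comment, and the Docker bridge gateway rule (x.y.0.1 inside 172.16.0.0/12) is an assumption based on Docker's default address pool, so adjust it if your daemon uses custom pools.

```python
"""Classify client IPs in an access log: real client, or a container gateway
standing in for the client (the symptom reported in this issue)."""
import ipaddress
import re

# slirp4netns default gateway as seen from inside the container (from the thread).
SLIRP4NETNS_GATEWAY = ipaddress.ip_address("10.0.2.2")
# Assumption: Docker's default bridge address pool; custom
# "default-address-pools" in daemon.json need a different value.
DOCKER_BRIDGE_POOL = ipaddress.ip_network("172.16.0.0/12")

# Combined log format: the first field is the peer address the server saw.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def classify_ip(text):
    """Map one address to a category; a gateway means the proxy connected, not the client."""
    ip = ipaddress.ip_address(text)
    if ip == SLIRP4NETNS_GATEWAY:
        return "slirp4netns-gateway"
    # Default bridge networks are /16s whose gateway is the .0.1 host (e.g. 172.17.0.1).
    if ip in DOCKER_BRIDGE_POOL and ip.packed[2] == 0 and ip.packed[3] == 1:
        return "docker-bridge-gateway"
    if ip.is_loopback:
        return "loopback"
    return "client"


def analyze(lines):
    """Count requests per category and give a verdict on client-IP visibility."""
    counts = {}
    parsed = 0
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parsed += 1
        cat = classify_ip(m.group("ip"))
        counts[cat] = counts.get(cat, 0) + 1
    masked = counts.get("slirp4netns-gateway", 0) + counts.get("docker-bridge-gateway", 0)
    if parsed == 0:
        verdict = "no-data"
    elif masked == parsed:
        verdict = "masked"  # every request appears to come from a gateway
    elif masked:
        verdict = "partially-masked"
    else:
        verdict = "ok"
    return {"parsed": parsed, "counts": counts, "masked": masked, "verdict": verdict}


def allowlist_decision(client_ip, allowed_networks):
    """Deny-by-default allowlist check. With a masked source IP every request
    carries the gateway address, so allowlisting the gateway to "fix" access
    admits every client behind it, and not allowlisting it blocks everyone."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed_networks)


# Constructed sample logs (TEST-NET addresses) mimicking the two cases in the
# issue: "-p 7000:80" keeps the client IP, "-p <server_ip>:7001:80" shows 10.0.2.2.
LOG_WITHOUT_IP = [
    '203.0.113.7 - - [14/Jun/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 45',
    '198.51.100.23 - - [14/Jun/2023:10:00:02 +0000] "GET /admin HTTP/1.1" 403 199',
]
LOG_WITH_IP = [
    '10.0.2.2 - - [14/Jun/2023:10:01:01 +0000] "GET / HTTP/1.1" 200 45',
    '10.0.2.2 - - [14/Jun/2023:10:01:02 +0000] "GET /admin HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for name, log in (("without_ip", LOG_WITHOUT_IP), ("with_ip", LOG_WITH_IP)):
        print(name, analyze(log))
```

Run it against `docker logs with_ip` piped into a file to confirm the symptom before changing port bindings or the port driver; a "masked" verdict means no IP-based control inside that container can be trusted until the real client address is restored.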
