Scan /proc/net/{tcp,udp} for host network driver port bindings #7746
+290
−17
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Nino-K
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Can you fix the spelling errors (by adding the words to the dictionary)? That should re-trigger the actions... |
Nino-K
force-pushed
the
procnet-scanning-guest-agent
branch
2 times, most recently
from
d621770
to
b2aa16f
Compare
This introduces a scanner that monitors entries in /proc/net/{tcp,udp}.
When using the host network driver (--net=host) in Docker or containerd,
some port bindings are not exposed through the API. However, these bindings
are still visible in /proc/net because the container shares the host network
namespace.
The procnet scanner scans the corresponding files every 3 seconds and if
a new entry is found or removed it calls the host switch API to expose
and unexpose accordingly.
Signed-off-by: Nino Kodabande <[email protected]>
Nino-K
force-pushed
the
procnet-scanning-guest-agent
branch
from
b2aa16f
to
348ef33
Compare
Signed-off-by: Nino Kodabande <[email protected]>
Added scanner_stub to accomodate for non-linux build Signed-off-by: Nino Kodabande <[email protected]>
Signed-off-by: Nino Kodabande <[email protected]>
When a container uses the host network driver (--network=host), it shares the host's network namespace. In this case, it's important to consider the IP address the container's process is bound to. For example: `nerdctl run --network=host -d python:slim python -m http.server 8020 --bind 127.0.0.1` vs `nerdctl run --network=host -d python:slim python -m http.server 8020` If the process is bound to 127.0.0.1 (localhost), we need to create additional iptables rules to allow access to the container’s bound port from outside the network namespace (e.g., localhost:8020). This change ensures that the appropriate iptables rules are created and removed when a container's port is bound to localhost, enabling external access to the bound port. Signed-off-by: Nino Kodabande <[email protected]>
Nino-K
force-pushed
the
procnet-scanning-guest-agent
branch
from
bc3af5b
to
a615fb7
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This introduces a scanner that monitors entries in
/proc/net/{tcp,udp}. When using the host network driver (--net=host) in Docker or containerd, some port bindings are not exposed through the API. However, these bindings are still visible in/proc/netbecause the container shares the host network namespace.The procnet scanner scans the corresponding files every 3 seconds and if a new entry is found or removed it calls the host switch API to expose and unexpose accordingly.
Fixes: #7378