Get rid of socat for port forwarding#1470
Conversation
|
Hi @aojea. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@aojea: GitHub didn't allow me to request PR reviews from the following users: howardjohn. Note that only containerd members and repo collaborators can review this PR, and authors cannot review their own PRs. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
487af78 to
820c134
Compare
ea07c1b to
2175e78
Compare
|
in general looks good to me, i'd like to see if we can raise @Random-Liu to take a look. |
|
/ok-to-test |
|
changed my mind. Let's wrap up Mike's comments and get this in to iterate. (no need to wait for Lantao) |
|
sry each commit has to be signed :) |
mikebrow
left a comment
There was a problem hiding this comment.
looking great.. just a couple small comments on err value and debug output..
use goroutines to copy the data from the stream to the TCP connection, and viceversa, removing the socat dependency. Quoting Lantao Liu, the logic is as follow: When one side (either pod side or user side) of portforward is closed, we should stop port forwarding. When one side is closed, the io.Copy use that side as source will close, but the io.Copy use that side as dest won't. Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
We encountered two failing end-to-end tests after the adoption of containerd#1470 in cri-o/cri-o#3749: ``` Summarizing 2 Failures: [Fail] [sig-cli] Kubectl Port forwarding With a server listening on 0.0.0.0 that expects a client request [It] should support a client that connects, sends DATA, and disconnects test/e2e/kubectl/portforward.go:343 [Fail] [sig-cli] Kubectl Port forwarding With a server listening on localhost that expects a client request [It] should support a client that connects , sends DATA, and disconnects test/e2e/kubectl/portforward.go:343 ``` Increasing the timeout to 1s fixes the issue. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
| // TODO: hardcoded to tcp4 because localhost resolves to ::1 by default if the system has IPv6 enabled. | ||
| // Theoretically happy eyeballs will try IPv6 first and fallback to IPv4 | ||
| // but resolving localhost doesn't seem to return and IPv4 address, thus failing the connection. | ||
| conn, err := net.Dial("tcp4", fmt.Sprintf("localhost:%d", port)) |
There was a problem hiding this comment.
@aojea could we do something like this?
| conn, err := net.Dial("tcp4", fmt.Sprintf("localhost:%d", port)) | |
| conn, err := net.Dial("tcp4", fmt.Sprintf("%s:%d", s.IP, port)) |
There was a problem hiding this comment.
I was just keeping the old behaviour because of my ignorance on how the ports are exposed inside the namespace.
I can explain at the network level the problem and why I think is forcing IPv4 here.
localhost, depending on some factors, may resolve to [::1] or 127.0.0.1, Long history short, commonly it resolves to [::1] if you are more interested in the whole history I explain it in this link https://gist.github.com/aojea/94f6f483173641647c731f582e52f0b0
But typically, the applications use to listen only 127.0.0.1 inside the container 🤷 , that's the part I'm missing.
If we are able to identify correctly the address that the app is listening, then is better using it, so this works for both IPv4 and IPv6, but I prefer having @mikebrow guidance here.
There was a problem hiding this comment.
it's hardcoded localhost(or 127.0.0.1):random port for sec. reasons... or at least that's what the decision was way back when.
Any change here would likely need a kep that sets up streaming ip(s) and port(s) at the CRI request and/or response level.
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
We encountered two failing end-to-end tests after the adoption of containerd#1470 in cri-o/cri-o#3749: ``` Summarizing 2 Failures: [Fail] [sig-cli] Kubectl Port forwarding With a server listening on 0.0.0.0 that expects a client request [It] should support a client that connects, sends DATA, and disconnects test/e2e/kubectl/portforward.go:343 [Fail] [sig-cli] Kubectl Port forwarding With a server listening on localhost that expects a client request [It] should support a client that connects , sends DATA, and disconnects test/e2e/kubectl/portforward.go:343 ``` Increasing the timeout to 1s fixes the issue. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is the analogous implementation to containerd/cri#1470 to remove the socat runtime dependency from CRI-O. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This is no longer true as of `containerd` v1.4.0 because [0] removes `socat` dependency for port-forwarding. For lower versions of `containerd`, the error message is descriptive i.e. `"socat": executable file not found in $PATH`. [0] containerd/cri#1470
This is no longer true as of `containerd` v1.4.0 because [0] removes `socat` dependency for port-forwarding. For lower versions of `containerd`, the error message is descriptive i.e. `"socat": executable file not found in $PATH`. [0] containerd/cri#1470 Kubernetes-commit: 64fca6bda7d36b9cc1667aa317896b540d4dcf8c
use goroutines to copy the data from the stream to the TCP
connection, and viceversa, removing the socat dependency.
Quoting Lantao Liu, the logic is as follow:
When one side (either pod side or user side) of portforward
is closed, we should stop port forwarding.
When one side is closed, the io.Copy use that side as source will close,
but the io.Copy use that side as dest won't.
Fixes: #730