Include exposed ports in inspect output when net=host#24090
Merged
openshift-merge-bot[bot] merged 1 commit intocontainers:mainfrom Sep 27, 2024
Merged
Include exposed ports in inspect output when net=host#24090openshift-merge-bot[bot] merged 1 commit intocontainers:mainfrom
openshift-merge-bot[bot] merged 1 commit intocontainers:mainfrom
Conversation
Luap99
reviewed
Sep 27, 2024
pkg/specgen/generate/namespaces.go
Outdated
Comment on lines
302
to
307
Member
There was a problem hiding this comment.
I don't like this, what makes host special compared to container/pod? I would assume docker treats all the same?
Logically it seems it would be much cleaner to pass the ports outside of this switch for all net modes and then remove the expose ports from WithNetNS() to simply there.
Member
There was a problem hiding this comment.
Ok it seems to be inconsistent on the docker side as well
docker run --network container:c1 --name c2 --expose 80/tcp -d alpine sleep 1000
docker: Error response from daemon: conflicting options: port exposing and the container type network mode.
See 'docker run --help'.
[root@fedora ~]# docker run --network host --name c2 --expose 80/tcp -d alpine sleep 1000
cfec8194400a44235ef707f7ee838a89c973fed6a20e94528ee12d3793a99f62
However at the same time using an image that contains exposed ports is allowed
# docker run --network container:c1 --name c2 -d nginx sleep 1000
# docker inspect --format "{{json .Config.ExposedPorts}}" c2
{"80/tcp":{}}
So overall I think we should allow the exposed ports for all network modes.
test/e2e/run_networking_test.go
Outdated
Comment on lines
458
to
460
Member
There was a problem hiding this comment.
This seems unnecessary as we always do cleanup in e2e.
fe8ef38 to
130c7ff
Compare
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Luap99, mheon The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Previously, we didn't bother including exposed ports in the container config when creating a container with --net=host. Per Docker this isn't really correct; host-net containers are still considered to have exposed ports, even though that specific container can be guaranteed to never use them. We could just fix this for host container, but we might as well make it generic. This patch unconditionally adds exposed ports to the container config - it was previously conditional on a network namespace being configured. The behavior of `podman inspect` with exposed ports when using `--net=container:` has also been corrected. Previously, we used exposed ports from the container sharing its network namespace, which was not correct. Now, we use regular port bindings from the namespace container, but exposed ports from our own container. Fixes https://issues.redhat.com/browse/RHEL-60382 Signed-off-by: Matt Heon <mheon@redhat.com>
130c7ff to
a619c03
Compare
Member
|
/lgtm |
mheon
added a commit
to mheon/libpod
that referenced
this pull request
Oct 4, 2024
Undoing some of my own work here from containers#24090 now that we have the ExposedPorts field implemented in inspect. I considered a revert of that patch, but it's still needed as without it we'd be including exposed ports when --net=container which is not correct. Basically, exposed ports for a container should always go in the new ExposedPorts field we added. They sometimes go in the Ports field in NetworkSettings, but only when the container is not net=host and not net=container. We were always including exposed ports, which was not correct, but is an easy logical fix. Also required is a test change to correct the expected behavior as we were testing for incorrect behavior. Fixes https://issues.redhat.com/browse/RHEL-60382 Signed-off-by: Matt Heon <mheon@redhat.com>
TomSweeneyRedHat
pushed a commit
to TomSweeneyRedHat/podman
that referenced
this pull request
Oct 22, 2024
Undoing some of my own work here from containers#24090 now that we have the ExposedPorts field implemented in inspect. I considered a revert of that patch, but it's still needed as without it we'd be including exposed ports when --net=container which is not correct. Basically, exposed ports for a container should always go in the new ExposedPorts field we added. They sometimes go in the Ports field in NetworkSettings, but only when the container is not net=host and not net=container. We were always including exposed ports, which was not correct, but is an easy logical fix. Also required is a test change to correct the expected behavior as we were testing for incorrect behavior. Fixes https://issues.redhat.com/browse/RHEL-60382 Signed-off-by: Matt Heon <mheon@redhat.com> (cherry picked from commit 8061553) Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Luap99
pushed a commit
to TomSweeneyRedHat/podman
that referenced
this pull request
Oct 25, 2024
Undoing some of my own work here from containers#24090 now that we have the ExposedPorts field implemented in inspect. I considered a revert of that patch, but it's still needed as without it we'd be including exposed ports when --net=container which is not correct. Basically, exposed ports for a container should always go in the new ExposedPorts field we added. They sometimes go in the Ports field in NetworkSettings, but only when the container is not net=host and not net=container. We were always including exposed ports, which was not correct, but is an easy logical fix. Also required is a test change to correct the expected behavior as we were testing for incorrect behavior. Fixes https://issues.redhat.com/browse/RHEL-60382 Signed-off-by: Matt Heon <mheon@redhat.com> (cherry picked from commit 8061553) Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
TomSweeneyRedHat
pushed a commit
to TomSweeneyRedHat/podman
that referenced
this pull request
Oct 28, 2024
Undoing some of my own work here from containers#24090 now that we have the ExposedPorts field implemented in inspect. I considered a revert of that patch, but it's still needed as without it we'd be including exposed ports when --net=container which is not correct. Basically, exposed ports for a container should always go in the new ExposedPorts field we added. They sometimes go in the Ports field in NetworkSettings, but only when the container is not net=host and not net=container. We were always including exposed ports, which was not correct, but is an easy logical fix. Also required is a test change to correct the expected behavior as we were testing for incorrect behavior. Fixes https://issues.redhat.com/browse/RHEL-60382 Signed-off-by: Matt Heon <mheon@redhat.com> (cherry picked from commit 8061553) Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
TomSweeneyRedHat
added a commit
to TomSweeneyRedHat/podman
that referenced
this pull request
Oct 28, 2024
This fixes an exposed ports issue in RHEL 4.9-rhel for RHEL 9.5. This includes the fixes from the following PRs: First PR: containers#24090 Second PR: containers#24110 Third PR: containers#24164 With an additional tweak from @Luap99 in containers#24333 regarding the looping in libpod/container_inspect.go. This changes is needed in the 5.2-rhel branch to assure successful upgrades as the same patches have been used for the following issues in the Podman v4.9-rhel branch Fixes: https://issues.redhat.com/browse/ACCELFIX-299 Fixes: https://issues.redhat.com/browse/ACCELFIX-300 Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Previously, we didn't bother including exposed ports in the container config when creating a container with --net=host. Per Docker this isn't really correct; host-net containers are still considered to have exposed ports, even though that specific container can be guaranteed to never use them.
The change itself is quite simple. Introduce a simpler way to get exposed ports into the Libpod config (previously only possible via the overarching netns setup function) and use it when making a net=host container. Testing is similarly straightforward.
Fixes https://issues.redhat.com/browse/RHEL-60382
Does this PR introduce a user-facing change?