rootless+pasta can not use localhost IP address in published ports

[HorseLuke]

Description

Abstract:

When enabling pasta in rootless Docker, users cannot bind ports with the localhost IP address, making published ports unreachable.

Detail:

In the doc "Published ports", it states:

If you include the localhost IP address (127.0.0.1, or ::1) with the publish flag, only the Docker host and its containers can access the published container port.

This works fine in slirp4netns, but not in pasta.

When the Docker daemon runs in rootless+pasta mode, the Docker host cannot access port XXX when running with the parameter "-p 127.0.0.1:XXX:YYY". It always results in a connection reset. Curl will report an error: [Connection reset by peer] (curl: (56) Recv failure: Connection reset by peer).

In some scenarios, this is not secure because it cannot be limited to binding to 127.0.0.1.

Reproduce

1. Install fresh debian 12, then install pasta for user root.

2. Go to abc user, command:

sudo -u abc /bin/bash

3. install docker in rootless mode for user abc.

4. change slirp4netns to pasta in docker rootless service file. Restart rootless docker.

5. run docker run command, without localhost IP address in published ports:

docker run --name test-nginx --rm -p 9999:80 nginx:1.27.2-bookworm

6. run curl command in another terminal:

curl -v http://127.0.0.1:9999

7. stop step 5, then run docker run command, with localhost IP address in published ports:

docker run --name test-nginx --rm -p 127.0.0.1:9999:80 nginx:1.27.2-bookworm

8. run curl command in another terminal:

curl -v http://127.0.0.1:9999

Expected behavior

Expected:

Step 6 and step 8 sould produce same http ok result.

curl -v http://127.0.0.1:9999
*   Trying 127.0.0.1:9999...
* Connected to 127.0.0.1 (127.0.0.1) port 9999 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:9999
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.27.2
...

Actual:

Step 8 error:

abc@dev:~$ curl -v http://127.0.0.1:9999
*   Trying 127.0.0.1:9999...
* Connected to 127.0.0.1 (127.0.0.1) port 9999 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:9999
> User-Agent: curl/7.88.1
> Accept: */*
> 
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

docker version

Client: Docker Engine - Community
Version: 27.3.1
API version: 1.47
Go version: go1.22.7
Git commit: ce12230
Built: Fri Sep 20 11:41:11 2024
OS/Arch: linux/amd64
Context: default

Server: Docker Engine - Community
Engine:
Version: 27.3.1
API version: 1.47 (minimum version 1.24)
Go version: go1.22.7
Git commit: 41ca978
Built: Fri Sep 20 11:41:11 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.22
GitCommit: 7f7fdf5fed64eb6a7caf99b3e12efcf9d60e311c
runc:
Version: 1.1.14
GitCommit: v1.1.14-0-g2c9f560
docker-init:
Version: 0.19.0
GitCommit: de40ad0
rootlesskit:
Version: 2.3.1
ApiVersion: 1.1.1
NetworkDriver: pasta
StateDir: /run/user/1001/dockerd-rootless

docker info

Client: Docker Engine - Community
Version: 27.3.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.17.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.29.7
Path: /usr/libexec/docker/cli-plugins/docker-compose

Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 27.3.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: true
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7f7fdf5fed64eb6a7caf99b3e12efcf9d60e311c
runc version: v1.1.14-0-g2c9f560
init version: de40ad0
Security Options:
seccomp
Profile: builtin
rootless
cgroupns
Kernel Version: 6.1.0-26-amd64
Operating System: Debian GNU/Linux 12 (bookworm)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.6GiB
Name: vm2
ID: 6b9367f5-d0c4-4c5a-a1bb-452f07fbfe78
Docker Root Dir: /data/abc/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Additional Info

/home/abc/.config/docker/daemon.json:

{"data-root":"/data/abc/docker"}

/home/abc/.config/systemd/user/docker.service.d/override.conf:

[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=pasta"
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=implicit

Other command:

abc@dev:~$ apt list --installed|grep passt
passt/now 5e93bcd-1 all [installed,local]
(install from https://passt.top/builds/latest/x86_64/)


abc@dev:~$ systemctl --user status docker --no-pager --full
● docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/abc/.config/systemd/user/docker.service; enabled; preset: enabled)
    Drop-In: /home/abc/.config/systemd/user/docker.service.d
             └─override.conf
     Active: active (running) since Fri 2024-11-08 10:57:54 CST; 59min ago
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 443 (rootlesskit)
      Tasks: 41
     Memory: 423.0M
        CPU: 25.879s
     CGroup: /user.slice/user-1001.slice/user@1001.service/app.slice/docker.service
             ├─443 rootlesskit --state-dir=/run/user/1001/dockerd-rootless --net=pasta --mtu=1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
             ├─456 /proc/self/exe --state-dir=/run/user/1001/dockerd-rootless --net=pasta --mtu=1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
             ├─485 pasta --stderr --ns-ifname=tap0 --mtu=1500 --config-net --address=10.0.2.100 --netmask=24 --gateway=10.0.2.2 --dns-forward=10.0.2.3 --no-map-gw --ipv4-only --tcp-ports=auto --udp-ports=auto 456
             ├─488 dockerd
             └─541 containerd --config /run/user/1001/docker/containerd/containerd.toml

[the-hotmann]

@HorseLuke is this maybe related to my ticket: #48844
Can you try iptables -t nat -F on the host and check if things work after the execution of this command?

[sbrivio-rh]

This looks like the reverse of containers/podman#24045 -- there, it was expected instead (more reasonably?) that we would not expose ports bound to loopback addresses.

Do you have a way to give pasta options? The behaviour we had before fixing the issue I mentioned can be restored with --host-lo-to-ns-lo.

In the long term, I guess it would make more sense to publish those ports on 0.0.0.0 or ::, and then use nftables to restrict access to the desired hosts/containers.

[sbrivio-rh]

@HorseLuke is this maybe related to my ticket: #48844

Not really, note that this worked with slirp4netns but it doesn't work with pasta, so I don't think that firewalling rules are involved.

[sbrivio-rh]

This looks like the reverse of containers/podman#24045 -- there, it was expected instead (more reasonably?) that we would not expose ports bound to loopback addresses.

Ah, no, wait, that one was about binding to 127.0.0.1 inside the container. This issue is about publishing with 127.0.0.1. Connection resets are actually not expected in that case, I'll need to have a look.

[HorseLuke]

Do you have a way to give pasta options? The behaviour we had before fixing the issue I mentioned can be restored with --host-lo-to-ns-lo.

Well, all options are from default installation, I didn't change any other options.

In the long term, I guess it would make more sense to publish those ports on 0.0.0.0 or ::, and then use nftables to restrict access to the desired hosts/containers.

Now I use firewalld to restrict access in hosts, but will increase ops complexity.

[sbrivio-rh]

@HorseLuke I can't reproduce this:

$ ps aux|grep "name test-nginx"|head -1
sbrivio     4617  0.0  0.3 1995092 31276 pts/1   Sl+  18:03   0:00 docker run --name test-nginx8 --rm -p 127.0.0.1:9999:80 nginx:1.27.2-bookworm
$ ps aux|grep " pasta"|head -1
sbrivio     4227  1.2  0.3  63620 29596 ?        S    18:02   0:07 pasta --foreground --stderr --ns-ifname=tap0 --mtu=1500 --no-dhcp --no-ra --address=10.0.2.100 --netmask=24 --gateway=10.0.2.2 --dns-forward=10.0.2.3 --no-map-gw --ipv4-only --tcp-ports=auto --udp-ports=auto 4205
$ curl http://127.0.0.1:9999|head -1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   615  100   615    0     0   401k      0 --:--:-- --:--:-- --:--:--  600k
<!DOCTYPE html>

With:

$ rootlesskit --version
rootlesskit version 2.2.0+dev
$ pasta --version|head -1
pasta 0.0~git20241121.238c69f-1
$ docker --version
Docker version 27.3.1, build ce12230
$ /sbin/iptables --version
iptables v1.8.9 (nf_tables)

Maybe it's really somehow related to #48844? Could you make an effort and find out where your HTTP connection attempt stops (look at nft/iptables counters, tcpdump -i lo port 9999, etc.).

[AkihiroSuda]

Should be solved in:

• pasta: set --host-lo-to-ns-lo; CI: update pasta rootless-containers/rootlesskit#482

[HorseLuke]

Confirm issue resolved. Thanks @AkihiroSuda !

Test pass environment:

term@dev:~$ rootlesskit --version
rootlesskit version 2.3.2

term@dev:~$ pasta --version
pasta 2025_01_21.4f2c8e7-2-gdd6a685
(...ignore...)

term@dev:~$ ps -aux|grep pasta
(...ignore...)
term    11376  1.4  0.0  67104 21344 ?        Ss   16:00   0:02 pasta --stderr --ns-ifname=tap0 --mtu=1500 --config-net --address=10.0.2.100 --netmask=24 --gateway=10.0.2.2 --dns-forward=10.0.2.3 --no-map-gw --ipv4-only --tcp-ports=auto --udp-ports=auto --host-lo-to-ns-lo 11347
(...ignore...)