Port forwarding fails #11019

Closed
nt opened this issue Oct 10, 2024 · 4 comments
Labels
type: bug Something isn't working

Comments

@nt

nt commented Oct 10, 2024

Description

We run nc -l 7777 in a gvisor container and are not able to connect to it using port-forwarding.

runsc-fails-to-port-forward.log

Steps to reproduce

I produced the logs by running:

  • sudo ~/runsc -network=sandbox -debug --alsologtostderr -overlay2=all:memory run nt-test28 2>&1 | sudo tee runsc-fails-to-port-forward.log
  • sudo ~/runsc port-forward nt-test28 7777:7777
  • wget http://0.0.0.0:7777/

runsc version

runsc version release-20241007.0
spec: 1.1.0-rc.1

(I tried a more recent version but ran into this issue #10944)

Note: we run this from within a containerd container.

docker version (if using docker)

No response

uname

Linux nt-test-sandboxing-77dd9dfb8f-w79m7 5.10.213-201.855.amzn2.x86_64 #1 SMP Mon Mar 25 18:16:11 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

kubectl (if using Kubernetes)

Client Version: v1.29.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.3-eks-a18cd3a

repo state (if built from source)

No response

runsc debug logs (if available)

No response

@nt nt added the type: bug Something isn't working label Oct 10, 2024
@nt
Author

nt commented Oct 10, 2024

I was able to repro in a virtualbox (no containerd) running ubuntu/jammy:

vboxuser@Ubuntu:~$ runsc -version
runsc version release-20241007.0
spec: 1.1.0-rc.1

vboxuser@Ubuntu:~$ uname -a
Linux Ubuntu 6.8.0-40-generic #40~22.04.3-Ubuntu SMP PREEMPT_DYNAMIC Tue Jul 30 17:53:10 UTC 2 aarch64 aarch64 aarch64 GNU/Linux

another-fail.log

@milantracy
Contributor

Thanks for posting the issue.

It is a known issue which I am working on.

Out of curiosity, do you plan to use port forwarding in k8s or use it with runsc directly?

@nt
Author

nt commented Oct 11, 2024

I plan on using runsc directly (but within a containerd).

> It is a known issue which I am working on.

Is this a regression, or did it never work? Is the only way to expose services running in gvisor through host networking?

@nt
Author

nt commented Oct 11, 2024

After some more digging I was able to get port-forwarding working with sandbox networking.

The issue was not setting up the network namespace and link prior to launching the sandbox (I did not realize this is something I needed to do).

Steps I took to make it work:

On the host

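    # Create two network namespaces
    sudo ip netns add net1
    sudo ip netns add net2
    # Create a veth pair with one end in each namespace
    sudo ip link add veth1 netns net1 type veth peer name veth2 netns net2
    # Bring up loopback in both namespaces
    sudo ip netns exec net1 ip link set lo up
    sudo ip netns exec net2 ip link set lo up
    # Assign an address to each end of the veth pair (root is required here too)
    sudo ip netns exec net1 ip addr add 10.0.0.1/24 dev veth1
    sudo ip netns exec net2 ip addr add 10.0.0.2/24 dev veth2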

I also edited my config.json to include

    "linux": {
        "namespaces": [
            {
                "type": "network",
                "path": "/var/run/netns/net2"
            },
            ....
        ]
    }

After that setup, port forwarding works. Thanks for looking, I'll be closing the issue.

@nt nt closed this as completed Oct 11, 2024
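
A preflight check for the cause identified in the last comment, as an added example that is not part of the original thread or the gVisor project: it inspects an OCI config.json for the network namespace entry and confirms the referenced path exists before the sandbox is launched. The function name, status strings and sample config are assumptions made for illustration.

```python
import json
import os

# Constructed sample mirroring the config.json fragment quoted in the thread.
SAMPLE_CONFIG = """
{"linux": {"namespaces": [
    {"type": "pid"},
    {"type": "network", "path": "/var/run/netns/net2"}
]}}
"""


def check_network_namespace(config_text, path_exists=os.path.exists):
    """Classify the network namespace setup of an OCI config.json.

    Returns (status, detail). The status strings are illustrative, not runsc's.
    path_exists is injectable so the check can be exercised without a real netns.
    """
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return "invalid", f"not valid JSON: {exc}"
    if not isinstance(config, dict):
        return "invalid", "top-level value must be an object"

    linux = config.get("linux")
    namespaces = linux.get("namespaces") if isinstance(linux, dict) else None
    if not isinstance(namespaces, list):
        namespaces = []
    net = [ns for ns in namespaces
           if isinstance(ns, dict) and ns.get("type") == "network"]

    if not net:
        # OCI runtime spec: an unlisted namespace type is inherited from the runtime.
        return "inherits-runtime", "no network entry in linux.namespaces"
    if len(net) > 1:
        # OCI runtime spec: duplicate namespace types are an error.
        return "invalid", "more than one network namespace entry"
    path = net[0].get("path")
    if not path:
        # OCI runtime spec: no path means a new namespace is created, and a
        # new network namespace has no veth link in it.
        return "new-empty", "network entry has no path"
    if not path_exists(path):
        return "missing-path", f"{path} does not exist; create the netns first"
    return "ok", path


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(check_network_namespace(text))
```

Run it with the path to a bundle's config.json as the only argument; without an argument it checks the constructed sample.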