support slirp4netns --disable-host-loopback

See rootless-containers/slirp4netns#50, rootless-containers/slirp4netns#63 Fix #32 Signed-off-by: Akihiro Suda <[email protected]>
rootless-containers · Jan 13, 2019 · a15ff1c · a15ff1c
1 parent 16c6c0f
commit a15ff1c
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 16 deletions.
diff --git a/README.md b/README.md
@@ -102,7 +102,7 @@ USAGE:
    rootlesskit [global options] command [command options] [arguments...]
 
 VERSION:
-   0.2.0+dev
+   0.3.0-alpha.0
 
 COMMANDS:
      help, h  Shows a list of commands or help for one command
@@ -115,6 +115,7 @@ GLOBAL OPTIONS:
    --vpnkit-binary value       path of VPNKit binary for --net=vpnkit (default: "vpnkit")
    --mtu value                 MTU for non-host network (default: 65520 for slirp4netns, 1500 for others) (default: 0)
    --cidr value                CIDR for slirp4netns network (default: 10.0.2.0/24, requires slirp4netns v0.3.0+ for custom CIDR)
+   --disable-host-loopback     prohibit connecting to 127.0.0.1:* on the host namespace
    --copy-up value             mount a filesystem and copy-up the contents. e.g. "--copy-up=/etc" (typically required for non-host network)
    --copy-up-mode value        copy-up mode [tmpfs+symlink] (default: "tmpfs+symlink")
    --port-driver value         port driver for non-host network. [none, socat] (default: "none")
@@ -181,6 +182,8 @@ Default network configuration for `--net=vpnkit`:
 
 `--net=slirp4netns` supports specifying custom CIDR, e.g. `--cidr=10.0.3.0/24` (requires slirp4netns v0.3.0+)
 
+It is highly recommended to disable host loopback address by specyfing `--disable-host-loopback`.
+
 ### Port forwarding
 
 `rootlessctl` can be used for exposing the ports in the network namespace to the host network namespace.

diff --git a/cmd/rootlesskit/main.go b/cmd/rootlesskit/main.go
@@ -64,6 +64,10 @@ func main() {
 			Name:  "cidr",
 			Usage: "CIDR for slirp4netns network (default: 10.0.2.0/24, requires slirp4netns v0.3.0+ for custom CIDR)",
 		},
+		cli.BoolFlag{
+			Name:  "disable-host-loopback",
+			Usage: "prohibit connecting to 127.0.0.1:* on the host namespace",
+		},
 		cli.StringSliceFlag{
 			Name:  "copy-up",
 			Usage: "mount a filesystem and copy-up the contents. e.g. \"--copy-up=/etc\" (typically required for non-host network)",
@@ -148,6 +152,10 @@ func createParentOpt(clicontext *cli.Context) (*parent.Opt, error) {
 	if err != nil {
 		return nil, err
 	}
+	disableHostLoopback := clicontext.Bool("disable-host-loopback")
+	if !disableHostLoopback {
+		logrus.Warn("specifying --disable-host-loopback is highly recommended to prohibit connecting to 127.0.0.1:* on the host namespace (requires slirp4netns v0.3.0+ or VPNKit)")
+	}
 	switch s := clicontext.String("net"); s {
 	case "host":
 		// NOP
@@ -162,21 +170,23 @@ func createParentOpt(clicontext *cli.Context) (*parent.Opt, error) {
 		if _, err := exec.LookPath(binary); err != nil {
 			return nil, err
 		}
-		opt.NetworkDriver = slirp4netns.NewParentDriver(binary, mtu, ipnet)
+		opt.NetworkDriver = slirp4netns.NewParentDriver(binary, mtu, ipnet, disableHostLoopback)
 	case "vpnkit":
 		if ipnet != nil {
 			return nil, errors.New("custom cidr is supported only for --net=slirp4netns (with slirp4netns v0.3.0+)")
 		}
-
 		binary := clicontext.String("vpnkit-binary")
 		if _, err := exec.LookPath(binary); err != nil {
 			return nil, err
 		}
-		opt.NetworkDriver = vpnkit.NewParentDriver(binary, mtu)
+		opt.NetworkDriver = vpnkit.NewParentDriver(binary, mtu, disableHostLoopback)
 	case "vdeplug_slirp":
 		if ipnet != nil {
 			return nil, errors.New("custom cidr is supported only for --net=slirp4netns (with slirp4netns v0.3.0+)")
 		}
+		if disableHostLoopback {
+			return nil, errors.New("--disable-host-loopback is not supported for vdeplug_slirp")
+		}
 		opt.NetworkDriver = vdeplugslirp.NewParentDriver(mtu)
 	default:
 		return nil, errors.Errorf("unknown network mode: %s", s)

diff --git a/pkg/network/slirp4netns/slirp4netns.go b/pkg/network/slirp4netns/slirp4netns.go
@@ -19,7 +19,9 @@ import (
 // NewParentDriver instantiates new parent driver.
 // ipnet is supported only for slirp4netns v0.3.0+.
 // ipnet MUST be nil for slirp4netns < v0.3.0.
-func NewParentDriver(binary string, mtu int, ipnet *net.IPNet) network.ParentDriver {
+//
+// disableHostLoopback is supported only for slirp4netns v0.3.0+
+func NewParentDriver(binary string, mtu int, ipnet *net.IPNet, disableHostLoopback bool) network.ParentDriver {
 	if binary == "" {
 		panic("got empty slirp4netns binary")
 	}
@@ -30,18 +32,20 @@ func NewParentDriver(binary string, mtu int, ipnet *net.IPNet) network.ParentDri
 		mtu = 65520
 	}
 	return &parentDriver{
-		binary: binary,
-		mtu:    mtu,
-		ipnet:  ipnet,
+		binary:              binary,
+		mtu:                 mtu,
+		ipnet:               ipnet,
+		disableHostLoopback: disableHostLoopback,
 	}
 }
 
 const opaqueTap = "slirp4netns.tap"
 
 type parentDriver struct {
-	binary string
-	mtu    int
-	ipnet  *net.IPNet
+	binary              string
+	mtu                 int
+	ipnet               *net.IPNet
+	disableHostLoopback bool
 }
 
 func (d *parentDriver) MTU() int {
@@ -56,6 +60,9 @@ func (d *parentDriver) ConfigureNetwork(childPID int, stateDir string) (*common.
 	}
 	ctx, cancel := context.WithCancel(context.Background())
 	opts := []string{"--mtu", strconv.Itoa(d.mtu)}
+	if d.disableHostLoopback {
+		opts = append(opts, "--disable-host-loopback")
+	}
 	if d.ipnet != nil {
 		opts = append(opts, "--cidr", d.ipnet.String())
 	}

diff --git a/pkg/network/vpnkit/vpnkit.go b/pkg/network/vpnkit/vpnkit.go
@@ -20,7 +20,7 @@ import (
 	"github.com/rootless-containers/rootlesskit/pkg/network"
 )
 
-func NewParentDriver(binary string, mtu int) network.ParentDriver {
+func NewParentDriver(binary string, mtu int, disableHostLoopback bool) network.ParentDriver {
 	if binary == "" {
 		panic("got empty vpnkit binary")
 	}
@@ -35,8 +35,9 @@ func NewParentDriver(binary string, mtu int) network.ParentDriver {
 		// NOTE: iperf3 stops working with MTU >= 16425
 	}
 	return &parentDriver{
-		binary: binary,
-		mtu:    mtu,
+		binary:              binary,
+		mtu:                 mtu,
+		disableHostLoopback: disableHostLoopback,
 	}
 }
 
@@ -47,8 +48,9 @@ const (
 )
 
 type parentDriver struct {
-	binary string
-	mtu    int
+	binary              string
+	mtu                 int
+	disableHostLoopback bool
 }
 
 func (d *parentDriver) MTU() int {
@@ -60,6 +62,9 @@ func (d *parentDriver) ConfigureNetwork(childPID int, stateDir string) (*common.
 	vpnkitSocket := filepath.Join(stateDir, "vpnkit-ethernet.sock")
 	vpnkitCtx, vpnkitCancel := context.WithCancel(context.Background())
 	vpnkitCmd := exec.CommandContext(vpnkitCtx, d.binary, "--ethernet", vpnkitSocket, "--mtu", strconv.Itoa(d.mtu))
+	if d.disableHostLoopback {
+		vpnkitCmd.Args = append(vpnkitCmd.Args, "--host-ip", "0.0.0.0")
+	}
 	vpnkitCmd.SysProcAttr = &syscall.SysProcAttr{
 		Pdeathsig: syscall.SIGKILL,
 	}