Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ExposedPorts to Inspect's ContainerConfig #24110

Merged
merged 1 commit into from
Oct 2, 2024

Conversation

mheon
Copy link
Member

@mheon mheon commented Sep 30, 2024

A field we missed versus Docker. Matches the format of our existing Ports list in the NetworkConfig, but only includes exposed ports (and maps these to struct{}, as they never go to real ports on the host).

Fixes https://issues.redhat.com/browse/RHEL-60382

Does this PR introduce a user-facing change?

Added a new field to the output of inspect for containers, `Config.ExposedPorts`, which includes all exposed ports from the container, improving our Docker compatibility.

@openshift-ci openshift-ci bot added release-note approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Sep 30, 2024
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WE do seems to set exposed ports in the compat API (pkg/api/handlers/compat/containers.go) but there it seems to read of the ports setting so this seems wrong and should be updated now.

Given the code there I also did another test on an image with no exposed ports

[root@fedora ~]# docker run --name test3 -d -p 8081:1234  alpine sleep 1000
323c1996cf21b1148f12cac52be99bcf187210953a4360a77c274a6f04dbf874
[root@fedora ~]# docker inspect --format '{{json .Config.ExposedPorts}}' test3
{"1234/tcp":{}}
[root@fedora ~]# docker inspect --format '{{json .NetworkSettings.Ports}}' test3
{"1234/tcp":[{"HostIp":"0.0.0.0","HostPort":"8081"},{"HostIp":"::","HostPort":"8081"}]}

So it seems even if there is no port exposed and only published it will still show under exposed ports. I do not think your code behaves the same way in that regard

@mheon
Copy link
Member Author

mheon commented Sep 30, 2024

Yep, I'll sneak that fix in.

@mheon mheon force-pushed the fix_rhel_60382_round_2 branch from 1cad35f to 006c953 Compare September 30, 2024 13:25
@github-actions github-actions bot added the kind/api-change Change to remote API; merits scrutiny label Sep 30, 2024
@mheon mheon force-pushed the fix_rhel_60382_round_2 branch 2 times, most recently from ba52a12 to 6026b95 Compare September 30, 2024 13:57
@mheon
Copy link
Member Author

mheon commented Sep 30, 2024

@Luap99 Can you check what happens with --net=container: with non-expose port mappings being included? Do we get the other container's mappings?

@Luap99
Copy link
Member

Luap99 commented Sep 30, 2024

@Luap99 Can you check what happens with --net=container: with non-expose port mappings being included? Do we get the other container's mappings?

This is where test3 has a exposed port:

[root@fedora ~]# docker run --name test4 --network container:test3 -d alpine sleep 1000
36789e49da5324ce7d8ed71d1fbbdfc2458f80b6e033bdd995fe3ecd66a6a49a
[root@fedora ~]# docker inspect --format '{{json .NetworkSettings.Ports}}' test4
{}
[root@fedora ~]# docker inspect --format '{{json .Config.ExposedPorts}}' test4
null

So there do not include thee network info for the dependency container so this seems different from our podman logic in getContainerNetworkInfo() where we lookup the netns container first and then use that. But I guess as exposed ports are handled outside of that we can fix it at least for them

@mheon mheon force-pushed the fix_rhel_60382_round_2 branch 2 times, most recently from 400080c to 0fec8d1 Compare September 30, 2024 16:09
Comment on lines 472 to 474
for _, mapping := range c.config.PortMappings {
for i := range mapping.Range {
exposedPorts[fmt.Sprintf("%d/%s", mapping.ContainerPort + i, mapping.Protocol)] = struct{}{}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the type documentation describes the protocol ass comma separated value which other callers looping over it respect, i.e. makeInspectPortBindings()

That should be impossible in practise to get here as our port validation on container creation should split them out per protocol but I think we shoould try to keep this looping consistent. I wonder if we need a helper function to correctly iterate over them. I think go 1.23 even added support for actual iterators so we could define a custom one.

Looking at nv it seems we ignore that possibility there so maybe it is to late anyway and we should simplify our looping in the other places instead and ensure that our port parsing will never add ports with comma separated protocols.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of changing iteration, would you mind if I just add validation to the libpod container create code to make sure no port includes a comma-separated protocol list? I think, for sanity's sake, we should guarantee protocol is a single protocol per PortMapping struct within libpod.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah that would work for me, though looking at the code I think it is guaranteed today already

name: "one port three protocols",

I am not sure where you would add the validation? In the With...() libpod functions where we pass the ports? With the current code the risk is that we missing parsing the ports somewhere I guess

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd probably do it in container_validate.go to ensure it happens after we have a complete config, just in case.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds good to me

@mheon mheon force-pushed the fix_rhel_60382_round_2 branch from 0fec8d1 to d0b0864 Compare September 30, 2024 18:25
Copy link

Ephemeral COPR build failed. @containers/packit-build please check.

@mheon mheon force-pushed the fix_rhel_60382_round_2 branch from d0b0864 to 5a20dd5 Compare September 30, 2024 19:20
A field we missed versus Docker. Matches the format of our
existing Ports list in the NetworkConfig, but only includes
exposed ports (and maps these to struct{}, as they never go to
real ports on the host).

Fixes https://issues.redhat.com/browse/RHEL-60382

Signed-off-by: Matt Heon <[email protected]>
@mheon mheon force-pushed the fix_rhel_60382_round_2 branch from 5a20dd5 to edc3dc5 Compare October 1, 2024 11:55
@mheon
Copy link
Member Author

mheon commented Oct 1, 2024

Tests look to be going green, @containers/podman-maintainers PTAL

Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

openshift-ci bot commented Oct 1, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99, mheon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rhatdan
Copy link
Member

rhatdan commented Oct 2, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 2, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 75a6a66 into containers:main Oct 2, 2024
73 checks passed
TomSweeneyRedHat added a commit to TomSweeneyRedHat/podman that referenced this pull request Oct 28, 2024
This fixes an exposed ports issue in RHEL 4.9-rhel for RHEL 9.5.

This includes the fixes from the following PRs:

First PR: containers#24090
Second PR: containers#24110
Third PR: containers#24164

With an additional tweak from @Luap99 in containers#24333
regarding the looping in libpod/container_inspect.go.

This changes is needed in the 5.2-rhel branch to assure successful
upgrades as the same patches have been used for the following issues
in the Podman v4.9-rhel branch

Fixes: https://issues.redhat.com/browse/ACCELFIX-299
Fixes: https://issues.redhat.com/browse/ACCELFIX-300

Signed-off-by: tomsweeneyredhat <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/api-change Change to remote API; merits scrutiny lgtm Indicates that a PR is ready to be merged. release-note
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants