On both Mac and Windows we have one well-known port and a SOCKS-like
port to tunnel connections through it. This was necessary on Windows
where ports have well-known GUIDs, but we might as well do it the same
way on both platforms for consistency.
This patch removes the dynamic binding of vsock ports, which fails on
a Windows Moby anyway.
Signed-off-by: David Scott <dave.scott@docker.com>
We now tell the 9P server
proto1:ip1:port1:<address for forwarding>
which means please listen on proto1:ip1:port1, then connect to the port
proxy in Moby and tell it the connection is for <address for forwarding>.
Note this requires a corresponding change in hostnet/vpnkit.
Signed-off-by: David Scott <dave.scott@docker.com>
On a Hyper-V system we can only register one listening endpoint (with
a GUID), so we need to accept connections, read a header and then
start the proxy.
If the binary has argv[0] == "proxy-vsockd" then run this new frontend.
Signed-off-by: David Scott <dave.scott@docker.com>
Previously the proxy would listen only on the vsock port, which is
fine for accessing the port on the host, but if a container also wants
to access the port (e.g. via `--net=host` and using the Moby IP) then
we need to listen on the IP too.
Related to [docker/pinata#2854]
Signed-off-by: David Scott <dave.scott@docker.com>
- the initial length field should be the total length of the whole
frame including the variable length field and including the length
field
- when unmarshalling, return the number of bytes of payload actually
unmarshalled and not the size of the unmarshal buffer
Signed-off-by: David Scott <dave.scott@docker.com>
The 9P operations tell the host to connect to the vsock port in the
UDP case, so always listen before sending the 9P request.
Signed-off-by: David Scott <dave.scott@docker.com>
Since the header is variable length it's useful to write a length
field first, so the peer can read the rest of the packet as a block.
Signed-off-by: David Scott <dave.scott@docker.com>
A net.UDPListener is the datagram equivalent of a net.Conn. This patch
accepts at most one connection from vsock and attempts to read and write
UDP datagrams along it.
Signed-off-by: David Scott <dave.scott@docker.com>
This represents what is needed from the frontend side of the proxy:
- the ability to receive a UDP datagram and know who it is from
- the ability to send a UDP datagram to a particular destination
- the ability to close
Signed-off-by: David Scott <dave.scott@docker.com>
The proxy process command-line arguments assume we're exposing TCP
or UDP ports on Moby's public IPs. Instead we're forwarding over vsock
where we must map the Moby ports onto vsock ports. Normally TCP and
UDP ports are different, but with vsock there is only one space of
port numbers so we have to map them into different ranges.
This patch maps Moby ports as follows:
- TCP port x onto vsock port 0x10000 + x
- UDP port x onto vsock port 0x20000 + x
Signed-off-by: David Scott <dave.scott@docker.com>
This seems to be a difference between the AF_VSOCK and AF_INET
implementations. We work around it by exiting the proxy process
immediately, which will clean up resources anyway.
Signed-off-by: David Scott <dave.scott@docker.com>
- don't try to create a `FileConn` because the Go library sees through
the scam and rejects it
- explicitly keep a reference to the `ctl` file just in case the GC
decides its dead and should be closed.
Signed-off-by: David Scott <dave.scott@docker.com>
The port will be automatically removed when the fd/fid is closed by
a process exit/crash, or by a hypervisor crash.
Signed-off-by: David Scott <dave.scott@docker.com>
The `NewProxy` function already knows how to deal with `net.UDPAddr`
and `net.TCPAddr`, this patch adds similar support for `vsock.VsockAddr`.
Signed-off-by: David Scott <dave.scott@docker.com>
This patch adds a wrapper around the `net.Conn` to include the
`CloseRead` and `CloseWrite` implementations. This patch also
exposes the `VsockAddr` type, which is similar to `TCPAddr` and
`UDPAddr`.
Signed-off-by: David Scott <dave.scott@docker.com>
We require the frontend to be a `net.Listener` and the `net.Conn`
connection which are established must be type-switched to
`Conn` to support the `CloseRead` and `CloseWrite` methods.
Signed-off-by: David Scott <dave.scott@docker.com>
The TCPProxy can proxy from anything which satisfies this interface:
type Conn interface {
io.Reader
io.Writer
io.Closer
CloseRead() error
CloseWrite() error
}
Signed-off-by: David Scott <dave.scott@docker.com>
This package supports a more normal Go interface, in particular it has:
// Listen returns a net.Listener which can accept connections on the given
// vhan port.
func Listen(port uint) (net.Listener, error)
Signed-off-by: David Scott <dave.scott@docker.com>
Note there is a slight name clash between the final binary 'proxy'
and the library formerly known as 'proxy'. Resolve this by calling
the library 'libproxy'.
Signed-off-by: David Scott <dave.scott@docker.com>
A future version of the 9P server will shutdown the forward on 9P
clunk, so if this process crashes the forward will be cleaned up
properly.
Signed-off-by: David Scott <dave.scott@docker.com>
When requesting a port forward we currently need to know the VM's
address from the point of view of the port forwarder. The easiest way to
discover this is to read it from the existing "docker" port forward.
Note this should all be revamped once we have vsock support.
Signed-off-by: David Scott <dave.scott@docker.com>
This patch removes `proxyForever` and adds `sendError` and `sendOK` for
signalling to the parent process. The main function now sequences these
functions and calls stub functions `exposePort` and `unexposePort` which
will be hooked up in a later patch.
Signed-off-by: David Scott <dave.scott@docker.com>
Previously the proxy.go would directly call `os.Exit`. This patch
causes control to return to `main` where we can tear down any port
forward.
Signed-off-by: David Scott <dave.scott@docker.com>
Previously `execProxy` would
- create the proxy
- signal success/failure to the parent
- run forever (until signalled)
Since we want to add more proxy setup and teardown, this patch
removes the proxy creation from `execProxy` and renames it to
`proxyForever`. Later patches will be able to perform the necessary
side-effects before signalling success to the parent.
Signed-off-by: David Scott <dave.scott@docker.com>
