This means that multiple builds will not conflict, so we can
remove the lock from the CI. Also quieter when no errors.
Some still left to do, only done the ones used in build and CI
initially. Some of the others will be cleaned up anyway later.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Model for the others, make sure dependencies are correct and that
only the exactly correct things are passed to Docker. No longer copy
vendor directory.
Signed-off-by: Justin Cormack <justin@specialbusservice.com>
The purpose of the `slirp-proxy` is to expose ports on the Mac or
Windows host. In d5bd7d690a we added
an additional `Listen` inside the VM for backwards compatibility
with software that expected to be able to listen on `0.0.0.0` in
one container and then access this easily from other containers
using an IP bound to the VM (instead of using a first-class network
to connect the containers or discovering a real IP of the host).
Before this patch we could only expose ports on if the Listen
succeeds on both the host and the VM. In practice this meant that
we could only expose ports on `0.0.0.0` and `127.0.0.1`; attempts
to expose ports on specific interfaces on the host would fail.
This patch treats the EADDRNOTAVAIL error from the Listen inside
the VM as a soft failure, and still attempts to Listen on the host.
If the Listen on the host fails it is still a hard failure.
This allows ports to be exposed on specific IPs used on the host.
Fixes [docker/pinata#5080]
Signed-off-by: David Scott <dave.scott@docker.com>
docker itself seems to bind to the port globally inside Moby, so we
get an EADDRINUSE if we try to do it too.
Signed-off-by: David Scott <dave.scott@docker.com>
This allows the proxy to be run easily from a terminal or other script
without requiring fd 3 to be open and writable.
Signed-off-by: David Scott <dave.scott@docker.com>
Linux xargs calls the command with no arguments if it gets no inputs, which
`docker rmi` complains about. It provides -r / --no-run-if-empty to prevent
this but unfortunately this isn't supported on OSX.
Ignore errors from `docker rmi` so that `make clean` will keep going and clean
up later stuff.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
On both Mac and Windows we have one well-known port and a SOCKS-like
port to tunnel connections through it. This was necessary on Windows
where ports have well-known GUIDs, but we might as well do it the same
way on both platforms for consistency.
This patch removes the dynamic binding of vsock ports, which fails on
a Windows Moby anyway.
Signed-off-by: David Scott <dave.scott@docker.com>
We now tell the 9P server
proto1:ip1:port1:<address for forwarding>
which means please listen on proto1:ip1:port1, then connect to the port
proxy in Moby and tell it the connection is for <address for forwarding>.
Note this requires a corresponding change in hostnet/vpnkit.
Signed-off-by: David Scott <dave.scott@docker.com>
On a Hyper-V system we can only register one listening endpoint (with
a GUID), so we need to accept connections, read a header and then
start the proxy.
If the binary has argv[0] == "proxy-vsockd" then run this new frontend.
Signed-off-by: David Scott <dave.scott@docker.com>
Previously the proxy would listen only on the vsock port, which is
fine for accessing the port on the host, but if a container also wants
to access the port (e.g. via `--net=host` and using the Moby IP) then
we need to listen on the IP too.
Related to [docker/pinata#2854]
Signed-off-by: David Scott <dave.scott@docker.com>
- the initial length field should be the total length of the whole
frame including the variable length field and including the length
field
- when unmarshalling, return the number of bytes of payload actually
unmarshalled and not the size of the unmarshal buffer
Signed-off-by: David Scott <dave.scott@docker.com>
The 9P operations tell the host to connect to the vsock port in the
UDP case, so always listen before sending the 9P request.
Signed-off-by: David Scott <dave.scott@docker.com>
Since the header is variable length it's useful to write a length
field first, so the peer can read the rest of the packet as a block.
Signed-off-by: David Scott <dave.scott@docker.com>
A net.UDPListener is the datagram equivalent of a net.Conn. This patch
accepts at most one connection from vsock and attempts to read and write
UDP datagrams along it.
Signed-off-by: David Scott <dave.scott@docker.com>
This represents what is needed from the frontend side of the proxy:
- the ability to receive a UDP datagram and know who it is from
- the ability to send a UDP datagram to a particular destination
- the ability to close
Signed-off-by: David Scott <dave.scott@docker.com>
The proxy process command-line arguments assume we're exposing TCP
or UDP ports on Moby's public IPs. Instead we're forwarding over vsock
where we must map the Moby ports onto vsock ports. Normally TCP and
UDP ports are different, but with vsock there is only one space of
port numbers so we have to map them into different ranges.
This patch maps Moby ports as follows:
- TCP port x onto vsock port 0x10000 + x
- UDP port x onto vsock port 0x20000 + x
Signed-off-by: David Scott <dave.scott@docker.com>
This seems to be a difference between the AF_VSOCK and AF_INET
implementations. We work around it by exiting the proxy process
immediately, which will clean up resources anyway.
Signed-off-by: David Scott <dave.scott@docker.com>
- don't try to create a `FileConn` because the Go library sees through
the scam and rejects it
- explicitly keep a reference to the `ctl` file just in case the GC
decides its dead and should be closed.
Signed-off-by: David Scott <dave.scott@docker.com>
The port will be automatically removed when the fd/fid is closed by
a process exit/crash, or by a hypervisor crash.
Signed-off-by: David Scott <dave.scott@docker.com>
The `NewProxy` function already knows how to deal with `net.UDPAddr`
and `net.TCPAddr`, this patch adds similar support for `vsock.VsockAddr`.
Signed-off-by: David Scott <dave.scott@docker.com>
