pasta: set --host-lo-to-ns-lo; CI: update pasta #482
AkihiroSuda merged 2 commits into rootless-containers:master
Regression in AkihiroSuda/passt-mirror@2024_09_06.6b38f07...2024_10_30.ee7d0b6

Regression in https://passt.top/passt/commit/?id=b4dace8f462b346ae2135af1f8d681a99a849a5f "fwd: Direct inbound spliced forwards to the guest's external address"

A minimal reproducer w/o Docker:
Updated PR to exec pasta with This flag seems already deprecated, but any chance to undeprecate it?
Oops. I would argue that it's a regression for this specific test, but not for the functionality. That is, But anyway:
...that's something that you and probably some users expected to work, so we definitely have to keep it working.

From the related discussion I would say that the only reason why it was introduced directly as deprecated is that, eventually, we would like to replace it with a more generic configuration interface (the runtime port forwarding interface I mentioned a couple of times), where one can say "map x to y" in a generic way.

But I would suggest that, until then, you can use it, and I'll make a note to find a working alternative for rootlesskit if we ever drop that option (it won't happen any time soon, anyway).
Needed to keep `docker run -p 127.0.0.1:8080:80` functional with passt >= 2024_10_30.ee7d0b6

Signed-off-by: Akihiro Suda <[email protected]>
Signed-off-by: Akihiro Suda <[email protected]>
It was established behaviour, and it's now the third report about it: users ask how to achieve the same functionality, and we don't have a better answer yet.

The idea behind declaring it deprecated to start with, I guess, was that we would eventually replace it by more flexible and generic configuration options, which is still planned.

But there's nothing preventing us to alias this in the future to a particular configuration. So, stop scaring users off, and un-deprecate this.

Link: https://archives.passt.top/passt-dev/20240925102009.62b9a0ce@elisabeth/
Link: rootless-containers/rootlesskit#482 (comment)
Link: moby/moby#48838
Link: containers/podman#25243
Signed-off-by: Stefano Brivio <[email protected]>
Reviewed-by: David Gibson <[email protected]>

passt (0.0~git20250320.32f6212-1) unstable; urgency=medium
.
* debian/rules: Install passt-repair profile using dh_apparmor
* control: Update standards version to 4.7.2
* New upstream version 0.0~git20250320.32f6212:
- Fix possible transfer loop in short TCP exchange,
https://bugs.passt.top/show_bug.cgi?id=114
- Several fixes for passt-repair and guest migration,
including https://bugs.passt.top/show_bug.cgi?id=115
- build and send ICMP and ICMPv6 messages to guest for a number
of error conditions
.
passt (0.0~git20250217.a1e48a0-1) unstable; urgency=medium
.
* New upstream version 0.0~git20250217.a1e48a0:
- AppArmor workaround to allow libvirt to use passt
- Option --host-ns-to-lo is not deprecated anymore:
rootless-containers/rootlesskit#482
- Added support for --hostname and --fqdn (DHCP/DHCPv6) options
- Fix wakeup loop in pasta's loopback path when receiver is full:
containers/podman#23686 (comment)
- Add migration support via vhost-user, TCP connections preserved
.
passt (0.0~git20250121.4f2c8e7-1) unstable; urgency=medium
.
* New upstream version 0.0~git20250121.4f2c8e7:
- Don't block UDP multicast and broadcast messages:
containers/podman#24871
- Disable Nagle's algorithm on all TCP paths
- Fix ASSERT() on vhost-user multi-buffer messages
- Fix EPOLLIN event storm with repeated EAGAIN from socket
- Add prototype for vhost-user-based migration
- Set PSH flag at end of TCP batches:
https://bugs.passt.top/show_bug.cgi?id=107
.
passt (0.0~git20241211.09478d5-1) unstable; urgency=medium
.
* New upstream version 0.0~git20241211.09478d5:
- Add vhost-user support in passt (--vhost-user)
- Add --no-splice switch to forcibly disable tap bypass path
- Fix assertion on ping with ID 0:
https://bugs.passt.top/show_bug.cgi?id=105
- Avoid dynamic memory allocation (and seccomp terminating us)
from strerror() in glibc > 2.40:
containers/podman#24804
.
passt (0.0~git20241127.c0fbc7e-1) unstable; urgency=medium
.
* New upstream version 0.0~git20241127.c0fbc7e:
- Introduce "local mode" for disconnected setups:
containers/podman#24614
- Add support for DHCP option 80 (Rapid Commit) and honour DHCP
"broadcast" flag
.
passt (0.0~git20241121.238c69f-1) unstable; urgency=medium
.
* New upstream version 0.0~git20241121.238c69f:
- Send periodic unsolicited router advertisements to avoid losing
SLAAC routes after ~18 hours:
kubevirt/kubevirt#13191
- Properly handle TCP keep-alive segments:
containers/podman#24572
.
passt (0.0~git20241030.ee7d0b6-1) unstable; urgency=medium
.
* New upstream version 0.0~git20241030.ee7d0b6:
- Fix occasional hang on TCP loopback path after the receiving
buffer fills up:
containers/podman#24219
- By default, don't expose loopback-only services in container:
containers/podman#24045
- Add --dns-host option to configure host side nameserver:
https://bugs.passt.top/show_bug.cgi?id=102
- Add --frebind option to enable IP_FREEBIND on sockets:
https://bugs.passt.top/show_bug.cgi?id=101
.
passt (0.0~git20240906.6b38f07-1) unstable; urgency=medium
.
* New upstream version 0.0~git20240906.6b38f07:
- Fix possible EPOLLRDHUP event storms with half-closed TCP
connections, leading to periods of high CPU load:
containers/podman#23686
https://bugs.passt.top/show_bug.cgi?id=94
- Fix possible EPOLLERR event storms with UDP flows:
https://bugs.passt.top/show_bug.cgi?id=95
.
passt (0.0~git20240821.1d6142f-1) unstable; urgency=medium
.
* New upstream version 0.0~git20240821.1d6142f:
- Allow currently needed set of system calls for i386 and armhf in
seccomp profiles (Closes: #1078981)
- Introduce --map-host-loopback and --map-guest-addr options to
reach the host using arbitrary addresses, using either loopback
or the guest/container address as source
.
passt (0.0~git20240814.61c0b0d-1) unstable; urgency=medium
.
* New upstream version 0.0~git20240814.61c0b0d:
- Avoid triggering an ASSERT() checking that the port isn't zero
when the container sends a TCP packet to port zero
.
passt (0.0~git20240806.ee36266-1) unstable; urgency=medium
.
* New upstream version 0.0~git20240806.ee36266:
- Fix possible TCP transfer hang on local pasta(1) connections:
containers/podman#23517
.
passt (0.0~git20240726.57a21d2-1) unstable; urgency=medium
.
* New upstream version 0.0~git20240726.57a21d2:
- Unified flow table for all flow types (TCP, UDP, ICMP), with the side
effect of fixing possible inconsistencies in UDP source port tracking
- Forwarding for DNS queries over TCP and DNS over TLS (dot) now supported
.
passt (0.0~git20240624.1ee2eca-1) unstable; urgency=medium
.
* New upstream version 0.0~git20240624.1ee2eca:
- Outbound connections now work when ip_non_local_bind sysctls are set:
containers/podman#23003
- Start even if we have multiple interfaces but no default routes:
https://bugzilla.redhat.com/show_bug.cgi?id=2277954
- Fix duplicating routes to containers with 'noprefixroute' addresses:
containers/podman#22824
- Don't fail to duplicate routes originated from OSPF daemons:
containers/podman#22960
- Always log to standard error during initialisation, and if in foreground
- Fix UDP port forwarding with different original and target ports:
https://bugs.passt.top/show_bug.cgi?id=80 was reintroduced and has been
fixed again
.
passt (0.0~git20240607.8a83b53-1) unstable; urgency=medium
.
* New upstream version 0.0~git20240607.8a83b53, most notable fix:
avoid triggering an assertion if container or guest try to access
an unreachable port using the address of the default gateway
(containers/podman#22925)
.
passt (0.0~git20240523.765eb0b-1) unstable; urgency=medium
.
* New upstream version 0.0~git20240523.765eb0b
.
passt (0.0~git20240426.d03c4e2-1) unstable; urgency=medium
.
* Actually install pasta's AppArmor profile from passt.install
* debian/control: Bump standards version from 4.6.2 to 4.7.0
* New upstream version 0.0~git20240426.d03c4e2
.
passt (0.0~git20240326.4988e2b-1) unstable; urgency=medium
.
* debian/rules: Include pkg-info.mk
* New upstream version 0.0~git20240326.4988e2b: never send TCP
segments with none of ACK, SYN or RST flags to avoid unexpected
connection resets (containers/podman#22146)
.
passt (0.0~git20240320.71dd405-1) unstable; urgency=medium
.
* New upstream version 0.0~git20240320.71dd405, most notable fix:
pasta(1) hang on start-up with Linux kernel versions 6.9 and later
* debian/rules: It's DEB_VERSION_UPSTREAM, not DEB_UPSTREAM_VERSION
.
passt (0.0~git20240220.1e6f92b-1) unstable; urgency=medium
.
* New upstream version 0.0~git20240220.1e6f92b:
- pasta(1) now quits as expected once the container goes away when
used as network back-end for buildah(1)
- fix possible mix-up of ports for UDP outbound flows originating
from -U outbound forwarding option
.
passt (0.0~git20240216.08344da-1) unstable; urgency=medium
.
* New upstream version 0.0~git20240216.08344da:
- default gateway can now be sourced from host multipath routes as
well
- on failure of the inotify watch used by pasta to exit when a
nsfs-bound namespace, fall back to a simple timed check
.
passt (0.0~git20231230.f091893-1) unstable; urgency=medium
.
* New upstream version 0.0~git20231230.f091893:
- increase lifetime for router and prefix validity in router
advertisements to maximum allowed values
- pick most specific IPv6 global unicast address (via netlink) for
guest configuration, if multiple addresses are available
.
passt (0.0~git20231204.b86afe3-1) unstable; urgency=medium
.
* New upstream version 0.0~git20231204.b86afe3
* Fixes build warnings on 32-bit architectures due to mismatching
format specifiers
.
passt (0.0~git20231107.74e6f48-1) unstable; urgency=medium
.
* New upstream version 0.0~git20231107.74e6f48
* Most notable fixed issue: DNS resolution stopped working after a
relatively long time, https://bugs.passt.top/show_bug.cgi?id=57
* debian/rules: 'host' is the machine we're building for, not 'build'
.
passt (0.0~git20231004.f851084-1) unstable; urgency=medium
.
* New upstream version 0.0~git20231004.f851084
* Most notable fix: workaround to trigger TCP window update in kernel
after it was reported empty, on socket side, very visible with
default values for rmem_max and wmem_max
(https://bugs.passt.top/show_bug.cgi?id=74)
.
passt (0.0~git20230908.05627dc-1) unstable; urgency=medium
.
* debian/rules: Pass DEB_BUILD_GNU_CPU to Makefile, not DEB_BUILD_ARCH
* debian/rules: Override pasta symbolic links with hard links
* debian/rules: Install new pasta profile using dh_apparmor
* New upstream version 0.0~git20230908.05627dc
.
passt (0.0~git20230823.a7e4bfb-1) unstable; urgency=medium
.
* New upstream version 0.0~git20230823.a7e4bfb
* Several fixes for pasta --config-net operation, most importantly:
don't copy lifetime information of addresses from host, avoid
unexpected expiration of IPv4 addresses
.
passt (0.0~git20230627.289301b-1) unstable; urgency=medium
.
* New upstream version 0.0~git20230627.289301b
* Update licensing information to new licensing terms from upstream
(GPLv2+ instead of AGPLv3+)
* Fix cross-build in Debian package itself by overriding TARGET via
dh_auto_install with target architecture