From: Jason Conroy
Date: Wed, 25 Nov 2020 11:14:27 -0500
Subject: Re: Port forwarding for Guix containers
To: Zhu Zihao
Cc: help-guix@gnu.org
In-Reply-To: <86lfesjb6q.fsf@163.com>
References: <28690cfe.8dc4.175e13a4596.Coremail.all_but_last@163.com> <871rgnltiv.fsf@cbaines.net> <86r1omkbgk.fsf@gmail.com> <86lfesjb6q.fsf@163.com>

Hi Zihao,

It sounds like you're running Guix for your host OS and want to have Guix
containers inside of that? If that's so, then my existing config won't be
much use to you: right now I'm running my Guix containers (the `guix system
container` shell scripts) inside of Debian via systemd.

But in case it helps, I think this is how you could approximate what
"docker run --network --publish ..." does:

1) Create a persistent network namespace with `ip netns add`.

2) Use `ip link add` to create a pair of virtual ethernet interfaces (veth)
   - one for the host and one for the container.

3) Use `ip link set netns` so that one of the veth interfaces appears inside
   of the namespace, while its peer remains on the host side.

4) Assign each of the veth interfaces an address in the same subnet, but
   choose a subnet that's unused on your system. For example, 192.168.0.1
   and 192.168.0.2 within the subnet 192.168.0.0/24.

5) Bring up the interfaces with `ip link set up`. Do the same for the
   loopback interface (lo) inside the namespace.

6) Inside the namespace, set up a default route using the address of the
   veth interface on the host side.

7) Use iptables to configure source network address translation (SNAT) for
   the traffic originating from the namespace so that it can connect to
   external hosts (e.g. via eth0).

8) Enable IP forwarding: set /proc/sys/net/ipv4/ip_forward to 1, and add
   related rules to iptables' FORWARD chain (if your default iptables policy
   is to DROP packets).

9) Finally, use iptables again to enable port forwarding (DNAT) from
   external hosts to your container.

Here, "do X inside of a namespace" usually means `ip netns exec`. When the
command is /bin/bash you can explore the namespace's environment
interactively. The namespace persists until you call `ip netns del`.

With the exception of #9, there are examples of each task in the script I
mentioned up-thread:
https://gist.github.com/dpino/6c0dca1742093346461e11aa8f608a99#file-ns-inet-sh

For my purposes, dynamic configuration of namespaces, interfaces, routes,
etc. (like Docker does) seems unnecessarily complicated and fragile, so
I've taken the approach of setting up my namespaces once at boot, and then
the container startup script is as simple as `ip netns exec`. Even when the
Guix container itself shuts down and restarts, the namespace settings above
are unchanged.

How would these network settings be implemented using Guix services? I
don't have experience in this area, so the following is just a guess:
iptables-service seems suitable for tasks #7 - #9, and there's
static-networking-service for assigning addresses in task #4 (but I think
it will only know about the veth interface outside the namespace, not the
one inside). For the rest, I think you'd need to define some new service to
set up the namespace and virtual interfaces, and ensure that this service
runs before static-networking-service.

Hope that helps,
Jason

On Mon, Nov 23, 2020 at 11:22 AM Zhu Zihao wrote:
>
> That's what I want to say, thank you!
>
> I want to combine different software in containers in a docker-compose-like
> way. It's more similar with a system container than a `guix environment`
> container.
>
> I'm not a Docker hater, but docker will corrupt your iptables entry and
> make the system impure. If you wanna use iptables-service-type and
> docker-service-type together, when you run `herd restart iptables`, all
> docker-specific rules will be erased.
>
> > Supposing that we've developed some system container that starts a
> > service on port N. If we want to run another instance of the same
> > container, we first need to override the port number for the service in
> > our operating-system, otherwise the service in the second container will
> > fail to bind to port N in the shared network namespace. With a couple of
> > one-service containers this may not be so hard, but system containers in
> > general could have lots of services, and the authors of individual
> > containers may not want to worry about choosing port numbers that are
> > mutually disjoint from those in all other containers (and those used by
> > the container host itself).
>
> --
> Retrieve my PGP public key: https://meta.sr.ht/~citreu.pgp
>
> Zihao
>
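The nine steps in Jason's message, written out as one shell script. This is an added example, not code from the thread, from the gist linked above, or from Guix. The namespace name `guix-web`, the interface names `veth-web0`/`veth-web1`, the `eth0` uplink and the 8080 -> 80 port mapping are assumptions chosen for illustration; the 192.168.0.0/24 addresses are the ones step 4 uses. It needs root, iproute2 and iptables on Linux; with the default `DRY_RUN=1` it only prints the commands it would run, so the full sequence can be reviewed before `DRY_RUN=0 ./ns.sh up` applies it.

```shell
#!/bin/sh
# Added example, not code from this thread or from Guix: a persistent network
# namespace with a veth pair, SNAT for outbound traffic and one published port
# (DNAT), following steps 1-9 of the message above. Requires root, iproute2
# and iptables on Linux. DRY_RUN=1 (the default) only prints the commands.
# Every name, address and port below is an assumption chosen for illustration.

: "${DRY_RUN:=1}"
NS=${NS:-guix-web}              # namespace name
HOST_IF=${HOST_IF:-veth-web0}   # veth end that stays on the host
NS_IF=${NS_IF:-veth-web1}       # veth end moved into the namespace
HOST_IP=${HOST_IP:-192.168.0.1} # host-side address, also the namespace's gateway
NS_IP=${NS_IP:-192.168.0.2}     # address inside the namespace
PREFIX=${PREFIX:-24}            # 192.168.0.0/24 must be unused on the host
EXT_IF=${EXT_IF:-eth0}          # interface that reaches the outside world
HOST_PORT=${HOST_PORT:-8080}    # port published on the host
NS_PORT=${NS_PORT:-80}          # port the service listens on inside the namespace

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# iptables rules for steps 7-9; $1 is -A (add) or -D (delete) so the same
# list serves setup and teardown.
ns_rules() {
    act=$1
    # 7) SNAT: MASQUERADE rewrites the source to whatever address EXT_IF has
    run iptables -t nat "$act" POSTROUTING -s "$NS_IP/32" -o "$EXT_IF" -j MASQUERADE
    # 8) FORWARD rules, needed when the chain's default policy is DROP:
    #    new connections out of the namespace, replies back in
    run iptables "$act" FORWARD -i "$HOST_IF" -o "$EXT_IF" -j ACCEPT
    run iptables "$act" FORWARD -i "$EXT_IF" -o "$HOST_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # 9) DNAT: traffic arriving on EXT_IF for HOST_PORT is rewritten to the
    #    namespace; the rewritten (new) connection must also pass FORWARD
    run iptables -t nat "$act" PREROUTING -i "$EXT_IF" -p tcp --dport "$HOST_PORT" \
        -j DNAT --to-destination "$NS_IP:$NS_PORT"
    run iptables "$act" FORWARD -i "$EXT_IF" -o "$HOST_IF" -p tcp -d "$NS_IP" \
        --dport "$NS_PORT" -j ACCEPT
}

ns_up() {
    # 1) persistent namespace
    run ip netns add "$NS"
    # 2) veth pair
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    # 3) move one end into the namespace; its peer stays on the host
    run ip link set "$NS_IF" netns "$NS"
    # 4) one address per end, same subnet
    run ip addr add "$HOST_IP/$PREFIX" dev "$HOST_IF"
    run ip netns exec "$NS" ip addr add "$NS_IP/$PREFIX" dev "$NS_IF"
    # 5) bring up both ends and the namespace's loopback
    run ip link set "$HOST_IF" up
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip link set lo up
    # 6) default route inside the namespace via the host end
    run ip netns exec "$NS" ip route add default via "$HOST_IP"
    # 7-9) forwarding sysctl plus the iptables rules
    run sysctl -w net.ipv4.ip_forward=1
    ns_rules -A
}

# Deleting the namespace removes the veth pair with it (both ends), but the
# iptables rules live in the host's tables and must be removed explicitly.
ns_down() {
    ns_rules -D
    run ip netns del "$NS"
}

case "${1:-}" in
    up)   ns_up ;;
    down) ns_down ;;
    '')   : ;;   # no argument: only define the functions (e.g. when sourced)
    *)    echo "usage: DRY_RUN=0 $0 up|down" >&2; exit 2 ;;
esac
```

Two caveats worth knowing before relying on this. The DNAT rule sits in the nat PREROUTING chain, so it only matches packets that arrive on `EXT_IF`; a connection from the host itself to `HOST_PORT` never traverses PREROUTING and would need a matching rule in the nat OUTPUT chain. And because the rules are appended with `-A`, they land after whatever is already in those chains (Docker's own rules, for instance), so check `iptables -t nat -L -n --line-numbers` if the published port does not behave as expected.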