sbrivio-rh changed the title from "Pasta" to "Add pasta networking mode"
openshift-ci bot added the approved label
Conceptually equivalent to networking by means of slirp4netns(1), with a few practical differences:
- pasta(1) forks to background once networking is configured in the namespace and quits on its own once the namespace is deleted: file descriptor synchronisation and PID tracking are not needed
- port forwarding is configured via command line options at start-up, instead of an API socket: this is taken care of right away as we're about to start pasta
- there's no need for further selection of port forwarding modes: pasta behaves similarly to containers-rootlessport for local binds (splice() instead of read()/write() pairs, without L2-L4 translation), and keeps the original source address for non-local connections like slirp4netns does
- IPv6 is not an experimental feature, and enabled by default. IPv6 port forwarding is supported
- by default, addresses and routes are copied from the host, that is, container users will see the same IP address and routes as if they were in the init namespace context. The interface name is also sourced from the host upstream interface with the first default route in the routing table. This is also configurable as documented
- sandboxing and seccomp(2) policies cannot be disabled
- only rootless mode is supported.

See https://passt.top for more details about pasta.

Also add a link to the maintained build of pasta(1) manual as valid in the man page cross-reference checks: that's where the man page for the latest build actually is -- it's not on GitHub and it doesn't match any existing pattern, so add it explicitly.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Currently, wait_for_port() duplicates the check logic implemented by port_is_free(). Add an optional argument to port_is_free(), representing the bound address to check, and call it, dropping the direct check in wait_for_port(). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
…d protocol

Using bash /dev/tcp/ pseudo-device files to probe for bound ports has indeed the advantage of simplicity, but comes with a few drawbacks:
- it will actually send data to unsuspecting services that might be running in the same network namespace as the tests, possibly causing unwanted interactions
- it doesn't allow for UDP probing
- it makes it impossible to clearly distinguish between different address bindings

Replace that approach with a new helper, port_is_bound(), that uses procfs entries at /proc/net to detect bound ports, without the need for active probing. We can now implement optional parameters in callers, to check if a port is free for binding to a given address, including any IPv4 (0.0.0.0) or any IPv6 (::0) address, and for a given protocol, TCP or UDP. Extend random_free_port() and random_free_port_range() to support that.

The implementation of one function in the file test/system/helpers.bash, namely ipv6_to_procfs(), and the implementation of the corresponding own test, delimited by the markers "# BEGIN ipv6_to_procfs" and "# END ipv6_to_procfs" in the file test/system/helpers.c was provided, on the public forum at: #16141 by Ed Santiago <santiago@redhat.com>, who expressly invited me to include them in this code submission.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
The main helpers.bash file is rather bloated and it's difficult to find stuff there. Move networking functions to their own helper file. While at it, apply a consistent style, and rearrange logically related functions into sections. Suggested-by: Ed Santiago <santiago@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
These tests should cover all the basic networking functionality with pasta(1). Namely, they check:
- IPv4 and IPv6 addressing and routing settings
- TCP and UDP port forwarding over IPv4 and IPv6
- data transfers and ICMP/ICMPv6 echo requests
- the (exceedingly simple) lifecycle handling

These tests need some new helpers, to obtain IPv4 and IPv6 addresses and routes, as well as MTU and interface names. Those use jq(1) for parsing.

Some availability checks are implemented as well, to skip tests if pasta(1) is not available, or if IPv4 and IPv6 are not usable.

To get consistent outcomes across distributions, and to enable uncomplicated termination for UDP tests based on zero-sized packets, use socat(1), which, unlike netcat, doesn't suffer from option inconsistencies depending on flavours (traditional, BSD, NMAP) and versions.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
…than binds _test_skopeo_credential_sharing() used port_is_free() to check if a port has no active listeners. With the new implementation, this is not equivalent anymore: a port might be in TIME_WAIT, so it's not free, but the listener might be long gone. Add tcp_port_probe() to check if there's an active listener on a given port, and use it in _test_skopeo_credential_sharing(). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
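The /proc/net lookup described in the port_is_bound() commit above, together with the TIME_WAIT versus active-listener distinction from the tcp_port_probe() commit, as an added example that is not the PR's own code. It assumes the proc(5) table layout on a little-endian host, reads the tables from a directory named by a hypothetical PROC_NET variable so that a constructed copy can replace the real one, and adds an optional socket-state filter that the page's helpers do not have.

```bash
#!/usr/bin/env bash
# Added example (not the PR's code): detect bound ports by parsing the
# /proc/net/{tcp,tcp6,udp,udp6} tables instead of probing via /dev/tcp.
# Layout assumed as in proc(5) on a little-endian host: column 2 is
# "HEXADDR:HEXPORT" (each 32-bit address word in host byte order), column 4
# is the socket state (0A = LISTEN, 06 = TIME_WAIT).
ipv4_to_procfs() {                       # 127.0.0.1 -> 0100007F
    local -a o
    IFS=. read -ra o <<< "$1"
    printf '%02X%02X%02X%02X' "${o[3]}" "${o[2]}" "${o[1]}" "${o[0]}"
}
ipv6_to_procfs() {                       # ::1 -> 00000000000000000000000001000000
    local -a g l=() r=()
    local left=${1%%::*} right=${1#*::} i w
    [[ $1 != *::* ]] && { left=$1; right=; }          # no "::" shorthand used
    [[ -n $left ]]  && IFS=: read -ra l <<< "$left"
    [[ -n $right ]] && IFS=: read -ra r <<< "$right"
    g=("${l[@]}")
    for ((i = ${#l[@]} + ${#r[@]}; i < 8; i++)); do g+=(0); done
    g+=("${r[@]}")
    for ((i = 0; i < 8; i += 2)); do                  # byte-swap each 32-bit word
        w=$(printf '%04X%04X' "0x${g[i]}" "0x${g[i+1]}")
        printf '%s' "${w:6:2}${w:4:2}${w:2:2}${w:0:2}"
    done
}
# port_is_bound PORT [ADDRESS] [tcp|udp] [STATE]: any socket on PORT counts
# (TIME_WAIT included), so "not free" is not "listening"; STATE=0A asks for an
# active TCP listener only. Tables are read from $PROC_NET (default /proc/net).
port_is_bound() {
    local port=$1 addr=${2:-0.0.0.0} proto=${3:-tcp} st=${4:-} a any table
    if [[ $addr == *:* ]]; then
        a=$(ipv6_to_procfs "$addr"); any=$(ipv6_to_procfs ::); table=${proto}6
    else
        a=$(ipv4_to_procfs "$addr"); any=$(ipv4_to_procfs 0.0.0.0); table=$proto
    fi
    # the any-address clashes with every binding of that port and family;
    # a specific address clashes with itself or with the any-address
    awk -v p="$(printf '%04X' "$port")" -v a="$a" -v any="$any" -v st="$st" '
        NR > 1 { split($2, la, ":")
                 if (la[2] == p && (st == "" || $4 == st) &&
                     (a == any || la[1] == a || la[1] == any)) found = 1 }
        END { exit found ? 0 : 1 }' "${PROC_NET:-/proc/net}/$table"
}
# Constructed tables for an offline run: TCP 631 LISTEN on 127.0.0.1,
# TCP 8080 TIME_WAIT on 0.0.0.0, UDP 5353 bound on [::], nothing else
write_sample_proc_net() {
    local z; z=$(ipv6_to_procfs ::); mkdir -p "$1"
    printf '%s\n' 'sl local_address rem_address st' '0: 0100007F:0277 00000000:0000 0A' \
        '1: 00000000:1F90 0100007F:D431 06' > "$1/tcp"
    printf '%s\n' 'sl local_address rem_address st' "0: $z:14E9 $z:0000 07" > "$1/udp6"
    printf 'sl local_address rem_address st\n' > "$1/tcp6"; cp "$1/tcp6" "$1/udp"
}
```

Run `d=$(mktemp -d); write_sample_proc_net "$d"; PROC_NET=$d port_is_bound 8080 127.0.0.1 tcp` to see a TIME_WAIT port reported as bound, then add `0A` as the fourth argument to see it reported as free of listeners.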
kdrag0n pushed a commit to kdrag0n/passt-virtcontainer that referenced this pull request
The out-of-tree Podman patch needs to be rebased every second week or so, and I'm currently trying to get that upstream: containers/podman#16141 Disable demo generation for the moment, so that I avoid wasting time with those rebases. We'll re-enable it later. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
kdrag0n pushed a commit to kdrag0n/passt-virtcontainer that referenced this pull request
In pasta mode, ICMP and ICMPv6 echo sockets relay back to us any reply we send: we're on the same host as the target, after all. We discard them by comparing the last sequence we sent with the sequence we receive. However, on the first reply for a given identifier, the sequence might be zero, depending on the implementation of ping(8): we need another value to indicate we haven't sent any sequence number, yet. Use -1 as initialiser in the echo identifier map.

This is visible with Busybox's ping, and was reported by Paul on the integration at containers/podman#16141, with:

$ podman run --net=pasta alpine ping -c 2 192.168.188.1

...where only the second reply would be routed back.

Reported-by: Paul Holzinger <pholzing@redhat.com>
Fixes: 33482d5 ("passt: Add PASTA mode, major rework")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
AkihiroSuda pushed a commit to AkihiroSuda/passt-mirror that referenced this pull request
See containers/podman#16141, shipped in Podman 4.4. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au>