Skip to content

Subscribe to container engine API for published ports #4021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Subscribe to container engine API for published ports #4021

wants to merge 1 commit into from
+1,501 −60

Conversation

Nino-K
Copy link
Contributor

@Nino-K Nino-K commented Sep 10, 2025

This PR aims to capture the published ports within the VM for various container engines. It directly subscribes to the corresponding container engine APIs (Docker, containerd and Kubernetes) to detect published ports immediately as a container is created.

I'm also planning to move the iptables and procnet settings under the portMonitor property; however, that will be addressed in a follow-up PR.

@AkihiroSuda
Copy link
Member

Seems overengineering.
What is the problem with the existing event watcher?

AkihiroSuda
AkihiroSuda reviewed Sep 11, 2025
View reviewed changes
go.mod Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Too many new dependencies

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, there are many indirect dependencies being used for just a few direct ones. However, I went ahead and compared the guest agent sizes from the master build and my PR, and I’m happy to share the results below:

total 231384
-rw-r--r--  1 ninok  wheel    55M Sep 11 10:27 guestagent_master
-rw-r--r--  1 ninok  wheel    58M Sep 11 10:26 guestagent_pr

AkihiroSuda
AkihiroSuda reviewed Sep 11, 2025
View reviewed changes
pkg/guestagent/events/containerd_linux.go
return ipPorts, nil
}
// If the label is not present, we check the network config in the following path:
// <DATAROOT>/<ADDRHASH>/containers/<NAMESPACE>/<CID>/network-config.json
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file isn't expected to be parsed externally

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the issue is that since containerd/nerdctl#4290 the information is no longer available via labels. How are you expected to get the port mapping information?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The expectation is not to depend on container engine implementations; audit events or eBPF should work (see my comments below)

@jandubois
Copy link
Member

Seems overengineering. What is the problem with the existing event watcher?

There are no event watchers for docker or containerd; we rely on polling /proc/net/tcp every couple of seconds (3?), so there is always a delay between the container opening a port and it being forwarded to the host.

See e.g. abiosoft/colima#71

This PR is basically a port of the event watchers from Rancher Desktop on Windows, which does not suffer from this issue.

@AkihiroSuda
Copy link
Member

we rely on polling /proc/net/tcp every couple of seconds (3?), so there is always a delay between the container opening a port and it being forwarded to the host.

We also monitor audit events:

lima/pkg/guestagent/guestagent_linux.go

Line 33 in 69538a7

auditClient, err := libaudit.NewMulticastAuditClient(nil)

Maybe the audit monitor has a bug ?

@AkihiroSuda
Copy link
Member

There is also a proposal to use eBPF to monitor ports

cc @balajiv113

@Nino-K
Copy link
Contributor Author

Nino-K commented Sep 11, 2025

Seems overengineering. What is the problem with the existing event watcher?

In addition to what @jandubois also pointed out, the current implementation
of the port collection mechanism uses a 3-second polling ticker, although this is configurable. However, this PR subscribes directly to the APIs, allowing port exposure events to be handled more immediately.

@jandubois
Copy link
Member

This PR is in response to #2536

I thought I read a note from @balajiv113 that the audit approach didn't work out because most cloud images did not have the required kernel modules for it installed, but can't find the reference right now.

And #3067 also sounds like it doesn't work anymore for Kubernetes.

@jandubois
Copy link
Member

#1855 may explain why audit monitoring doesn't seem to work.

@Nino-K
Subscribe to container engine API for published ports
2a0d45d 
Monitor container creation and deletion events by subscribing to the container engine's API.
Upon receiving a container creation or deletion event, the system immediately forwards the
port mappings through the aggregated channel. This ensures that the ports are opened on the
host without any latency.

Signed-off-by: Nino Kodabande <[email protected]>
@jandubois jandubois mentioned this pull request Sep 16, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jandubois jandubois jandubois left review comments

@AkihiroSuda AkihiroSuda AkihiroSuda left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
status/more-info-needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Nino-K @AkihiroSuda @jandubois