
Fix local container sidecar routing#6791

Open
iGmainC wants to merge 1 commit into cloudflare:main from iGmainC:codex/fix-container-sidecar-local-routing

Conversation

@iGmainC iGmainC commented Jun 1, 2026

What this fixes

Fixes #6790.

Local container startup could time out when the container egress sidecar was enabled. The failure showed up as repeated readiness-check aborts and, in some cases, a kj/timer.c++:30 timeout before the application container appeared usable from the Worker.

Root cause

In local Docker mode, workerd previously used the sidecar's host-published ingress port for several local control and data paths:

  • reading the sidecar CA certificate from /ca
  • updating the sidecar /egress configuration
  • connecting to application container ports through DockerPort::connect()

That host-to-published-port route is not reliable with proxy-everything's transparent proxying rules. Host-originated traffic to the published sidecar ingress port can be intercepted by the sidecar's TPROXY setup and hang instead of reaching the intended sidecar control endpoint or application port.

The application container and the Sandbox server can be healthy, but workerd's local readiness path still times out because it is probing through the affected host-published sidecar route.

Solution

This changes the local Docker implementation to avoid host-originated requests to the sidecar's published ingress port:

  • read the sidecar CA certificate with Docker's archive API from /ca/ca.crt
  • update /egress by running a small Docker exec inside the sidecar and sending the request to 127.0.0.1:39001 from inside that container
  • bridge application port connections by running nc 127.0.0.1:<port> inside the sidecar network namespace, where 127.0.0.1:<port> reaches the application container because it shares the sidecar network namespace

Docker exec attach streams are multiplexed when TTY is disabled, so the port bridge now wraps the stream and exposes stdout frames as the raw TCP byte stream.

Tests

  • bazel test //src/workerd/server:container-client-test@
  • bazel build //src/workerd/server:workerd
  • Verified the minimal Sandbox terminal reproduction with the rebuilt workerd binary. The WebSocket terminal opens and returns command output from /workspace.

@iGmainC iGmainC requested review from a team as code owners June 1, 2026 08:40
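The description above says the port bridge has to unwrap Docker's multiplexed exec attach stream before it can hand the Worker a raw TCP byte stream. The following is an added illustration of that unwrapping, written for this page and not code from the workerd PR itself. It implements the framing Docker documents for attach/exec streams with TTY disabled: an 8-byte header of `[stream type, 0, 0, 0, big-endian uint32 length]` followed by the payload, where type 1 is stdout and type 2 is stderr (Docker documents type 0, stdin, as also written on stdout). The class name, method names and the `dockerFrame` helper are this example's own; the sample frames are constructed inline rather than captured from a real `docker exec`. The point a bridge implementer needs is that frames arrive split across socket reads, so the demuxer must buffer partial headers and payloads instead of assuming one read equals one frame.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Demultiplexer for Docker's attach/exec stream framing (TTY disabled).
// Frame layout: [type][0][0][0][len: big-endian u32][len bytes of payload].
// Only complete frames are consumed; a trailing partial frame stays buffered
// until the next feed() call supplies the rest of it.
class DockerStreamDemuxer {
public:
  // Feed bytes exactly as they arrive from the attach socket. Returns the
  // stdout payload of every frame completed by this call; stderr payload is
  // kept aside so it never leaks into the bridged TCP byte stream.
  std::string feed(const std::string& chunk) {
    buf_.append(chunk);
    std::string out;
    size_t pos = 0;
    while (buf_.size() - pos >= kHeaderLen) {
      const auto* h = reinterpret_cast<const unsigned char*>(buf_.data() + pos);
      const uint8_t type = h[0];
      if (h[1] != 0 || h[2] != 0 || h[3] != 0) {
        throw std::runtime_error("malformed docker stream header");
      }
      const uint32_t len = (uint32_t(h[4]) << 24) | (uint32_t(h[5]) << 16) |
                           (uint32_t(h[6]) << 8) | uint32_t(h[7]);
      // Sanity cap so a corrupt length cannot make us buffer without bound.
      if (len > kMaxFrame) throw std::runtime_error("docker frame too large");
      if (buf_.size() - pos - kHeaderLen < len) break;  // payload incomplete
      const char* payload = buf_.data() + pos + kHeaderLen;
      switch (type) {
        case 0:  // stdin echo; Docker documents it as written on stdout
        case 1: out.append(payload, len); break;
        case 2: stderr_.append(payload, len); break;
        default: throw std::runtime_error("unexpected docker stream type");
      }
      pos += kHeaderLen + len;
    }
    buf_.erase(0, pos);  // keep only the unconsumed partial frame
    return out;
  }
  const std::string& stderrOutput() const { return stderr_; }
  size_t pendingBytes() const { return buf_.size(); }

private:
  static constexpr size_t kHeaderLen = 8;
  static constexpr uint32_t kMaxFrame = 1u << 24;
  std::string buf_;
  std::string stderr_;
};

// Builds one frame. Used here only to construct sample input; in a real
// bridge the frames come from dockerd over the exec attach socket.
std::string dockerFrame(uint8_t type, const std::string& payload) {
  const uint32_t n = static_cast<uint32_t>(payload.size());
  std::string f;
  f.push_back(static_cast<char>(type));
  f.append(3, '\0');
  f.push_back(static_cast<char>((n >> 24) & 0xff));
  f.push_back(static_cast<char>((n >> 16) & 0xff));
  f.push_back(static_cast<char>((n >> 8) & 0xff));
  f.push_back(static_cast<char>(n & 0xff));
  f += payload;
  return f;
}

// Constructed scenario: two stdout frames with a stderr frame between them,
// delivered in four reads that cut through a header and through a payload.
// Returns the reassembled stdout byte stream the bridge would forward.
std::string demo() {
  const std::string wire = dockerFrame(1, "hello ") + dockerFrame(2, "warn") +
                           dockerFrame(1, "world");
  DockerStreamDemuxer d;
  std::string out;
  out += d.feed(wire.substr(0, 3));    // mid-header: nothing emitted yet
  out += d.feed(wire.substr(3, 11));   // completes frame 1
  out += d.feed(wire.substr(14, 16));  // frame 2 (stderr) + part of frame 3
  out += d.feed(wire.substr(30));      // rest of frame 3
  return out;
}

int main() {
  std::cout << demo() << "\n";
  return 0;
}
```

A bridge built this way forwards only stdout frames as application bytes and should surface stderr (for example `nc` failing to connect) as a connection error rather than as data, which is why the demuxer keeps the two streams apart.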
github-actions Bot commented Jun 1, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.


iGmainC commented Jun 1, 2026

I have read the CLA Document and I hereby sign the CLA

github-actions Bot added a commit that referenced this pull request Jun 1, 2026
Successfully merging this pull request may close these issues.

Local Container readiness times out before app container starts when using Sandbox terminal