3. podman - networking

Last updated: 2024-05-05

CNI vs Netavark

Podman supports two network backends: Netavark and CNI.

CNI (https://www.cni.dev/)
Netavark (podman version >= 4)

podman network

Create a network

# The default driver (-d) is "bridge"; "macvlan" and "ipvlan" are also available

podman network create \
  --subnet 192.168.200.0/24 \
  --ip-range 192.168.200.64/28 \
  --gateway 192.168.200.254 MyNet
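As an added example (not from the original page), a small POSIX shell script that checks an address plan like the one above before calling podman network create: the --ip-range pool must lie inside --subnet, and the --gateway must sit in the subnet but outside the pool, so no container can ever be handed the gateway's address. The script name netplan.sh, the helper names and the PODMAN variable are assumptions; podman itself is only invoked by the final command, so the checks run anywhere.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check an IPv4 address
# plan before handing it to "podman network create". The checks are plain
# shell arithmetic, so no podman is needed to run them; the final call goes
# through $PODMAN, which can be pointed at "echo" for a dry run.
set -eu

PODMAN=${PODMAN:-podman}
ALL_ONES=4294967295   # 0xFFFFFFFF, kept decimal for portability

# ip4_to_int A.B.C.D -> 32-bit integer (192.168.200.64 -> 3232286784)
ip4_to_int() {
    case $1 in *[!0-9.]*|.*|*.|*..*|'') return 1;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range A.B.C.D/N -> "FIRST LAST" (network and broadcast, as integers)
cidr_range() {
    bits=${1#*/}
    case $bits in *[!0-9]*|'') return 1;; esac
    [ "$bits" -le 32 ] || return 1
    base=$(ip4_to_int "${1%/*}") || return 1
    mask=$(( bits == 0 ? 0 : (ALL_ONES << (32 - bits)) & ALL_ONES ))
    first=$(( base & mask ))
    echo "$first $(( first | (~mask & ALL_ONES) ))"
}

# cidr_contains OUTER INNER: succeeds if INNER lies entirely inside OUTER
cidr_contains() {
    o=$(cidr_range "$1") || return 1
    i=$(cidr_range "$2") || return 1
    [ "${i% *}" -ge "${o% *}" ] && [ "${i#* }" -le "${o#* }" ]
}

# ip_in_cidr IP CIDR: succeeds if IP lies inside CIDR
ip_in_cidr() {
    n=$(ip4_to_int "$1") || return 1
    r=$(cidr_range "$2") || return 1
    [ "$n" -ge "${r% *}" ] && [ "$n" -le "${r#* }" ]
}

# validate_plan SUBNET IP_RANGE GATEWAY
# The pool handed to containers must lie inside the subnet, and the gateway
# must be inside the subnet but outside the pool.
validate_plan() {
    cidr_contains "$1" "$2" || { echo "ip-range $2 is not inside $1" >&2; return 1; }
    ip_in_cidr "$3" "$1"    || { echo "gateway $3 is not inside $1" >&2; return 1; }
    if ip_in_cidr "$3" "$2"; then
        echo "gateway $3 collides with ip-range $2" >&2
        return 1
    fi
    return 0
}

# create_net NAME SUBNET IP_RANGE GATEWAY: validate, then create the network
create_net() {
    validate_plan "$2" "$3" "$4" || return 1
    "$PODMAN" network create --subnet "$2" --ip-range "$3" --gateway "$4" "$1"
}

# Usage: sh netplan.sh MyNet 192.168.200.0/24 192.168.200.64/28 192.168.200.254
if [ $# -eq 4 ]; then
    create_net "$@"
fi
```

Running it with PODMAN=echo prints the podman command instead of executing it, which is a convenient way to review a plan before it touches the host.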

List the networks

podman network ls

NETWORK ID    NAME        DRIVER
8b5962b697d7  MyNet       bridge
2f259bab93aa  podman      bridge

podman network inspect MyNet

...

Delete a network

podman network rm mybr0

Options for creating a network

--dns=ip

If not set, the host's name servers from /etc/resolv.conf are used.

Overridden by "podman run/create --dns".

--disable-dns

Disables the DNS plugin for this network; when enabled, the plugin performs
container-to-container name resolution.

--internal

Restrict external access of this network when using a bridge network.

The dnsname plugin will be automatically disabled.

When using the macvlan or ipvlan driver with this option, no default route is added to the container.
(Because these drivers bypass the host network stack, podman cannot impose any further restrictions.)

Network type: Macvlan

A macvlan network creates sub-interfaces on a host interface.

Each sub-interface has its own MAC and IP address.

The container therefore appears as if it were directly on the same network as the host.

e.g.

# --driver, -d

podman network create -d macvlan mybr0

# The network definition is written to /etc/cni/net.d/mybr0.conflist

# parent: The host device which should be used for the macvlan interface.
#             Defaults to the default route interface.

podman network create -d macvlan -o parent=br0 mybr0

cat /etc/cni/net.d/mybr0.conflist

{
   "cniVersion": "1.0.0",
   "name": "mybr0",
   "plugins": [
      {
         "type": "macvlan",
         "master": "br0",
         "ipam": {
            "type": "dhcp"
         }
      }
   ]
}

ipam (IP Address Management Driver)

--ipam-driver=driver

  • host-local: IP addresses are assigned locally
  • dhcp
  • none: No ip addresses are assigned to the interfaces

After a container has been created

# Add container to a network

# --ip ip

podman network connect [options] NETWORK CONTAINER

# Remove container from a network

# -f, --force   force removal of container from network

podman network disconnect [options] NETWORK CONTAINER

Network & Firewall

Network mode (podman run)

--network=mode, --net=mode

  • bridge
  • ID
  • host
  • private                  # bridge mode for rootful; slirp4netns for rootless
  • slirp4netns
  • container:id           # Reuse another container’s network stack.
  • none

mode: bridge[:OPTS,…]            # This is the default for rootful containers.

Create a network stack on the default bridge.

You can use the --network option multiple times to specify additional networks.

Opts

  • ip=IPv4               # Specify a static ipv4 address for this container
  • interface_name=NAME    # Specify a name for the created network interface inside the container
  • mac=MAC_ADDR

e.g.

--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99
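An added example (not from the original page) that validates the OPTS string of --network bridge:... before it is used; the script name bridgeopts.sh and helper names such as check_bridge_opts are assumptions. Besides the ip= and interface_name= syntax it inspects the first octet of a mac= value: the 44:33:22:11:00:99 above is well formed, but its locally-administered bit (0x02) is clear, so it is in the vendor-assigned form and the script warns that it could clash with a real NIC on the same segment.

```shell
#!/bin/sh
# Added example (not from the original page): validate the OPTS part of
# "--network bridge:ip=...,mac=...,interface_name=..." before podman sees it.
# Beyond syntax, it warns when a hand-picked MAC lacks the IEEE locally
# administered bit (0x02 in the first octet) and rejects multicast MACs.
set -eu

valid_ip4() {
    case $1 in *[!0-9.]*|.*|*.|*..*|'') return 1;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

valid_mac() {
    case $1 in *::*|:*|*:) return 1;; esac
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    [ $# -eq 6 ] || return 1
    for o; do case $o in [0-9a-fA-F][0-9a-fA-F]) ;; *) return 1;; esac; done
}

# mac_flags MAC -> "unicast|multicast local|global", from the first octet
mac_flags() {
    first=$(( 0x${1%%:*} ))
    if [ $(( first & 1 )) -eq 0 ]; then kind=unicast; else kind=multicast; fi
    if [ $(( first & 2 )) -ne 0 ]; then admin=local; else admin=global; fi
    echo "$kind $admin"
}

# check_bridge_opts "ip=...,mac=...,interface_name=..." -> 0 when usable
check_bridge_opts() {
    rc=0
    oldifs=$IFS; IFS=,; set -- $1; IFS=$oldifs
    for kv; do
        case $kv in *=*) ;; *) echo "expected key=value: $kv" >&2; rc=1; continue;; esac
        key=${kv%%=*}; val=${kv#*=}
        case $key in
            ip)
                valid_ip4 "$val" || { echo "bad ip: $val" >&2; rc=1; } ;;
            mac)
                if ! valid_mac "$val"; then
                    echo "bad mac: $val" >&2; rc=1
                else
                    case $(mac_flags "$val") in
                        multicast*) echo "mac $val is a multicast address" >&2; rc=1;;
                        "unicast global") echo "warning: mac $val is not locally administered; prefer 2, 6, A or E as the second hex digit" >&2;;
                    esac
                fi ;;
            interface_name)
                # Linux limits interface names to 15 bytes, no '/' or whitespace
                case $val in ''|*/*|*[[:space:]]*) echo "bad interface_name: $val" >&2; rc=1;; esac
                [ ${#val} -le 15 ] || { echo "interface_name too long: $val" >&2; rc=1; } ;;
            *)
                echo "unknown option: $key" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh bridgeopts.sh "ip=10.88.0.10,mac=02:42:ac:11:00:02"
if [ $# -eq 1 ]; then
    check_bridge_opts "$1" && echo "--network bridge:$1"
fi
```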

mode: <network name or ID>[:OPTIONS,…]

Connect to a user-defined network;

This is the network name or ID from a network created by "podman network create".

It takes the same OPTS as "mode: bridge".

mode: host

Uses the host network stack.

mode: private

Create a new namespace for the container.

This will use the bridge mode for rootful containers and slirp4netns for rootless ones.

rootful and rootless container networking

For rootless containers the default network mode is slirp4netns
(unprivileged users cannot create network interfaces on the host).

Unprivileged users must use host ports 1024 through 65535, since lower ports require root privileges.
=> "-p 8080:80"

Slirp4netns creates a TAP device in the container’s network namespace and connects to the usermode TCP/IP stack.

podman exec t1 ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 76:c3:4b:47:74:90 brd ff:ff:ff:ff:ff:ff

One of the drawbacks of slirp4netns is that the containers are completely isolated from each other.

expose and publish

expose

--expose=port

Expose a port, or a range of ports (e.g. --expose=3300-3310), to set up port redirection on the host system.

publish

--publish, -p=[[ip:][hostPort]:]containerPort[/protocol]

Publish a container’s port, or range of ports, to the host.

If host IP is set to 0.0.0.0 or not set at all, the port will be bound on all IPs on the host.

By default, Podman will publish TCP ports. To publish a UDP port instead, give udp as protocol.
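The -p syntax above and the rootless rule from the previous section (host ports below 1024 need root) as one added example, not from the original page: a POSIX shell parser for a single -p value that also rejects privileged host ports for a non-root user. The script name checkpub.sh and the helper names are assumptions. The threshold is read from the net.ipv4.ip_unprivileged_port_start sysctl rather than hard-coded, because that is the value the Linux kernel actually enforces; a host that lowers it can publish port 80 rootless.

```shell
#!/bin/sh
# Added example (not from the original page): parse one "-p" value written as
# [[ip:][hostPort]:]containerPort[/protocol] and refuse, for a rootless user,
# host ports below the kernel's unprivileged threshold. The UID and threshold
# are parameters so the check can be exercised without being root.
set -eu

# Lowest port an unprivileged process may bind. Linux publishes it as a
# sysctl (net.ipv4.ip_unprivileged_port_start); fall back to the classic 1024.
unpriv_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024
    fi
}

is_port() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_port_spec N or LO-HI
is_port_spec() {
    case $1 in
        *-*) is_port "${1%-*}" && is_port "${1#*-}" && [ "${1%-*}" -le "${1#*-}" ];;
        *)   is_port "$1";;
    esac
}

# parse_publish SPEC -> "HOSTIP HOSTPORT CONTAINERPORT PROTO"
# HOSTIP is 0.0.0.0 when omitted (podman binds every host address);
# HOSTPORT is "-" when omitted (podman picks a free one).
parse_publish() {
    spec=$1; proto=tcp
    case $spec in */*) proto=${spec##*/}; spec=${spec%/*};; esac
    case $proto in tcp|udp) ;; *) echo "unsupported protocol: $proto" >&2; return 1;; esac
    # Peel fields off from the right: containerPort, then hostPort, then ip,
    # so a bracketed IPv6 host address with its own colons stays intact.
    cport=${spec##*:}
    rest=${spec%"$cport"}; rest=${rest%:}
    hport=${rest##*:}
    hip=${rest%"$hport"}; hip=${hip%:}
    is_port_spec "$cport" || { echo "bad container port: $cport" >&2; return 1; }
    if [ -n "$hport" ]; then
        is_port_spec "$hport" || { echo "bad host port: $hport" >&2; return 1; }
    else
        hport=-
    fi
    echo "${hip:-0.0.0.0} $hport $cport $proto"
}

# check_publish SPEC [UID] [UNPRIV_START]
# Exit 1 on a malformed spec, 2 when a non-root user asks for a privileged
# host port, 0 otherwise (printing the parsed fields).
check_publish() {
    uid=${2:-$(id -u)}
    start=${3:-$(unpriv_port_start)}
    parsed=$(parse_publish "$1") || return 1
    hport=$(echo "$parsed" | cut -d' ' -f2)
    if [ "$hport" != - ] && [ "$uid" -ne 0 ] && [ "${hport%-*}" -lt "$start" ]; then
        echo "host port $hport needs root: unprivileged ports start at $start" >&2
        echo "(use a port >= $start, e.g. -p 8080:80, or lower the sysctl)" >&2
        return 2
    fi
    echo "$parsed"
}

# Usage: sh checkpub.sh 127.0.0.1:8080:80/tcp
if [ $# -ge 1 ]; then
    check_publish "$@"
fi
```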

Checking

netstat -ntlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
...
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      17053/conmon
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      17053/conmon

The listening sockets belong to conmon (/usr/bin/conmon), the container monitor process.

--expose vs --publish

1) If you specify neither EXPOSE nor -p, the service in the container is only accessible from inside the container itself.

2) If you EXPOSE a port, the service in the container is not accessible from outside Docker,
    but it is accessible from other Docker containers. So this is good for inter-container communication.

3) If you EXPOSE and -p a port, the service in the container is accessible from anywhere, even outside Docker. -p includes EXPOSE.

List port mappings

# port [container|-a]              List port mappings for a container

podman port nginx

80/tcp -> 0.0.0.0:80
443/tcp -> 0.0.0.0:443
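An added example (not part of the original page): audit podman port output and list the mappings bound on every host address, which is what 0.0.0.0 (or [::]) in the right-hand column means. The sample rows are constructed; the parser keys on the "PORT/PROTO -> HOST:PORT" tail shown above, and the leading name column is assumed to match the per-container label that podman port -a prints. The script name portaudit.sh is an assumption as well.

```shell
#!/bin/sh
# Added example (not from the original page): list published ports that are
# reachable from outside the host, i.e. bound to 0.0.0.0 or [::], from the
# output of "podman port". Input comes from stdin so it can be piped from
# "podman port -a"; the rows below are a constructed sample.
set -eu

# Constructed sample. The "PORT/PROTO -> HOST:PORT" tail is the format
# "podman port <container>" prints; the leading name column is assumed to
# be how "podman port -a" labels each container's rows.
SAMPLE='nginx  80/tcp -> 0.0.0.0:80
nginx  443/tcp -> 0.0.0.0:443
db     5432/tcp -> 127.0.0.1:5432
dns    53/udp -> [::]:5353'

# audit_ports < input
# Prints one line per mapping: "EXPOSED|LOCAL NAME CPORT/PROTO HOSTADDR HOSTPORT".
audit_ports() {
    while read -r line; do
        case $line in *"->"*) ;; *) continue;; esac
        host=${line##* }            # HOST:PORT, e.g. 0.0.0.0:80 or [::]:5353
        left=${line%"->"*}          # everything before the arrow
        set -- $left
        case $# in
            0) continue;;
            1) name=-;  mapping=$1;;
            *) name=$1; mapping=$2;;
        esac
        hostport=${host##*:}
        hostaddr=${host%:*}         # keeps a bracketed IPv6 address intact
        case $hostaddr in
            0.0.0.0|"[::]"|'') scope=EXPOSED;;   # wildcard bind: every host address
            *)                 scope=LOCAL;;     # bound to one address, e.g. 127.0.0.1
        esac
        echo "$scope $name $mapping $hostaddr $hostport"
    done
}

# list_exposed < input -> only the wildcard-bound mappings, without the tag
list_exposed() {
    audit_ports | while read -r scope rest; do
        case $scope in EXPOSED) echo "$rest";; esac
    done
}

# Usage: podman port -a | sh portaudit.sh -      (or: sh portaudit.sh --sample)
case ${1:-} in
    --sample) printf '%s\n' "$SAMPLE" | list_exposed;;
    -)        list_exposed;;
esac
```

Anything the audit reports as EXPOSED is reachable from every interface the host has; publishing with an explicit address such as -p 127.0.0.1:8080:80 keeps a service off the wire until a reverse proxy or firewall rule deliberately opens it.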

Firewall

After every "firewall-cmd --reload", one of the following commands must be run !!

podman network reload container-ID

podman network reload --all

podman-gvproxy

It is based on the network stack of gVisor.

Compared to libslirp, gvisor-tap-vsock
brings a configurable DNS server and dynamic port forwarding.

It is written in pure Go.

It runs on the host as a virtual gateway that the VM can use.
