
How to set up internal and external networking for rootless containers with podman

I am trying to get networking working with rootless containers using podman. Getting either external or internal networking up and running is not the issue. Using the --network option, containers are able to see each other. However, ping 8.8.8.8 does not work. Starting containers without --network or with --network=slirp4netns, ping 8.8.8.8 does work as expected. Of course, in the latter case there is no internal networking. What I think this tells me is that the host is not blocking external access from within containers. The issue that I am facing is that I seem to be unable to get both internal and external networking working within containers at the same time.

> podman network ls 
NETWORK ID    NAME           VERSION     PLUGINS
2f259bab93aa  podman         0.4.0       bridge,portmap,firewall,tuning
6129a34887d3  container-net  0.4.0       bridge,portmap,firewall,tuning,dnsname

I am starting containers like so:

podman pod create \
  --network container-net \
  --network-alias test-pod \
  --hostname test-01 \
  --name test-pod

Contents of start-test.sh:

podman run --rm -it \
  --pod test-pod \
  --network=container-net \
  --dns-search dns.podman \
  --name test-01 \
  --network-alias test-01 \
  docker.io/alpine /bin/sh

> ./start-test.sh 
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

> podman --version
podman version 3.3.1

I have checked that selinux is not the cause by testing with setenforce 0 as well.

Is it possible to get both internal and external networking working within containers, and if so, what does one need to do?

I just tried this on RHEL 8 and I was able to reproduce this issue. We also figured out the issue (I think). Try the following:

sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"

You might be limited by the group range and /etc/subuid and /etc/subgid:

https://man7.org/linux/man-pages/man7/icmp.7.html

I'm not sure what the long-term solution is yet, but if this works, you can likely fix it with sysctl for now.
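As an added example, not code from the answer above or from podman itself, the following POSIX shell script makes the check that answer describes explicit: it compares the host GIDs a rootless user's containers actually run with against net.ipv4.ping_group_range. Per icmp(7), only processes whose group falls inside that range may open unprivileged ICMP echo (SOCK_DGRAM) sockets, and the kernel default "1 0" admits no group at all. In a rootless podman container, gid 0 maps to the user's primary gid and the remaining container gids map onto the user's /etc/subgid block, so both have to be inside the range. The user names, primary gids and subgid lines below are constructed for the example; on a real host read /etc/subgid, `id -g USER` and `sysctl -n net.ipv4.ping_group_range` instead.

```shell
#!/bin/sh
# Added example (not from the original post or from podman): check whether a
# rootless user's container gids fall inside net.ipv4.ping_group_range.
# Sample users, gids and /etc/subgid lines are constructed for this demo.

# gid_in_range GID LO HI: succeed if LO <= GID <= HI.
gid_in_range() {
    [ "$2" -le "$1" ] && [ "$1" -le "$3" ]
}

# subgid_block_in_range START COUNT LO HI: succeed if every gid in
# [START, START+COUNT) lies inside LO..HI (the range is contiguous, so
# checking both ends is enough).
subgid_block_in_range() {
    gid_in_range "$1" "$3" "$4" && gid_in_range "$(( $1 + $2 - 1 ))" "$3" "$4"
}

# subgid_for_user USER FILE: print "start count" from the first matching
# "user:start:count" line of an /etc/subgid-style file (nothing if absent).
subgid_for_user() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }' "$2"
}

# check_user USER PRIMARY_GID SUBGID_FILE "LO HI"
# Returns 0 if the primary gid and the whole subgid block are inside the
# range, 1 if some container gid is excluded, 2 if USER has no subgid entry.
check_user() {
    user=$1; pgid=$2; file=$3; range=$4
    set -- $(subgid_for_user "$user" "$file")
    if [ -z "$1" ]; then
        echo "$user: no entry in $file (rootless podman needs one)"
        return 2
    fi
    start=$1; count=$2
    set -- $range
    lo=$1; hi=$2
    status=0
    gid_in_range "$pgid" "$lo" "$hi" || status=1
    subgid_block_in_range "$start" "$count" "$lo" "$hi" || status=1
    if [ "$status" -eq 0 ]; then
        echo "$user: gid $pgid and subgids $start..$((start + count - 1)) are inside ping_group_range '$lo $hi'"
    else
        echo "$user: gid $pgid or subgids $start..$((start + count - 1)) fall outside ping_group_range '$lo $hi'"
    fi
    return "$status"
}

# Demo on constructed data; each call's exit status is the verdict.
demo_file=$(mktemp)
printf 'alice:100000:65536\nbob:165536:65536\n' > "$demo_file"
check_user alice 1000 "$demo_file" "1 0" || true           # kernel default: nobody may ping
check_user alice 1000 "$demo_file" "0 2147483647" || true  # after the sysctl from the answer
check_user bob   1001 "$demo_file" "0 200000" || true      # subgid block only partly covered
check_user carol 1002 "$demo_file" "0 2147483647" || true  # no subgid entry at all
rm -f "$demo_file"
```

The check only matters when the ping inside the container ends up on an unprivileged ICMP datagram socket; a ping that succeeds in opening a raw socket (CAP_NET_RAW inside the user namespace) does not consult this sysctl, which is one reason the symptom can vary between images and network backends.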

The issue I was having was not related to any configuration. As it turned out, after removing all podman-created networks, rebooting the machine and recreating the networks I needed, the containers behave as expected, i.e. internal and external networking are both working.
