Podman no network connectivity between host machine and container on bridge network

Question

I want to be able to ping my podman containers from the RHEL 8 host machine that's running them.

I created a podman bridged network with the 'podman network create' command.
The bridged network is 10.1.2.0/24 with a gateway of 10.1.2.1 and two container hosts on the network: 10.1.2.5 and 10.1.2.6.

From within either container, I am able to ping the other container as well as access the internet through the bridge. However, I cannot ping either container from the host machine. I tried creating a virtual bridge interface on the host machine and assigning the IP address of the bridged network's gateway to the virtual interface, but this also didn't work. I am at a loss and can't find the answer. Thank you.

Answer 1

Score: 0

You cannot ping rootless containers from your host. Unlike containers started as root, rootless containers don't have "real" network interfaces; they have software interfaces that are managed by the slirp4netns application.

The only way to provide inbound access to rootless containers is using port publishing. That is, if you're running a web server in a rootless container and you want to access it from your host, you run something like:

podman run -p 8080:80 myimage

This would make a web server running on port 80 inside the container available on host port 8080.

For example, if I start a container like this:

podman run --name webserver -d --rm docker.io/alpinelinux/darkhttpd

We see that podman has started a corresponding slirp4netns process:

$ ps -fe |grep slirp4netns
lars       83079    3115  0 14:14 pts/2    00:00:00 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp --enable-ipv6 -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/netns-c8c1a75a-f2fb-ed7e-5f4b-8bc15766d05d tap0

Inside the running container is a tap interface; that interface is connected to the slirp4netns process, which is responsible for forwarding traffic between the container and the host/outside world.
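The `ps` line in the answer is worth reading closely, because the slirp4netns flags podman passes are what keep a rootless container's software network isolated from the host. The following POSIX shell script is an added example, not part of the original answer: it takes a slirp4netns command line (the sample line from the answer, embedded so the script runs offline), checks that the isolation options `--disable-host-loopback` (the container cannot reach services bound to the host's 127.0.0.1 through the slirp gateway), `--enable-sandbox` and `--enable-seccomp` are present, and extracts the network namespace path and tap device name. The `slirp_audit_running` helper, which reads `/proc/<pid>/cmdline` for every live slirp4netns process, is an assumption about a Linux host and is only invoked when `pgrep` finds such processes.

```shell
#!/bin/sh
# Added example (not from the original answer): audit the slirp4netns command
# line that podman starts for a rootless container and report which isolation
# options are in effect. The sample line is the one quoted in the answer.

SAMPLE_PS_LINE='lars       83079    3115  0 14:14 pts/2    00:00:00 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp --enable-ipv6 -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/netns-c8c1a75a-f2fb-ed7e-5f4b-8bc15766d05d tap0'

# Options we expect podman to pass to slirp4netns for a rootless container.
EXPECTED_FLAGS='--disable-host-loopback --enable-sandbox --enable-seccomp'

# slirp_has_flag LINE FLAG -> exit 0 if FLAG appears as a separate argument.
slirp_has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# slirp_netns_path LINE -> print the namespace path that follows
# "--netns-type=path"; exit 1 if the option is absent.
slirp_netns_path() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "--netns-type=path" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# slirp_tap_device LINE -> print the last argument, the tap interface that
# slirp4netns creates inside the container's network namespace.
slirp_tap_device() {
    last=""
    for arg in $1; do last="$arg"; done
    printf '%s\n' "$last"
}

# slirp_missing_count LINE -> print how many EXPECTED_FLAGS are absent.
slirp_missing_count() {
    n=0
    for flag in $EXPECTED_FLAGS; do
        slirp_has_flag "$1" "$flag" || n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# slirp_audit LINE -> human-readable report for one slirp4netns command line.
slirp_audit() {
    for flag in $EXPECTED_FLAGS; do
        if slirp_has_flag "$1" "$flag"; then
            printf 'ok      %s\n' "$flag"
        else
            printf 'MISSING %s\n' "$flag"
        fi
    done
    printf 'netns   %s\n' "$(slirp_netns_path "$1" || echo '(not attached by path)')"
    printf 'tap     %s\n' "$(slirp_tap_device "$1")"
}

# slirp_audit_running -> audit every slirp4netns process on this host
# (assumes Linux /proc; silently does nothing when none is running).
slirp_audit_running() {
    for pid in $(pgrep -x slirp4netns 2>/dev/null || true); do
        [ -r "/proc/$pid/cmdline" ] || continue
        line=$(tr '\0' ' ' < "/proc/$pid/cmdline")
        printf '== pid %s ==\n' "$pid"
        slirp_audit "$line"
    done
}

echo "== sample line from the answer =="
slirp_audit "$SAMPLE_PS_LINE"
slirp_audit_running
```

For the sample line the report shows all three options present, the namespace path under `/run/user/1000/netns/` and the device `tap0`. A line where `--disable-host-loopback` is missing would mean the container can reach the host's loopback-bound services via slirp's gateway address, which is exactly the host-to-container boundary the answer describes and something to flag when reviewing a rootless deployment.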

huangapple
  • Posted on 28 July 2023, 01:37:37
  • Please keep this link when reposting: https://go.coder-hub.com/76782225.html