Podman auto-start on boot
Podman networking
Differences between rootful and rootless container networking
One of the deciding factors for how a podman container is networked is whether it is run by the root user, because an unprivileged user cannot create network interfaces on the host. So for rootful containers the default network mode is the Container Network Interface (CNI) plugins, specifically the bridge plugin. For rootless containers the default network mode is slirp4netns. Because of its limited privileges, slirp4netns lacks some of the features of CNI networking; for example, slirp4netns cannot give a container a routable IP address. CNI stands for Container Network Interface.
Firewall
The firewall does not affect how networks are set up and configured, but it does affect the traffic on those networks. The most obvious case is inbound traffic to the container host, which is usually passed on to containers through port mappings. Depending on the firewall implementation, we have observed firewall ports being opened automatically as a result of running a container with a port mapping. If container traffic does not seem to work, check the firewall and allow traffic on the port numbers the containers are using. A common problem is that reloading the firewall deletes the CNI iptables rules, which causes rootful containers to lose network connectivity. Podman v3 provides the podman network reload command to restore them without restarting the containers.
Inter-container communication example:
[root@localhost ~]# podman run -it --name test docker.io/library/busybox:latest /bin/sh // start a container named test
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 52:88:dc:58:af:08 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.2/16 brd 10.88.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5088:dcff:fe58:af08/64 scope link
valid_lft forever preferred_lft forever
// start a second container, test1
[root@localhost ~]# podman run -it --name test1 docker.io/library/busybox:latest /bin/sh
/ # ping -c2 10.88.0.2
PING 10.88.0.2 (10.88.0.2): 56 data bytes
64 bytes from 10.88.0.2: seq=0 ttl=64 time=0.087 ms
64 bytes from 10.88.0.2: seq=1 ttl=64 time=0.080 ms
--- 10.88.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.080/0.083/0.087 ms
// starting a container creates a veth interface on the host; it is removed when the container stops
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:e4:2b:70 brd ff:ff:ff:ff:ff:ff
inet 192.168.71.134/24 brd 192.168.71.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fee4:2b70/64 scope link
valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ca:18:8f:f7:90:cc brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::c818:8fff:fef7:90cc/64 scope link
valid_lft forever preferred_lft forever
4: veth068c0b11@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
link/ether 6a:b9:83:ce:04:eb brd ff:ff:ff:ff:ff:ff link-netns cni-9fe9f57d-2a01-c3fe-4dfa-a0d2213ff9a1
inet6 fe80::68b9:83ff:fece:4eb/64 scope link
valid_lft forever preferred_lft forever
5: vethb5141e5a@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
link/ether 7e:d1:e5:fe:28:15 brd ff:ff:ff:ff:ff:ff link-netns cni-4d8b67ae-52cd-b9c9-3f58-d56ccd1d70c7
inet6 fe80::7cd1:e5ff:fefe:2815/64 scope link
valid_lft forever preferred_lft forever
View the firewall rules
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
// run a container to test
// once a container is running, a rule is added for it automatically and its port is allowed through
[root@localhost ~]# podman run -d -p 80:80 --name web --rm docker.io/library/httpd
[root@localhost ~]# iptables -t nat -nvL
Chain CNI-HOSTPORT-DNAT (2 references)
pkts bytes target prot opt in out source destination
0 0 CNI-DN-221138b7a7c984de5db72 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "podman" id: "2a378d287e05363c44bcd4bddbf62bcdaa59dbf58b52dfe413c66051e94af9d8" */ multiport dports 80
[root@localhost ~]# podman inspect -l | grep -i address // view the container's IP address
"IPAddress": "10.88.0.6",
"GlobalIPv6Address": "",
"MacAddress": "32:5f:7b:f4:53:ad",
"LinkLocalIPv6Address": "",
"IPAddress": "10.88.0.6",
"GlobalIPv6Address": "",
"MacAddress": "32:5f:7b:f4:53:ad",
[root@localhost ~]# curl 10.88.0.6 // test access
<html><body><h1>It works!</h1></body></html>
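The firewall section above says a firewall reload can delete the CNI iptables rules so that rootful containers lose connectivity, and the iptables output shows what one of those rules looks like: a DNAT entry in CNI-HOSTPORT-DNAT whose comment carries the container id. The script below is an added example, not code from the original post or from the Podman project. It checks that every port-mapped container still has its DNAT rule and names the ones that do not, so the check can run from a cron job or after a firewall reload. The input formats are assumptions: rules as printed by `iptables -t nat -S CNI-HOSTPORT-DNAT`, and containers as "<id> <host-port>" lines; the sample data is constructed, modelled on the post's output.

```shell
#!/bin/sh
# Added example (not from the original post): find port-mapped podman
# containers whose CNI host-port DNAT rule is missing from the nat table,
# the symptom the post describes after a firewall reload.
# Assumed inputs: rules in `iptables -t nat -S CNI-HOSTPORT-DNAT` format,
# containers as "<id> <host-port>" lines.

# Constructed sample: two port-mapped containers. The first id is the one in
# the post's iptables output; the second is made up.
SAMPLE_CONTAINERS='2a378d287e05363c44bcd4bddbf62bcdaa59dbf58b52dfe413c66051e94af9d8 80
1111111111111111111111111111111111111111111111111111111111111111 8443'

# Constructed sample of the nat chain after a reload: only the first
# container still has its DNAT rule.
SAMPLE_RULES='-N CNI-HOSTPORT-DNAT
-A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"podman\" id: \"2a378d287e05363c44bcd4bddbf62bcdaa59dbf58b52dfe413c66051e94af9d8\"" -m multiport --dports 80 -j CNI-DN-221138b7a7c984de5db72'

# Print the id of every container that has no DNAT rule for its host port.
# $1 = rule text, $2 = container list. Prints nothing when all are covered.
missing_dnat_rules() {
    rules=$1
    containers=$2
    printf '%s\n' "$containers" | while read -r id port; do
        [ -n "$id" ] || continue
        # iptables -S backslash-escapes the quotes inside the comment, so a
        # rule contains the literal text  id: \"<id>\" . Matching on the
        # prefix  id: \"<id>  also accepts the 12-char short ids podman ps prints.
        if ! printf '%s\n' "$rules" | grep -F -- "id: \\\"$id" | grep -F -q -- "--dports $port"; then
            printf '%s\n' "$id"
        fi
    done
}

# Exit-status wrapper: 0 when every container is covered, 1 otherwise.
dnat_rules_ok() {
    [ -z "$(missing_dnat_rules "$1" "$2")" ]
}

# On a real host with both tools present use live data; otherwise fall back
# to the constructed samples so the script runs anywhere.
if command -v podman >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
    rules=$(iptables -t nat -S CNI-HOSTPORT-DNAT 2>/dev/null || true)
    # Assumed podman ps output such as "2a378d287e05 0.0.0.0:80->80/tcp";
    # keep one host port per container (the last mapping listed).
    containers=$(podman ps --format '{{.ID}} {{.Ports}}' 2>/dev/null \
        | sed -n 's/^\([0-9a-f]*\) .*:\([0-9]*\)->.*/\1 \2/p')
else
    rules=$SAMPLE_RULES
    containers=$SAMPLE_CONTAINERS
fi

missing=$(missing_dnat_rules "$rules" "$containers")
if [ -n "$missing" ]; then
    echo "containers with no DNAT rule (restore with: podman network reload --all):"
    echo "$missing"
else
    echo "all port-mapped containers have their DNAT rule"
fi
```

Run as root so iptables can read the nat table. When the script reports a container, `podman network reload --all` (or `podman network reload <container>`) re-creates the rules without restarting the container, which is exactly the post's remedy; the check gives you a signal to act on instead of waiting for users to report a dead port.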
Container auto-start on boot
[root@localhost ~]# podman create --name nginx nginx:latest
dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954
[root@localhost ~]# podman generate systemd --restart-policy=always -t 2 nginx // generate the service file for nginx
# container-dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954.service
# autogenerated by Podman 3.4.1-dev
# Tue Dec 14 23:31:26 CST 2021
[Unit]
Description=Podman container-dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/run/containers/storage
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=always
TimeoutStopSec=62
ExecStart=/usr/bin/podman start dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954
ExecStop=/usr/bin/podman stop -t 2 dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954
ExecStopPost=/usr/bin/podman stop -t 2 dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954
PIDFile=/run/containers/storage/overlay-containers/dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954/userdata/conmon.pid
Type=forking
[Install]
WantedBy=multi-user.target default.target
[root@localhost ~]# podman generate systemd --files --name nginx // generate the service file for the named container
/root/container-nginx.service
[root@localhost ~]# cp container-nginx.service /usr/lib/systemd/system/ // move the generated service file into this directory
[root@localhost ~]# systemctl daemon-reload // reload systemd
[root@localhost ~]# systemctl start container-nginx.service // start the service and check its status
[root@localhost ~]# systemctl status container-nginx.service
● container-nginx.service - Podman container-nginx.service
Loaded: loaded (/usr/lib/systemd/system/container-nginx.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2021-12-15 09:41:19 CST; 3s ago
Docs: man:podman-generate-systemd(1)
Process: 11826 ExecStart=/usr/bin/podman start nginx (code=exited, status=0/SUCCESS)
Main PID: 11912 (conmon)
Tasks: 3 (limit: 11201)
Memory: 4.1M
[root@localhost ~]# systemctl enable --now container-nginx.service // enable start on boot
Created symlink /etc/systemd/system/multi-user.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
Created symlink /etc/systemd/system/default.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
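The steps above (generate the unit, copy it into a systemd directory, daemon-reload, enable) are easy to get subtly wrong: a unit without Restart=always will not come back after a crash, and one that is not wanted by multi-user.target will not start at boot even though it is installed. The script below is an added example, not code from the original post or from the Podman project. It wraps the same procedure in one function and first lints the generated file for those settings, using the unit format shown above; the sample unit is constructed from the post's output. It assumes a rootful host with podman and systemctl, and it installs into /etc/systemd/system (the administrator's directory) rather than /usr/lib/systemd/system, which belongs to the package manager.

```shell
#!/bin/sh
# Added example (not from the original post): lint a podman-generated systemd
# unit for the settings that decide whether the container really comes back
# after a reboot, then install and enable it the way the post does.

# Constructed sample unit, modelled on the file `podman generate systemd` printed above.
SAMPLE_UNIT='# container-nginx.service
[Unit]
Description=Podman container-nginx.service
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/run/containers/storage
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=always
TimeoutStopSec=62
ExecStart=/usr/bin/podman start nginx
ExecStop=/usr/bin/podman stop -t 2 nginx
Type=forking
[Install]
WantedBy=multi-user.target default.target'

# Print the value of key $2 in section [$1] of unit file $3 (first match only).
unit_value() {
    awk -v sec="[$1]" -v key="$2" '
        /^\[/ { insec = ($0 == sec); next }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$3"
}

# Lint a generated unit: prints one line per problem, returns 1 if any was found.
check_container_unit() {
    f=$1
    rc=0
    [ "$(unit_value Service Restart "$f")" = always ] \
        || { echo "Restart is not 'always'"; rc=1; }
    case "$(unit_value Service ExecStart "$f")" in
        */podman\ start\ *|*/podman\ run\ *) ;;
        *) echo "ExecStart does not start a podman container"; rc=1 ;;
    esac
    case " $(unit_value Install WantedBy "$f") " in
        *" multi-user.target "*) ;;
        *) echo "WantedBy does not include multi-user.target"; rc=1 ;;
    esac
    [ "$(unit_value Unit After "$f")" = network-online.target ] \
        || { echo "unit does not wait for network-online.target"; rc=1; }
    return $rc
}

# Generate, lint, install and enable the unit for the container named $1.
# --name makes the unit refer to the container by name instead of its id.
install_container_unit() {
    name=$1
    unit="/etc/systemd/system/container-$name.service"
    podman generate systemd --restart-policy=always -t 2 --name "$name" > "$unit" \
        || { rm -f "$unit"; return 1; }
    # Refuse to enable a unit that would not survive a reboot or a crash.
    check_container_unit "$unit" || { rm -f "$unit"; return 1; }
    systemctl daemon-reload
    systemctl enable --now "container-$name.service"
}

# Usage: ./script --install nginx   (real install, needs root)
#        ./script                    (lint the constructed sample only)
if [ "$1" = --install ] && [ -n "$2" ]; then
    install_container_unit "$2"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_UNIT" > "$tmp"
    check_container_unit "$tmp" && echo "sample unit passes the checks"
    rm -f "$tmp"
fi
```

One caveat worth knowing: this is for rootful containers. For a rootless user the unit goes into ~/.config/systemd/user, it is managed with `systemctl --user`, and the user needs `loginctl enable-linger` so the unit starts at boot without a login session.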