I recently started playing with podman and non-root containers and I think I
missed something about networking.
Assume we have such a network on the host:
--8<---------------cut here---------------start------------->8---
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether b4:2e:99:f0:ae:57 brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.200/24 brd 192.168.200.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd1b:69d9:9e1d:0:b62e:99ff:fef0:ae57/64 scope global dynamic mngtmpaddr
       valid_lft forever preferred_lft forever
    inet6 fe80::b62e:99ff:fef0:ae57/64 scope link
       valid_lft forever preferred_lft forever
23: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether ce:89:80:01:c8:e6 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::1c6d:52ff:fedb:9d9a/64 scope link
       valid_lft forever preferred_lft forever
--8<---------------cut here---------------end--------------->8---
There are no NAT/MASQUERADE rules in nftables.
$ podman network inspect podman
[
     {
          "name": "podman",
          "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
          "driver": "bridge",
          "network_interface": "podman0",
          "created": "2023-03-29T19:50:55.753738104+02:00",
          "subnets": [
               {
                    "subnet": "10.88.0.0/16",
                    "gateway": "10.88.0.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": false,
          "ipam_options": {
               "driver": "host-local"
          }
     }
]
I run the container with the command:
$ podman run -ti --log-level debug --network podman --name test test
then in the container:
--8<---------------cut here---------------start------------->8---
root@ddc54c227a9d:/# curl onet.pl
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
--8<---------------cut here---------------end--------------->8---
Why does the container have access outside the host?
I would expect that I would have some rules to allow traffic between
podman0 and eth0?
Is it possible to configure this behavior?
Where can I find a description of the values in "podman network inspect"?
What is the difference (in this case) between macvlan and bridge (except
root/non-root)?
KJ
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html