Very nice document! I did not find it when googling, perhaps I didn't
use the right keywords.
What I was missing was simply: allow_host_loopback=true! But "pods" are
better for what I do.
Another question: if I have several websites (80/443) with various
domain names, each one in a container, is it a good solution to use a
proxy on the host in order to "route" the right name to the right
container port?
Thanks a lot!
Mike
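The port redirect described in the quoted exchange below (nginx on :80 inside a rootless container, published on the host as :10080, with host :80 redirected to it by iptables configured as root), written up as an added shell script that is not part of the thread. It assumes an iptables-based host; the rule generator runs as any user, applying the rules needs root.

```shell
#!/bin/sh
# Added example, not from the thread: bring host port 80 to the high port a
# rootless container publishes (10080 in the setup discussed) with iptables.
# Assumes an iptables-based host; applying the rules needs root.
set -eu

# is_port NUM: succeed if NUM is an integer in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules PRIV_PORT PUBLISHED_PORT: print the two nat rules needed.
# PREROUTING only sees packets arriving on a NIC; connections the host makes
# to itself go through OUTPUT instead, so both are required or
# "curl http://localhost/" would bypass the redirect. The published port
# must stay >= 1024, otherwise rootless publishing would not have worked.
redirect_rules() {
    priv=$1 pub=$2
    is_port "$priv" && is_port "$pub" || { echo "bad port: $priv/$pub" >&2; return 1; }
    [ "$pub" -ge 1024 ] || { echo "published port must be >= 1024" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$priv" "$pub"
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$priv" "$pub"
}

# apply_redirect PRIV_PORT PUBLISHED_PORT: run the rules as root, then show
# what the nat table holds for that port; as a normal user just print them.
# (Lowering net.ipv4.ip_unprivileged_port_start would avoid the redirect,
# but it relaxes the check for every user on the host, not just this service.)
apply_redirect() {
    rules=$(redirect_rules "$1" "$2") || return 1
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null; then
        echo "$rules" | sh -e
        iptables -t nat -S | grep -- "--dport $1 "
    else
        echo "# dry run (not root or no iptables); would run:"
        echo "$rules"
    fi
}

# Stand-alone: print the rules; call "apply_redirect 80 10080" as root to apply.
redirect_rules 80 10080
```

Run the dry run as your own user first and compare the printed rules with what `iptables -t nat -S` shows afterwards as root.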
On Mon., Sept. 12, 2022 at 11:35:34 +0200, Paul Holzinger
<pholzing(a)redhat.com> wrote:
Hi Mikhaël,
I created some slides[1] last year to explain how rootless networking
works.
> However I wanted to ask (if I can) about rootless design: by
> default, servers working with ports below 1024 can only run in root
> mode. The system can however be configured to overcome that, but I
> guess that if there is this protection by default it is for a good
> reason, even if I don't know it. So the ports I expose, outside the
> pod, on the local host of my ubuntu host, are always > 1024. For
> example, let's say I use :80 inside a container with nginx. I
> expose it as :10080. Then, to get nginx on port :80 of the physical
> network card, I do it with iptables, which I configure in root mode of
> course. Is it a good practice or is it uselessly "complex"? Or is
> there any better practice to do that?
I think redirecting with iptables or some other firewall frontend is
fine.
[1] <https://podman.io/community/meeting/notes/2021-10-05/Podman-Rootless-Netw...
Paul
On Fri, Sep 9, 2022 at 7:29 PM Mikhaël MYARA
<mikhael.myara(a)ies.univ-montp2.fr> wrote:
> Chris, thanks a lot for your answer!
>
> I finally understood that with podman the concept of "pod" + exposed
> ports solved what I wanted to do; it works perfectly. At the time I
> wrote the first email, I used podman exactly like I used docker
> and didn't know about "pods". It is of course a bit frustrating not
> to have understood these different kinds of network management, in
> root or rootless mode, but at the moment it is not a real problem
> for what I work on. I guess my knowledge of networks in root or
> user mode with linux is too superficial, and that fact explains my
> problems with that. But again, I have a practical solution: pods,
> which solves my problem perfectly.
>
> So everything is ok for me. To answer your question, I work on
> ubuntu 22.04 with the last supported version for ubuntu, that is
> podman 3.3.4. But for the time being, my problem is solved.
>
> However I wanted to ask (if I can) about rootless design: by
> default, servers working with ports below 1024 can only run in root
> mode. The system can however be configured to overcome that, but I
> guess that if there is this protection by default it is for a good
> reason, even if I don't know it. So the ports I expose, outside the
> pod, on the local host of my ubuntu host, are always > 1024. For
> example, let's say I use :80 inside a container with nginx. I
> expose it as :10080. Then, to get nginx on port :80 of the physical
> network card, I do it with iptables, which I configure in root mode of
> course. Is it a good practice or is it uselessly "complex"? Or is
> there any better practice to do that?
>
> Best Regards,
> Mike
>
> On Fri., Sept. 9, 2022 at 13:04:05 -0400, Chris Evich
> <cevich(a)redhat.com> wrote:
>>
>> I think perhaps nobody's replied because we don't have enough
>> environment details. Such as what OS and version, and what version of
>> podman is this. It looks like you're using CNI networking, so I'm
>> guessing this is an older version of podman.
>>
>> In any case, I am not an expert in these things. But I do find it odd
>> that you would need/want to use the main 'podman' bridge as a rootless
>> user in this way. Normally rootless networking works quite well with
>> slirp4netns. So perhaps figuring out why it's not is a good starting
>> place?
>>
>> Otherwise, more details about the environment and what you're trying to
>> accomplish would help us answer your questions better.
>>
>>
>> Chris Evich (he/him), RHCA III
>> Senior Quality Assurance Engineer
>> Nearly all opportunities, can only be achieved in the future.
>>
>> On 8/23/22 09:19, Mikhaël MYARA wrote:
>>> Dear all,
>>>
>>> I started with Docker a few weeks ago and understood security issues
>>> coming from the root daemon. I saw that podman was close to Docker (and
>>> it is true, my Dockerfiles worked without modification) and solved this
>>> security issue.
>>>
>>> With podman, things work well as long as I use my images / containers
>>> in root mode, using sudo. However nothing works in user mode.
>>>
>>> I guess that for security reasons, it would be better, by far, to run
>>> containers in user mode. And I cannot understand how it works.
>>>
>>> In root mode, typing "ip a" exhibits an eth0 network card, with an
>>> ip. And when I use this ip with the considered port from the outside of
>>> the container (i.e. from the main OS), it works.
>>> In rootless mode, the same command gives a tap0 interface instead,
>>> with another ip on another sub network I guess.
>>>
>>> Now if I force the usage of the podman network (in rootless mode),
>>> with --network podman, now I get an eth0 network interface, on the same
>>> sub network as in root mode. It seems to correspond to the cni-podman0
>>> network on the host OS.
>>> However, when I do:
>>> telnet 10.88.0.02 8080
>>> from the podman container, it works, whereas from the host OS, it does
>>> not work, whereas the interface responds to ping from the host.
>>> Can someone help?
>>>
>>> Regards,
>>> Mike
>>>
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to podman-leave(a)lists.podman.io