Chris, thanks a lot for your answer!

I finally understood that with podman the concept of "pod" + exposed ports solved what I wanted to do, and it works perfectly: at the time I wrote the first email, I used podman exactly like I used docker and didn't know about "pods". It is of course a bit frustrating not to have understood these different kinds of network management, in root or rootless mode, but at the moment it is not a real problem for what I work on. I guess my knowledge of networks in root or user mode with linux is too superficial, and that fact explains my problems with that. But again, I have a practical solution: pods, which solve my problem perfectly.

So everything is ok for me. To answer your question, I work on ubuntu 22.04 with the last supported version for ubuntu, that is podman 3.3.4. But for the time being, my problem is solved.

However I wanted to ask (if I can) about rootless design: by default, servers working with ports below 1024 can only run in root mode. The system can however be configured to overcome that, but I guess that if there is this protection by default it is for a good reason, even if I don't know it. So the ports I expose, outside the pod, on the local host of my ubuntu host, are always > 1024. For example, let's say I use :80 inside a container with nginx. I expose it as :10080. Then, to get nginx on port :80 of the physical network card, I do it with iptables, which I configure in root mode of course. Is it a good practice or is it uselessly "complex"? Or is there any better practice to do that?

Best Regards,
Mike
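The setup described in the message above (a rootless pod publishing an unprivileged host port, plus root-side iptables rules redirecting :80 to it), written out as an added example; this is not code from the thread. The pod name "web", the nginx image and the port numbers are assumptions, and the script also emits the nat OUTPUT rule, which a PREROUTING-only redirect lacks: connections made from the host itself never traverse PREROUTING, so "curl localhost:80" would still fail without it.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: pod "web",
# host port 10080 published rootless, nginx listening on 80 inside it.
set -eu

POD=web
IMAGE=docker.io/library/nginx:alpine
HOST_PORT=10080   # unprivileged port rootless podman binds on the host
PUB_PORT=80       # privileged port clients actually connect to

# Lowest port an unprivileged process may bind: kernel default 1024, but
# the sysctl net.ipv4.ip_unprivileged_port_start can lower it.
unpriv_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024
    fi
}

# Exit 0 when PORT cannot be bound without root or a lowered sysctl.
port_is_privileged() {
    [ "$1" -lt "${2:-$(unpriv_start)}" ]
}

# Root-side nat rules. PREROUTING catches traffic arriving on the NIC; the
# OUTPUT rule is needed as well, because connections made from the host
# itself (e.g. curl localhost:80) never traverse PREROUTING.
redirect_rules() {
    pub=$1; host=$2
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$pub" "$host"
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$pub" "$host"
}

# Rootless side: the pod owns the network namespace and only the
# unprivileged host port is published; nginx joins the pod.
start_pod() {
    podman pod create --name "$POD" -p "$HOST_PORT:80"
    podman run -d --pod "$POD" --name "$POD-nginx" "$IMAGE"
}

# Dry run by default: print the rules to apply with sudo. --apply also
# creates the pod (rootless), keeping the root and rootless steps separate.
if [ "${1:-}" = "--apply" ]; then
    start_pod
fi
if port_is_privileged "$PUB_PORT"; then
    echo "port $PUB_PORT is privileged; as root, redirect it to $HOST_PORT:"
    redirect_rules "$PUB_PORT" "$HOST_PORT"
fi
```

Run it as the rootless user with --apply, then paste the two printed rules into a root shell; the rules are not persisted across reboots by this script.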
On Fri., Sept. 9 2022 at 13:04:05 -0400, Chris Evich
<cevich(a)redhat.com> wrote:
I think perhaps nobody's replied because we don't have enough
environment details. Such as what OS and version, and what version of
podman is this. It looks like you're using CNI networking, so I'm
guessing this is an older version of podman.
In any case, I am not an expert in these things. But I do find it odd
that you would need/want to use the main 'podman' bridge as a rootless
user in this way. Normally rootless networking works quite well with
slirp4netns. So perhaps figuring out why it's not, is a good starting
place?
Otherwise, more details about the environment and what you're trying to
accomplish would help us answer your questions better.
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
Nearly all opportunities, can only be achieved in the future.
On 8/23/22 09:19, Mikhaël MYARA wrote:
> Dear all,
>
> I started with Docker a few weeks ago and understood the security issues
> coming from the root daemon. I saw that podman was close to Docker (and
> it is true, my Dockerfiles worked without modification) and solved this
> security issue.
>
> With podman, things work well as long as I use my images / containers
> in root mode, using sudo. However nothing works in user mode.
>
> I guess that for security reasons, it would be better, by far, to run
> containers in user mode. And I cannot understand how it works.
>
> In root mode, typing "ip a" exhibits an eth0 network card, with an
> ip. And when I use this ip with the considered port from the outside of
> the container (i.e. from the main OS), it works.
> In rootless mode, the same command gives a tap0 interface instead,
> with another ip on another sub network I guess.
>
> Now if I force the usage of the podman network (in rootless mode),
> with --network podman, I get an eth0 network interface, on the same
> sub network as in root mode. It seems to correspond to the cni-podman0
> network on the host OS.
> However, when I do:
> telnet 10.88.0.02 8080
> from the podman container, it works, whereas from the host OS, it does
> not work, whereas the interface responds to ping from the host.
> Can someone help?
>
> Regards,
> Mike
>
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> <mailto:podman@lists.podman.io>
> To unsubscribe send an email to podman-leave(a)lists.podman.io
> <mailto:podman-leave@lists.podman.io>