Podman: Podman Container Basics

司浩壤
2023-12-01


1. What is Podman

Podman was originally part of the CRI-O project and was later split out into a separate project called libpod. Using Podman feels much like using Docker; the difference is that Podman has no daemon. With the Docker CLI, the CLI tells the Docker daemon "start a container" over the daemon's API socket, and only then does the daemon start the container through an OCI container runtime (runc by default). This means a container process can never be a child of the Docker CLI; it is a child of the Docker daemon. Because that daemon runs as root, anyone who can talk to its socket can effectively do anything root can, which is the main security argument for a daemonless design.

Podman is more direct: there is no daemon. The podman command forks a small monitor process, conmon, which launches the container through the OCI runtime (also runc by default), so the container's processes descend from the podman invocation rather than from a long-running service (in the systemd output later on this page, conmon is the unit's main PID). This is close to the Linux fork/exec model, whereas Docker uses a client/server model.

2. Installing and using Podman

2.1 Installation

[root@podman ~]# dnf -y install podman

//define an alias so that docker commands run podman
[root@podman ~]# alias docker=podman 
[root@podman ~]# docker images 
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE
[root@podman ~]# podman images 
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE

2.2 Using Podman

2.2.1 Basic Podman commands

podman search: find images

[root@podman ~]# podman search httpd --filter=is-official //restrict the search to official httpd images
INDEX       NAME                     DESCRIPTION                     STARS       OFFICIAL    AUTOMATED
docker.io   docker.io/library/httpd  The Apache HTTP Server Project  3794        [OK] 

podman pull: pull an image

[root@podman ~]# podman images 
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE

[root@podman ~]# podman pull docker.io/library/nginx 
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 44be98c0fab6 done  
Copying blob ed835de16acd done  
Copying blob e5ae68f74026 done  
Copying blob 21e0df283cd6 done  
Copying blob 881ff011f1c9 done  
Copying blob 77700c52c969 done  
Copying config f652ca386e done  
Writing manifest to image destination
Storing signatures
f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e

podman images: list all local images

[root@podman ~]# podman images 
REPOSITORY               TAG         IMAGE ID      CREATED      SIZE
docker.io/library/nginx  latest      f652ca386ed1  11 days ago  146 MB

podman run: run a container

[root@podman ~]# podman run -it --rm --name nginx docker.io/library/nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration

podman ps: list running containers

[root@podman ~]# podman  ps 
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS       NAMES
32955d96f3e4  docker.io/library/nginx:latest  nginx -g daemon o...  25 seconds ago  Up 25 seconds ago              nginx

//with -a, Podman shows all containers (created, exited, running, and so on)
[root@podman ~]# podman  ps -a 
CONTAINER ID  IMAGE                           COMMAND               CREATED             STATUS                 PORTS       NAMES
32955d96f3e4  docker.io/library/nginx:latest  nginx -g daemon o...  About a minute ago  Up About a minute ago              nginx

podman inspect: show container details

[root@podman ~]# podman inspect 32955d96f3e4
[
    {
        "Id": "32955d96f3e46e98042ea887bab13529215b0536959bdf988f627b25b2501fd1",
        "Created": "2021-12-14T05:23:57.191968767-05:00",
        "Path": "/docker-entrypoint.sh",
        "Args": [
            "nginx",
            "-g",
            "daemon off;"
.......

// -l selects the most recently created container
[root@podman ~]# podman inspect -l | grep -i ipaddress
            "IPAddress": "10.88.0.2",
                    "IPAddress": "10.88.0.2",

podman logs: view container logs

[root@podman ~]# podman logs -l //logs of the most recently created container
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/14 10:23:57 [notice] 1#1: using the "epoll" event method
2021/12/14 10:23:57 [notice] 1#1: nginx/1.21.4
2021/12/14 10:23:57 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
2021/12/14 10:23:57 [notice] 1#1: OS: Linux 4.18.0-257.el8.x86_64
2021/12/14 10:23:57 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/12/14 10:23:57 [notice] 1#1: start worker processes
2021/12/14 10:23:57 [notice] 1#1: start worker process 26
2021/12/14 10:23:57 [notice] 1#1: start worker process 27
2021/12/14 10:23:57 [notice] 1#1: start worker process 28
2021/12/14 10:23:57 [notice] 1#1: start worker process 29

podman top: list the processes running in a container

[root@podman ~]# podman top 32955d96f3e4
USER        PID         PPID        %CPU        ELAPSED           TTY         TIME        COMMAND
root        1           0           0.000       11m13.821628928s  pts/0       0s          nginx: master process nginx -g daemon off; 
nginx       26          1           0.000       11m13.822843688s  pts/0       0s          nginx: worker process 
nginx       27          1           0.000       11m13.823501411s  pts/0       0s          nginx: worker process 
nginx       28          1           0.000       11m13.823698742s  pts/0       0s          nginx: worker process 
nginx       29          1           0.000       11m13.823936194s  pts/0       0s          nginx: worker process 
[root@podman ~]# podman top -l //most recently created container
USER        PID         PPID        %CPU        ELAPSED           TTY         TIME        COMMAND
root        1           0           0.000       11m23.09833528s   pts/0       0s          nginx: master process nginx -g daemon off; 
nginx       26          1           0.000       11m23.098725746s  pts/0       0s          nginx: worker process 
nginx       27          1           0.000       11m23.098964414s  pts/0       0s          nginx: worker process 
nginx       28          1           0.000       11m23.099398944s  pts/0       0s          nginx: worker process 
nginx       29          1           0.000       11m23.099511946s  pts/0       0s          nginx: worker process 

podman stop: stop a container

[root@podman ~]# podman stop 32955d96f3e4
32955d96f3e4
[root@podman ~]# podman ps 
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

podman start: start a container (note the new container ID below: the earlier container was started with --rm, so stopping it also removed it, and this is a freshly created nginx container)

[root@podman ~]# podman  start 32ae6ac14292
32ae6ac14292
[root@podman ~]# podman  ps 
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS            PORTS       NAMES
32ae6ac14292  docker.io/library/nginx:latest  nginx -g daemon o...  28 seconds ago  Up 9 seconds ago              nginx

podman rm: remove a container

//-f: force removal (stops a running container first)
[root@podman ~]# podman  rm  -f 32ae6ac14292
32ae6ac142924c9c1844ed3ec4ac7704f0c881adcd1df87e79bdbcb389820d75
[root@podman ~]# podman ps -a 
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

podman rmi: remove an image

//-f: force removal (also removes any containers that use the image)
[root@podman ~]# podman  images 
REPOSITORY               TAG         IMAGE ID      CREATED      SIZE
docker.io/library/nginx  latest      f652ca386ed1  12 days ago  146 MB
[root@podman ~]# podman rmi -f f652ca386ed1 
Untagged: docker.io/library/nginx:latest
Deleted: f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e
[root@podman ~]# podman  images 
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE

podman tag: add a tag (a second name for the same image ID, not a rename; the original tag stays)

[root@podman ~]# podman  images 
REPOSITORY               TAG         IMAGE ID      CREATED      SIZE
docker.io/library/httpd  latest      ea28e1b82f31  12 days ago  148 MB
[root@podman ~]# podman tag docker.io/library/httpd:latest docker.io/library/httpd:v0.1
[root@podman ~]# podman  images 
REPOSITORY               TAG         IMAGE ID      CREATED      SIZE
docker.io/library/httpd  latest      ea28e1b82f31  12 days ago  148 MB
docker.io/library/httpd  v0.1        ea28e1b82f31  12 days ago  148 MB

2.2.2 Running Podman as an ordinary (rootless) user

Before a user without root privileges can run Podman, an administrator must install (or build) Podman and complete the following configuration.

cgroup v2 is a Linux kernel feature that makes it possible to limit the resources used by containers run by ordinary users. If the distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: older versions of runc do not work with cgroup v2, so you must switch to the alternative OCI runtime crun.

[root@podman ~]# dnf -y install crun

//the alternative runtime can be selected per invocation with the --runtime option; it is a global flag and goes before the subcommand
[root@podman ~]# podman --runtime crun run --rm docker.io/library/busybox /bin/true

//or change runtime = "runc" to runtime = "crun" in the [engine] section of containers.conf. Note that /usr/share/containers/containers.conf is the packaged default and is overwritten on upgrade; the same key in /etc/containers/containers.conf (system-wide) or ~/.config/containers/containers.conf (one user) overrides it and survives updates
[root@podman ~]# vim /usr/share/containers/containers.conf
.....
# Default OCI runtime
#
runtime = "crun"
#runtime = "runc"
.....

Install slirp4netns

The slirp4netns package provides the user-mode network stack that rootless containers use.

[root@podman ~]# dnf -y install slirp4netns

Install fuse-overlayfs

When Podman is used by an ordinary user, fuse-overlayfs is recommended over the VFS storage driver (VFS has no copy-on-write and duplicates every layer on disk); version 0.7.6 or later is required.

[root@podman ~]# dnf -y install fuse-overlayfs

//configure storage.conf (mount_program lives in the [storage.options.overlay] section; a rootless user's own ~/.config/containers/storage.conf overrides this file if present)
[root@podman ~]# vim /etc/containers/storage.conf
...
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
mount_program = "/usr/bin/fuse-overlayfs"
...

// /etc/subuid and /etc/subgid: each rootless user needs a range of subordinate UIDs/GIDs. Recent useradd allocates one automatically, as here: container UID 0 maps to xym's own UID, and container UIDs 1-65536 map to host UIDs 100000-165535. Ranges must not overlap between users (or with real host accounts); if you change a range for a user who has already run Podman, run `podman system migrate` as that user
[root@podman ~]# useradd xym 
[root@podman ~]# cat /etc/subuid
xym:100000:65536
[root@podman ~]# cat /etc/subgid
xym:100000:65536
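The mapping described above can be checked without starting a container. The following script is an added example, not part of the original post: it reads a subuid-style file (a constructed sample here, /etc/subuid on a real host), computes which host UID a given container UID lands on for a user, and reports overlapping ranges between users. The user's own host UID is passed in explicitly so the script runs offline; on a real host that value is `id -u xym`.

```sh
#!/bin/sh
# Added example (not from the original post). Works on a constructed copy of
# /etc/subuid so it runs offline; point SUBUID_FILE at /etc/subuid on a real host.
SUBUID_FILE=$(mktemp)
cat > "$SUBUID_FILE" <<'EOF'
xym:100000:65536
alice:165536:65536
bob:150000:65536
EOF

# Print "start count" for USER from FILE (empty if the user has no entry).
subid_range() {  # FILE USER
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# Host UID that container UID $4 maps to for user $2 whose own UID is $3.
# Container UID 0 is the user itself; container UIDs 1..count map to
# start..start+count-1. Fails for UIDs the range does not cover.
host_uid_for() {  # FILE USER HOSTUID CONTAINER_UID
    file=$1; user=$2; hostuid=$3; cuid=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$hostuid"
        return 0
    fi
    range=$(subid_range "$file" "$user")
    if [ -z "$range" ]; then
        echo "no subuid entry for $user" >&2
        return 1
    fi
    start=${range% *}; count=${range#* }
    if [ "$cuid" -gt "$count" ]; then
        echo "container uid $cuid is outside the $count ids mapped for $user" >&2
        return 1
    fi
    echo $((start + cuid - 1))
}

# Report every pair of users whose ranges overlap; returns 1 if any do.
# Overlapping ranges let one user's containers own files of another user's.
subid_overlaps() {  # FILE
    awk -F: '{ name[NR] = $1; lo[NR] = $2; hi[NR] = $2 + $3 - 1 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print name[i] " (" lo[i] "-" hi[i] ") overlaps " name[j] " (" lo[j] "-" hi[j] ")"
                        bad = 1
                    }
            exit bad
        }' "$1"
}

# Stand-alone demo: where do container root and an unprivileged container
# user (uid 101 as an example) land on the host for xym (host uid 1000)?
echo "container uid 0   -> host uid $(host_uid_for "$SUBUID_FILE" xym 1000 0)"
echo "container uid 101 -> host uid $(host_uid_for "$SUBUID_FILE" xym 1000 101)"
subid_overlaps "$SUBUID_FILE" || echo "fix the ranges before enabling rootless Podman"
```

The sample deliberately contains a bad entry for bob, whose range sits inside both xym's and alice's; on a real host the same check over /etc/subuid (and again over /etc/subgid) is the one to run whenever ranges are assigned by hand.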

Using volumes (the :Z suffix relabels the host directory with a private SELinux label so that only this container can use it; the relabel is applied recursively on the host, so never use it on a system directory or on your whole home directory)

[xym@podman ~]$ podman run -itd -v "$(pwd)"/test:/test:Z docker.io/library/busybox /bin/sh 
9e6fef2dd3a7775ab567c622e5c36c5e4be99a181f38512c1d1efa593b61b912

[xym@podman ~]$ podman  ps 
CONTAINER ID  IMAGE                             COMMAND     CREATED         STATUS             PORTS       NAMES
9e6fef2dd3a7  docker.io/library/busybox:latest  /bin/sh     12 seconds ago  Up 12 seconds ago              hungry_jennings

[xym@podman ~]$ podman exec -it 9e6fef2dd3a7 /bin/sh 
/ # cd test/
/test # touch ss
/test # ls
ss
/test # exit 
[xym@podman ~]$ ls test/
ss

2.2.3 Starting Podman containers at boot

[root@podman ~]# podman generate --help
Generate structured data based on containers, pods or volumes

Description:
  Generate structured data (e.g., Kubernetes YAML or systemd units) based on containers, pods or volumes.

Usage:
  podman generate [command]

Available Commands:
  kube        Generate Kubernetes YAML from containers, pods or volumes.
  systemd     Generate systemd units.


[root@podman ~]# podman generate  systemd --help
Generate systemd units.

Description:
  Generate systemd units for a pod or container.
  The generated units can later be controlled via systemctl(1).

Usage:
  podman generate systemd [options] {CONTAINER|POD}

Examples:
  podman generate systemd CTR
  podman generate systemd --new --time 10 CTR
  podman generate systemd --files --name POD

Options:
      --container-prefix string   Systemd unit name prefix for containers (default "container")
  -f, --files                     Generate .service files instead of printing to stdout
      --format string             Print the created units in specified format (json)
  -n, --name                      Use container/pod names instead of IDs
      --new                       Create a new container or pod instead of starting an existing one
      --no-header                 Skip header generation
      --pod-prefix string         Systemd unit name prefix for pods (default "pod")
      --restart-policy string     Systemd restart-policy (default "on-failure")
      --separator string          Systemd unit name separator between name/id and prefix (default "-")
  -t, --time uint                 Stop timeout override (default 10)

Auto-start for rootful containers

//note: this container is created with --rm. The unit generated below (without --new) only runs podman start / podman stop on this existing container, and --rm deletes the container the first time it stops, leaving the unit nothing to start. Create the container without --rm, or generate the unit with --new as in the rootless example further down
[root@podman ~]# podman run -d --rm --name nginx nginx 
✔ docker.io/library/nginx:latest
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob e5ae68f74026 skipped: already exists  
Copying blob ed835de16acd done  
Copying blob 881ff011f1c9 done  
Copying blob 77700c52c969 done  
Copying blob 44be98c0fab6 done  
Copying blob 21e0df283cd6 done  
Copying config f652ca386e done  
Writing manifest to image destination
Storing signatures
7e2800ce33e5b717f252b6f31bd8b05250568d1b549432bc34689f952c993124

//--files writes the unit into the current directory (here /usr/lib/systemd/system) and --name uses the container name rather than its ID in the unit name. Locally written units belong in /etc/systemd/system rather than the package-owned /usr/lib/systemd/system
[root@podman system]# podman generate systemd --files --name nginx 
/usr/lib/systemd/system/container-nginx.service

[root@podman system]# systemctl status container-nginx.service
● container-nginx.service - Podman container-nginx.service
   Loaded: loaded (/usr/lib/systemd/system/container-nginx.servi
   Active: inactive (dead)
     Docs: man:podman-generate-systemd(1)

[root@podman ~]# systemctl enable --now container-nginx 
Created symlink /etc/systemd/system/multi-user.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
Created symlink /etc/systemd/system/default.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.

[root@podman ~]# systemctl status container-nginx.service
● container-nginx.service - Podman container-nginx.service
   Loaded: loaded (/usr/lib/systemd/system/container-nginx.ser>
   Active: active (running) since Wed 2021-12-15 06:15:05 EST;>
     Docs: man:podman-generate-systemd(1)
  Process: 2859 ExecStart=/usr/bin/podman start nginx (code=ex>
 Main PID: 2735 (conmon)
    Tasks: 0 (limit: 23486)
   Memory: 1.6M
   CGroup: /system.slice/container-nginx.service
           ‣ 2735 /usr/bin/conmon --api-version 1 -c f70381d4a>

Dec 15 06:15:04 podman systemd[1]: Starting Podman container-n>
Dec 15 06:15:05 podman systemd[1]: Started Podman container-ng>

Auto-start for rootless containers

[xym@podman ~]$ podman run -itd --name nginx nginx 
✔ docker.io/library/nginx:latest
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 44be98c0fab6 done  
Copying blob ed835de16acd done  
Copying blob 881ff011f1c9 done  
Copying blob 77700c52c969 done  
Copying blob e5ae68f74026 done  
Copying blob 21e0df283cd6 done  
Copying config f652ca386e done  
Writing manifest to image destination
Storing signatures
d2ccf52d01b57c6cde3a9d27d82e614c218cb632eb7107f3b32c80638fc0df97

[xym@podman ~]$ podman  ps 
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS       NAMES
d2ccf52d01b5  docker.io/library/nginx:latest  nginx -g daemon o...  32 seconds ago  Up 32 seconds ago              nginx

[xym@podman ~]$ mkdir -p ~/.config/systemd/user 
//--new makes the unit create a fresh container from the image on every start and remove it on stop, so the unit does not depend on the container created above still existing
[xym@podman ~]$ podman generate systemd --name nginx --files --new 
/home/xym/container-nginx.service
[xym@podman ~]$ mv container-nginx.service ~/.config/systemd/user/

Enabling auto-start as the ordinary user

//run systemctl --user as the user itself, never through sudo: sudo would address root's user manager, not xym's
[xym@podman ~]$ systemctl --user daemon-reload 

//the warning about multi-user.target printed below is harmless: that target exists only in the system manager, and the default.target link is what starts the unit in the user session. User services run only while xym has a session, so for a true start at boot an administrator must also run `loginctl enable-linger xym`, which keeps the user manager (and with it the container) running without a login
[xym@podman ~]$ systemctl --user enable --now container-nginx 
Created symlink /home/xym/.config/systemd/user/multi-user.target.wants/container-nginx.service → /home/xym/.config/systemd/user/container-nginx.service.
Unit /home/xym/.config/systemd/user/container-nginx.service is added as a dependency to a non-existent unit multi-user.target.
Created symlink /home/xym/.config/systemd/user/default.target.wants/container-nginx.service → /home/xym/.config/systemd/user/container-nginx.service.


[xym@podman ~]$ systemctl --user status container-nginx.service 
● container-nginx.service - Podman container-nginx.service
   Loaded: loaded (/home/xym/.config/systemd/user/container-ng>
   Active: active (running) since Wed 2021-12-15 06:36:12 EST;>
     Docs: man:podman-generate-systemd(1)
  Process: 4665 ExecStartPre=/bin/rm -f /run/user/1000/contain>
 Main PID: 4709 (conmon)
   CGroup: /user.slice/user-1000.slice/user@1000.service/conta>
           ├─4703 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/x>
           ├─4706 /usr/bin/slirp4netns --disable-host-loopback>
           ├─4709 /usr/bin/conmon --api-version 1 -c b1e854bab>
           ├─4712 nginx: master process nginx -g daemon off;
           ├─4738 nginx: worker process
           ├─4739 nginx: worker process
           ├─4740 nginx: worker process
           └─4741 nginx: worker process

2.2.4 Podman networking

Differences between rootful and rootless container networking

One of the deciding factors for Podman container networking is whether the container is run by root. Unprivileged users cannot create network interfaces on the host, so for rootful containers the default network mode uses Container Network Interface (CNI) plugins, specifically the bridge plugin, while for rootless containers the default is slirp4netns. Because of its limited privileges, slirp4netns lacks some features of CNI networking; for example, it cannot give a container a routable IP address.

Three steps

  • podman network create: create the network
  • edit the generated /etc/cni/net.d/<name>.conflist (podman network create also accepts --subnet and --gateway, which writes these values without hand-editing)
  • set default_network in containers.conf to make it the default network

Create the network

[root@podman ~]# podman network create new 
/etc/cni/net.d/new.conflist

[root@podman ~]# podman  network ls 
NETWORK ID    NAME        VERSION     PLUGINS
2f259bab93aa  podman      0.4.0       bridge,portmap,firewall,tuning
11507a0e2f5e  new         0.4.0       bridge,portmap,firewall,tuning

//edit the generated /etc/cni/net.d/new.conflist; here the subnet and gateway were changed to 192.168.88.0/24 and 192.168.88.1
[root@podman ~]# vim /etc/cni/net.d/new.conflist 

{
   "cniVersion": "0.4.0",
   "name": "new",
   "plugins": [
      {
         "type": "bridge",
         "bridge": "cni-podman1",
         "isGateway": true,
         "ipMasq": true,
         "hairpinMode": true,
         "ipam": {
            "type": "host-local",
            "routes": [
               {
                  "dst": "0.0.0.0/0"
               }
            ],
            "ranges": [
               [
                  {
                     "subnet": "192.168.88.0/24",
                     "gateway": "192.168.88.1"
                  }
               ]
            ]
         }
      },
      {
         "type": "portmap",
         "capabilities": {
            "portMappings": true
         }
      },
      {
         "type": "firewall",
         "backend": ""
      },
      {
         "type": "tuning"
      }
   ]
}
//make it the default network (default_network lives in the [network] section; as with the runtime setting, prefer /etc/containers/containers.conf over the packaged /usr/share copy, which is overwritten on upgrade)
[root@podman ~]# vim /usr/share/containers/containers.conf
....
#
default_network = "new"
#default_network = "podman"
....

//create a container to check the new network
[root@podman ~]# podman run -dit --name new busybox
46f5f3c605919ca1bf30b01f287747afe8b7b0f290529a05c5b950e444be0349

[root@podman ~]# podman exec -it new /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether fe:b1:ec:61:cb:c4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.2/24 brd 192.168.88.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::fcb1:ecff:fe61:cbc4/64 scope link 
       valid_lft forever preferred_lft forever
       
/ # ping baidu.com    //check connectivity to the outside world
PING baidu.com (220.181.38.251): 56 data bytes
64 bytes from 220.181.38.251: seq=0 ttl=127 time=59.113 ms
64 bytes from 220.181.38.251: seq=1 ttl=127 time=75.623 ms
64 bytes from 220.181.38.251: seq=2 ttl=127 time=61.185 ms

Firewall rules

[root@podman ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-b3d5ece77c897b52b8cbe349  all  --  *      *       192.168.88.5         0.0.0.0/0            /* name: "new" id: "5e710ea578b977524f86c7989ecb73a2039ef8d4340a41e5d059908c4ccf04c6" */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-b3d5ece77c897b52b8cbe349 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.88.0/24      /* name: "new" id: "5e710ea578b977524f86c7989ecb73a2039ef8d4340a41e5d059908c4ccf04c6" */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "new" id: "5e710ea578b977524f86c7989ecb73a2039ef8d4340a41e5d059908c4ccf04c6" */

//run a container that publishes port 80
[root@podman ~]# podman run -d -p 80:80 --name nginx nginx 
6e43e51db98deee3f373f292e0615d81af0cc865eed17542d389fce7424710a9
[root@podman ~]# podman ps -a 
CONTAINER ID  IMAGE                             COMMAND               CREATED             STATUS                 PORTS               NAMES
5e710ea578b9  docker.io/library/busybox:latest  sh                    About a minute ago  Up About a minute ago                      new
6e43e51db98d  docker.io/library/nginx:latest    nginx -g daemon o...  6 seconds ago       Up 6 seconds ago       0.0.0.0:80->80/tcp  nginx

//the NAT table now contains a DNAT for the published port. Note that -p 80:80 publishes on every host address (destination 0.0.0.0/0 in the DNAT rule) and the DNAT happens in PREROUTING, before the host's INPUT chain, so INPUT filter rules do not protect a published port; use -p 127.0.0.1:80:80 to publish only on loopback
[root@podman ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9   556 CNI-HOSTPORT-MASQ  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd requiring masquerade */
    0     0 CNI-b3d5ece77c897b52b8cbe349  all  --  *      *       192.168.88.5         0.0.0.0/0            /* name: "new" id: "5e710ea578b977524f86c7989ecb73a2039ef8d4340a41e5d059908c4ccf04c6" */
    0     0 CNI-ba66ce3bdc2ed059f5f7bead  all  --  *      *       192.168.88.6         0.0.0.0/0            /* name: "new" id: "6e43e51db98deee3f373f292e0615d81af0cc865eed17542d389fce7424710a9" */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain CNI-b3d5ece77c897b52b8cbe349 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.88.0/24      /* name: "new" id: "5e710ea578b977524f86c7989ecb73a2039ef8d4340a41e5d059908c4ccf04c6" */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "new" id: "5e710ea578b977524f86c7989ecb73a2039ef8d4340a41e5d059908c4ccf04c6" */

Chain CNI-ba66ce3bdc2ed059f5f7bead (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.88.0/24      /* name: "new" id: "6e43e51db98deee3f373f292e0615d81af0cc865eed17542d389fce7424710a9" */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "new" id: "6e43e51db98deee3f373f292e0615d81af0cc865eed17542d389fce7424710a9" */

Chain CNI-HOSTPORT-SETMARK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd masquerade mark */ MARK or 0x2000

Chain CNI-HOSTPORT-MASQ (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000/0x2000

Chain CNI-HOSTPORT-DNAT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-DN-ba66ce3bdc2ed059f5f7b  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "new" id: "6e43e51db98deee3f373f292e0615d81af0cc865eed17542d389fce7424710a9" */ multiport dports 80

Chain CNI-DN-ba66ce3bdc2ed059f5f7b (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       192.168.88.0/24      0.0.0.0/0            tcp dpt:80
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.88.6:80

//filter out the container's IP address
[root@podman ~]# podman inspect -l | grep -i address 
            "IPAddress": "192.168.88.6",
            "GlobalIPv6Address": "",
            "MacAddress": "76:90:58:31:5c:29",
            "LinkLocalIPv6Address": "",
                    "IPAddress": "192.168.88.6",
                    "GlobalIPv6Address": "",
                    "MacAddress": "76:90:58:31:5c:29",
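The rules above are worth auditing rather than eyeballing: a DNAT whose destination column reads 0.0.0.0/0 is reachable on every address the host has, and because the DNAT happens in PREROUTING the packet is forwarded into the container and never traverses the host's INPUT chain. The script below is an added example, not part of the original post. It parses the output format of `iptables -t nat -nvL` and lists each published port with the host destination it is bound to and the container endpoint it lands on. The sample is constructed from the DNAT line shown above plus one assumed line for a port published with -p 127.0.0.1:8443:443, which is how a published port is restricted to the loopback address.

```sh
#!/bin/sh
# Added example (not from the original post): audit which ports iptables
# DNATs into containers. Run live with:  iptables -t nat -nvL | published_ports

# Constructed sample of `iptables -t nat -nvL` output. The first DNAT line is
# the one produced above by `-p 80:80`; the second is assumed, as produced by
# `-p 127.0.0.1:8443:443` (destination restricted to 127.0.0.1).
SAMPLE_NAT='Chain CNI-DN-ba66ce3bdc2ed059f5f7b (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       192.168.88.0/24      0.0.0.0/0            tcp dpt:80
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.88.6:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:8443 to:192.168.88.7:443'

# Read `iptables -t nat -nvL` on stdin; print "PROTO PORT HOST_DEST TARGET"
# for every DNAT rule. In -nvL output the fields are:
#   1 pkts, 2 bytes, 3 target, 4 prot, 5 opt, 6 in, 7 out, 8 source,
#   9 destination, 10.. match options such as "dpt:80" and "to:ip:port".
published_ports() {
    awk '$3 == "DNAT" {
        port = ""; to = ""
        for (i = 10; i <= NF; i++) {
            if ($i ~ /^dpt:/) port = substr($i, 5)
            if ($i ~ /^to:/)  to   = substr($i, 4)
        }
        if (port != "" && to != "") print $4, port, $9, to
    }'
}

# Same input; print only the ports reachable on every host address.
# Returns 0 when at least one such port exists, 1 otherwise.
wide_open_ports() {
    published_ports | awk '$3 == "0.0.0.0/0" { print; found = 1 } END { exit !found }'
}

# Stand-alone demo on the constructed sample.
echo "published ports:"
printf '%s\n' "$SAMPLE_NAT" | published_ports
if open=$(printf '%s\n' "$SAMPLE_NAT" | wide_open_ports); then
    echo "reachable on all host addresses (consider -p 127.0.0.1:HOST:CTR):"
    echo "$open"
fi
```

Running the same pipeline against the live table after every deployment is a cheap way to catch a port that was meant for the host only but was published with a bare -p HOST:CTR.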

Flushing the firewall rules (for demonstration only: iptables -F and iptables -t nat -F drop every rule on the host, Podman's and anyone else's, and leave the now-empty CNI chains behind; with the rules gone, the published port and the containers' masquerading stop working until they are recreated)

[root@podman ~]# iptables -t nat -F 
[root@podman ~]# iptables --flush 
[root@podman ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-b3d5ece77c897b52b8cbe349 (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-ba66ce3bdc2ed059f5f7bead (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-HOSTPORT-SETMARK (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-HOSTPORT-MASQ (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-HOSTPORT-DNAT (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-DN-ba66ce3bdc2ed059f5f7b (0 references)
 pkts bytes target     prot opt in     out     source         


//recreate the rules for a container with podman network reload
[root@podman ~]# podman network reload nginx 
6e43e51db98deee3f373f292e0615d81af0cc865eed17542d389fce7424710a9
[root@podman ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 CNI-HOSTPORT-MASQ  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd requiring masquerade */
    0     0 CNI-ba66ce3bdc2ed059f5f7bead  all  --  *      *       192.168.88.6         0.0.0.0/0            /* name: "new" id: "6e43e51db98deee3f373f292e0615d81af0cc865eed17542d389fce7424710a9" */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain CNI-b3d5ece77c897b52b8cbe349 (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-HOSTPORT-SETMARK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd masquerade mark */ MARK or 0x2000

Chain CNI-HOSTPORT-MASQ (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000/0x2000

Chain CNI-HOSTPORT-DNAT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-DN-ba66ce3bdc2ed059f5f7b  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "new" id: "6e43e51db98deee3f373f292e0615d81af0cc865eed17542d389fce7424710a9" */ multiport dports 80

Chain CNI-ba66ce3bdc2ed059f5f7bead (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.88.0/24      /* name: "new" id: "6e43e51db98deee3f373f292e0615d81af0cc865eed17542d389fce7424710a9" */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "new" id: "6e43e51db98deee3f373f292e0615d81af0cc865eed17542d389fce7424710a9" */

Chain CNI-DN-ba66ce3bdc2ed059f5f7b (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       192.168.88.0/24      0.0.0.0/0            tcp dpt:80
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.88.6:80
