
Goal

  • Set up a virtual network in which multiple containers are started
  • each container should be accessible by its IP from the host network
  • the containers run rootless (the test network is intended to run from a CI runner)
  • it is acceptable to run a specific iptables command with sudo that allows the necessary forwards to the virtual network

The reason I'm avoiding using published ports is that I want the virtual network to resemble "reality" in which a larger number of services will be running on separate hardware, and the fact that they'll be using different IPs matters to the coordination service.

My approach

$ podman network create --subnet 10.10.10.0/24 virtnet1
$ ( export DBUS_SESSION_BUS_ADDRESS=; podman run --rm -d --name nmt --network virtnet1 praqma/network-multitool )

(The DBUS hack is a workaround for this issue)

If I now look at iptables -L I see the chains CNI-FORWARD, and I was naively assuming that a simple

sudo iptables -A CNI-FORWARD -d 10.10.10.0/24 -j ACCEPT

would be enough to access the containers from the host network. But they still appear strictly separated and inaccessible. (The FORWARD chain has ACCEPT policy by default, so no problem there.)

Is it fundamentally impossible (I haven't found any examples of this), or am I just doing something wrong?

Might the CNI-* chains be related to any previous rootful containers, since logically rootless wouldn't be able to affect anything iptables-related anyway?

ppenguin
  • Did you find a solution for this? I have a similar problem. – Neha Dalal Jul 29 '21 at 12:24
  • @NehaDalal no, I'm still getting by with one IP and a large number of different ports, which are automatically defined in an ansible script that instantiates the services. The IP is just the one of the host running the containers, and the containers expose the (generated) port numbers. – ppenguin Aug 15 '21 at 20:28
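A check for the situation described in the question, added here as an example that is not part of the question or its comments: a host-side iptables forwarding rule only matters once the host's own network namespace has a route into the container subnet, so this script tests both conditions by parsing `ip route` and `iptables -S` output. The sample outputs are constructed (one for a network whose bridge is visible on the host, one for a host that sees no interface for the subnet at all), and the interface name cni-podman1 is an assumption; on a live host the two live command outputs would be passed in instead.

```shell
#!/bin/sh
# Added example (not from the question): decide whether the host can reach a
# container subnet. Two things must hold in the host's own network namespace:
#   1. a route to the subnet via a host-visible interface (ip route),
#   2. an ACCEPT rule for the subnet in FORWARD or CNI-FORWARD (iptables -S).
# All sample outputs below are constructed; cni-podman1 is an assumed name.

SUBNET="10.10.10.0/24"

# Constructed `ip route` output where the CNI bridge is a host interface.
ROUTES_BRIDGE_ON_HOST="default via 192.168.1.1 dev eth0
10.10.10.0/24 dev cni-podman1 proto kernel scope link src 10.10.10.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50"

# Constructed `ip route` output where no host interface carries the subnet.
ROUTES_NO_BRIDGE="default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50"

# Constructed `iptables -S` output after the rule from the question was added.
RULES="-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N CNI-FORWARD
-A FORWARD -m comment --comment \"CNI firewall plugin rules\" -j CNI-FORWARD
-A CNI-FORWARD -d 10.10.10.0/24 -j ACCEPT"

# has_host_route ROUTES SUBNET -> exit 0 if SUBNET is routed via a local interface
has_host_route() {
    printf '%s\n' "$1" | grep -q "^$2 dev "
}

# route_iface ROUTES SUBNET -> prints the interface carrying the route, if any
route_iface() {
    printf '%s\n' "$1" | awk -v s="$2" '$1 == s && $2 == "dev" { print $3; exit }'
}

# forward_allowed RULES SUBNET -> exit 0 if an ACCEPT rule for SUBNET exists
# in FORWARD or CNI-FORWARD
forward_allowed() {
    printf '%s\n' "$1" | grep -Eq "^-A (FORWARD|CNI-FORWARD) .*-d $2 .*-j ACCEPT"
}

# reachability_verdict ROUTES RULES SUBNET -> prints one word:
#   reachable | no-route | no-forward
reachability_verdict() {
    if ! has_host_route "$1" "$3"; then
        echo "no-route"
    elif ! forward_allowed "$2" "$3"; then
        echo "no-forward"
    else
        echo "reachable"
    fi
}

echo "bridge on host: $(reachability_verdict "$ROUTES_BRIDGE_ON_HOST" "$RULES" "$SUBNET") via $(route_iface "$ROUTES_BRIDGE_ON_HOST" "$SUBNET")"
echo "no bridge:      $(reachability_verdict "$ROUTES_NO_BRIDGE" "$RULES" "$SUBNET")"
# Live use: reachability_verdict "$(ip route)" "$(sudo iptables -S)" "$SUBNET"
```

The "no-route" verdict is the one to look for first: when the host has no interface for the subnet, no amount of iptables rules on the host will forward traffic into it, and the CNI-FORWARD chain that is visible there belongs to whatever did create a host-side bridge.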

0 Answers