CentOS 8.x networking of podman containers
Networking of rootfull containers
Containers launched by the root user are called rootful containers. Each gets a dedicated IP address on a bridge connected to the base machine.
List current networks
To list the networks available to rootful containers use:
podman network ls
See details of existing networks
To see details of existing networks use:
podman network inspect <network-name>
For example
podman network inspect podman
The output includes details such as the gateway (the IP assigned to the base host), the subnet and the routes.
Create new network
We can create a new network using:
podman network create <network-name>
This prints the path of the configuration file that can be edited to change the network settings.
See IP address of container
To see the IP address of a rootful container use:
podman inspect <container-name-or-id> | grep -i ip
Access container ports on base host
To access container ports from the base host we can either use the container IP directly, or use a publish option to publish the container's ports on the host:
podman pull httpd
podman run -dt --name web1 --publish-all httpd
We can also use the short flag -P instead of --publish-all.
Then see the port mapping from current host to web1 container using:
podman port web1
Then you can use a web browser on the base host to open http://localhost:<port> and reach the HTTP service of the web1 container. The same service can also be reached on port 80 via the container's IP on the rootful network.
Communication between containers
Two rootful containers can communicate via their network IPs through the bridge, in the same way the base host communicates with a container.
Networking of rootless containers
Network limitations
Rootless containers do not get their own IP address, because creating network devices and assigning IPs requires root privileges.
Moreover, pinging from a rootless container does not work because it lacks the CAP_NET_RAW security capability that the ping command requires. If you want to ping from within a rootless container, you can allow users to send ICMP packets using this sysctl command:
sysctl -w "net.ipv4.ping_group_range=0 2000000"
This allows any process on the host whose group ID falls in that range to send ping packets, not only processes inside containers.
Communication between rootless containers and the host
For communication between rootless containers and the host, use a publish option such as --publish-all (-P):
podman pull httpd
podman pull centos
podman run -dt --name web1 -P httpd
podman port web1
#Access the server at the listed port via browser
Communication between two rootless containers
For communication between two rootless containers, publish the required ports to the host. Then use the published ports for connectivity:
podman run -it --name bash1 centos
#Access the other container's web server using http://<host-ip>:<host-port>
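Both the host-access and the container-to-container procedures above depend on reading the host port out of `podman port` output. The following shell script is an added example, not part of the original page: it parses that output (a constructed sample is embedded, since the format `80/tcp -> 0.0.0.0:<port>` is what `podman port` prints) and builds the URL to use; the container name web1 and the port 80/tcp are assumptions.

```shell
#!/bin/sh
# Added example: turn "podman port NAME" output into a usable URL.
# Constructed sample of what "podman port web1" prints after "-P":
SAMPLE_PORT_OUTPUT='80/tcp -> 0.0.0.0:41337
443/tcp -> 0.0.0.0:41338'

# host_port_for PORT/PROTO  (reads "podman port" output on stdin)
# Prints the host port mapped to PORT/PROTO; returns 1 if not published.
host_port_for() {
    want="$1"
    while IFS= read -r line; do
        case "$line" in
            "$want -> "*)
                # strip everything up to the last ':' -> host port
                echo "${line##*:}"
                return 0 ;;
        esac
    done
    return 1
}

# service_url PORT/PROTO [SCHEME]  (reads "podman port" output on stdin)
# Builds the URL the host (or another rootless container, with the host
# IP in place of localhost) can use to reach the published service.
service_url() {
    scheme="${2:-http}"
    port=$(host_port_for "$1") || return 1
    echo "$scheme://localhost:$port"
}

# Note the 0.0.0.0 bind address in the sample: -P publishes the port on
# every host interface, not only on localhost. To limit exposure, publish
# explicitly instead, e.g. "-p 127.0.0.1:8080:80".

# Live demo against a real container, only when explicitly requested and
# podman is installed (not run by default so the script works offline).
if [ "${RUN_DEMO:-0}" = 1 ] && command -v podman >/dev/null 2>&1; then
    podman run -dt --name web1 -P httpd >/dev/null
    url=$(podman port web1 | service_url 80/tcp)
    echo "web1 reachable at $url"
    curl -sI "$url" | head -n 1
else
    printf '%s\n' "$SAMPLE_PORT_OUTPUT" | service_url 80/tcp
fi
```

Run with `RUN_DEMO=1 sh script.sh` to exercise it against an actual web1 container; without it, the functions are exercised on the constructed sample only.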
Communication between two rootless containers in a pod
Two rootless containers in the same pod share a network namespace, so they can communicate via localhost, in the same way as rootful containers:
podman pod create --name pod1
podman run -dt --name pod1_web1 --pod pod1 httpd
podman run -it --name pod1_bash1 --pod pod1 centos
#Inside the pod1_bash1 container, access the web server with:
curl http://localhost
Refer: