diff options
author | Paul Holzinger <pholzing@redhat.com> | 2021-12-10 15:22:09 +0100 |
---|---|---|
committer | Paul Holzinger <pholzing@redhat.com> | 2021-12-14 15:23:39 +0100 |
commit | 535818414c2a6bdcf6434e36c33775ea1a43f1cf (patch) | |
tree | bc7130eb922b7d2918527f13c3155506af4444f1 /docs/source | |
parent | d072167fe2f75db9648bf1be4181b42e9b7db9a4 (diff) | |
download | podman-535818414c2a6bdcf6434e36c33775ea1a43f1cf.tar.gz podman-535818414c2a6bdcf6434e36c33775ea1a43f1cf.tar.bz2 podman-535818414c2a6bdcf6434e36c33775ea1a43f1cf.zip |
support advanced network configuration via cli
Rework the --network parse logic to support multiple networks with
specific network configuration settings.
--network can now be set multiple times. For bridge network mode the
following options have been added:
- **alias=name**: Add network-scoped alias for the container.
- **ip=IPv4**: Specify a static ipv4 address for this container.
- **ip=IPv6**: Specify a static ipv6 address for this container.
- **mac=MAC**: Specify a static mac address address for this container.
- **interface_name**: Specify a name for the created network interface inside the container.
So now you can set --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99
for the default bridge network as well as for network names.
This is better than using --ip because we can set the ip per network
without any confusion which network the ip address should be assigned
to.
The --ip, --mac-address and --network-alias options are still supported
but --ip or --mac-address can only be set when only one network is set.
This limitation already existed previously.
The ability to specify a custom network interface name is new
Fixes #11534
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Diffstat (limited to 'docs/source')
-rw-r--r-- | docs/source/markdown/podman-create.1.md | 38 | ||||
-rw-r--r-- | docs/source/markdown/podman-pod-create.1.md | 48 | ||||
-rw-r--r-- | docs/source/markdown/podman-run.1.md | 37 |
3 files changed, 98 insertions, 25 deletions
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index b58fd1e18..c8f1ec3a5 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -476,9 +476,12 @@ Not implemented #### **--ip**=*ip* Specify a static IP address for the container, for example **10.88.64.128**. -This option can only be used if the container is joined to only a single network - i.e., `--network=_network-name_` is used at most once - -and if the container is not joining another container's network namespace via `--network=container:_id_`. -The address must be within the CNI network's IP address pool (default **10.88.0.0/16**). +This option can only be used if the container is joined to only a single network - i.e., **--network=network-name** is used at most once - +and if the container is not joining another container's network namespace via **--network=container:_id_**. +The address must be within the network's IP address pool (default **10.88.0.0/16**). + +To specify multiple static IP addresses per container, set multiple networks using the **--network** option with a static IP address specified for each using the `ip` mode for that option. + #### **--ipc**=*ipc* @@ -531,12 +534,16 @@ This option is currently supported only by the **journald** log driver. #### **--mac-address**=*address* -Container MAC address (e.g. 92:d0:c6:0a:29:33) +Container network interface MAC address (e.g. 92:d0:c6:0a:29:33) +This option can only be used if the container is joined to only a single network - i.e., **--network=_network-name_** is used at most once - +and if the container is not joining another container's network namespace via **--network=container:_id_**. Remember that the MAC address in an Ethernet network must be unique. The IPv6 link-local address will be based on the device's MAC address according to RFC4862. +To specify multiple static MAC addresses per container, set multiple networks using the **--network** option with a static MAC address specified for each using the `mac` mode for that option. + #### **--memory**, **-m**=*limit* Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) @@ -668,15 +675,22 @@ This works for both background and foreground containers. #### **--network**=*mode*, **--net** -Set the network mode for the container. Invalid if using **--dns**, **--dns-opt**, or **--dns-search** with **--network** that is set to **none** or **container:**_id_. If used together with **--pod**, the container will not join the pod's network namespace. +Set the network mode for the container. Invalid if using **--dns**, **--dns-opt**, or **--dns-search** with **--network** set to **none** or **container:**_id_. If used together with **--pod**, the container will not join the pod's network namespace. Valid _mode_ values are: -- **bridge**: Create a network stack on the default bridge. This is the default for rootfull containers. +- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootfull containers. It is possible to specify these additional options: + - **alias=name**: Add network-scoped alias for the container. + - **ip=IPv4**: Specify a static ipv4 address for this container. + - **ip=IPv6**: Specify a static ipv6 address for this container. + - **mac=MAC**: Specify a static mac address address for this container. + - **interface_name**: Specify a name for the created network interface inside the container. + + For example to set a static ipv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`. +- \<network name or ID\>[:OPTIONS,...]: Connect to a user-defined network; this is the network name or ID from a network created by **[podman network create](podman-network-create.1.md)**. Using the network name implies the bridge network mode. It is possible to specify the same options described under the bridge mode above. You can use the **--network** option multiple times to specify additional networks. - **none**: Create a network namespace for the container but do not configure network interfaces for it, thus the container has no network connectivity. - **container:**_id_: Reuse another container's network stack. - **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. -- **network**: Connect to a user-defined network, multiple networks should be comma-separated. - **ns:**_path_: Path to a network namespace to join. - **private**: Create a new namespace for the container. This will use the **bridge** mode for rootfull containers and **slirp4netns** for rootless ones. - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options: @@ -694,7 +708,9 @@ Valid _mode_ values are: #### **--network-alias**=*alias* -Add network-scoped alias for the container. NOTE: A container will only have access to aliases on the first network that it joins. This is a limitation that will be removed in a later release. +Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a name only for a specific network, use the alias option as described under the **--network** option. +Network aliases work only with the bridge networking mode. This option can be specified multiple times. +NOTE: A container will only have access to aliases on the first network that it joins. This is a limitation that will be removed in a later release. #### **--no-healthcheck** @@ -1492,6 +1508,12 @@ $ podman create --name container1 --personaity=LINUX32 fedora bash $ podman create --name container1 --rootfs /path/to/rootfs:O bash ``` +### Create a container connected to two networks (called net1 and net2) with a static ip + +``` +$ podman create --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10 alpine ip addr +``` + ### Rootless Containers Podman runs as a non root user on most systems. This feature requires that a new enough version of shadow-utils diff --git a/docs/source/markdown/podman-pod-create.1.md b/docs/source/markdown/podman-pod-create.1.md index cca90c942..b1b029429 100644 --- a/docs/source/markdown/podman-pod-create.1.md +++ b/docs/source/markdown/podman-pod-create.1.md @@ -118,9 +118,14 @@ The custom image that will be used for the infra container. Unless specified, P The name that will be used for the pod's infra container. -#### **--ip**=*ipaddr* +#### **--ip**=*ip* -Set a static IP for the pod's shared network. +Specify a static IP address for the pod, for example **10.88.64.128**. +This option can only be used if the pod is joined to only a single network - i.e., **--network=network-name** is used at most once - +and if the pod is not joining another container's network namespace via **--network=container:_id_**. +The address must be within the network's IP address pool (default **10.88.0.0/16**). + +To specify multiple static IP addresses per pod, set multiple networks using the **--network** option with a static IP address specified for each using the `ip` mode for that option. #### **--label**=*label*, **-l** @@ -132,7 +137,16 @@ Read in a line delimited file of labels. #### **--mac-address**=*address* -Set a static MAC address for the pod's shared network. +Pod network interface MAC address (e.g. 92:d0:c6:0a:29:33) +This option can only be used if the pod is joined to only a single network - i.e., **--network=_network-name_** is used at most once - +and if the pod is not joining another container's network namespace via **--network=container:_id_**. + +Remember that the MAC address in an Ethernet network must be unique. +The IPv6 link-local address will be based on the device's MAC address +according to RFC4862. + +To specify multiple static MAC addresses per pod, set multiple networks using the **--network** option with a static MAC address specified for each using the `mac` mode for that option. + #### **--name**=*name*, **-n** @@ -140,11 +154,23 @@ Assign a name to the pod. #### **--network**=*mode*, **--net** -Set network mode for the pod. Supported values are: -- **bridge**: Create a network stack on the default bridge. This is the default for rootfull containers. +Set the network mode for the pod. Invalid if using **--dns**, **--dns-opt**, or **--dns-search** with **--network** that is set to **none** or **container:**_id_. + +Valid _mode_ values are: + +- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootfull containers. It is possible to specify these additional options: + - **alias=name**: Add network-scoped alias for the container. + - **ip=IPv4**: Specify a static ipv4 address for this container. + - **ip=IPv6**: Specify a static ipv6 address for this container. + - **mac=MAC**: Specify a static mac address address for this container. + - **interface_name**: Specify a name for the created network interface inside the container. + + For example to set a static ipv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`. +- \<network name or ID\>[:OPTIONS,...]: Connect to a user-defined network; this is the network name or ID from a network created by **[podman network create](podman-network-create.1.md)**. Using the network name implies the bridge network mode. It is possible to specify the same options described under the bridge mode above. You can use the **--network** option multiple times to specify additional networks. - **none**: Create a network namespace for the container but do not configure network interfaces for it, thus the container has no network connectivity. -- **host**: Do not create a network namespace, all containers in the pod will use the host's network. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. -- **network**: Connect to a user-defined network, multiple networks should be comma-separated. +- **container:**_id_: Reuse another container's network stack. +- **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. +- **ns:**_path_: Path to a network namespace to join. - **private**: Create a new namespace for the container. This will use the **bridge** mode for rootfull containers and **slirp4netns** for rootless ones. - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options: - **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`, which is added to `/etc/hosts` as `host.containers.internal` for your convenience). Default is false. @@ -159,9 +185,11 @@ Set network mode for the pod. Supported values are: Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container network namespace, usually `10.0.2.100`. If your application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks. - **port_handler=slirp4netns**: Use the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks. -#### **--network-alias**=strings +#### **--network-alias**=*alias* -Add a DNS alias for the pod. When the pod is joined to a CNI network with support for the dnsname plugin, the containers inside the pod will be accessible through this name from other containers in the network. +Add a network-scoped alias for the pod, setting the alias for all networks that the pod joins. To set a name only for a specific network, use the alias option as described under the **--network** option. +Network aliases work only with the bridge networking mode. This option can be specified multiple times. +NOTE: A container will only have access to aliases on the first network that it joins. This is a limitation that will be removed in a later release. #### **--no-hosts** @@ -429,6 +457,8 @@ $ podman pod create --publish 8443:443 $ podman pod create --network slirp4netns:outbound_addr=127.0.0.1,allow_host_loopback=true $ podman pod create --network slirp4netns:cidr=192.168.0.0/24 + +$ podman pod create --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10 ``` ## SEE ALSO diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 0d9e6dbcd..a6687e656 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -499,9 +499,11 @@ Not implemented. #### **--ip**=*ip* Specify a static IP address for the container, for example **10.88.64.128**. -This option can only be used if the container is joined to only a single network - i.e., `--network=_network-name_` is used at most once -and if the container is not joining another container's network namespace via `--network=container:_id_`. -The address must be within the CNI network's IP address pool (default **10.88.0.0/16**). +This option can only be used if the container is joined to only a single network - i.e., **--network=network-name** is used at most once - +and if the container is not joining another container's network namespace via **--network=container:_id_**. +The address must be within the network's IP address pool (default **10.88.0.0/16**). + +To specify multiple static IP addresses per container, set multiple networks using the **--network** option with a static IP address specified for each using the `ip` mode for that option. #### **--ipc**=*mode* @@ -557,12 +559,16 @@ This option is currently supported only by the **journald** log driver. #### **--mac-address**=*address* -Container MAC address (e.g. **92:d0:c6:0a:29:33**). +Container network interface MAC address (e.g. 92:d0:c6:0a:29:33) +This option can only be used if the container is joined to only a single network - i.e., **--network=_network-name_** is used at most once - +and if the container is not joining another container's network namespace via **--network=container:_id_**. Remember that the MAC address in an Ethernet network must be unique. The IPv6 link-local address will be based on the device's MAC address according to RFC4862. +To specify multiple static MAC addresses per container, set multiple networks using the **--network** option with a static MAC address specified for each using the `mac` mode for that option. + #### **--memory**, **-m**=_number_[_unit_] Memory limit. A _unit_ can be **b** (bytes), **k** (kilobytes), **m** (megabytes), or **g** (gigabytes). @@ -696,15 +702,22 @@ This works for both background and foreground containers. #### **--network**=*mode*, **--net** -Set the network mode for the container. Invalid if using **--dns**, **--dns-opt**, or **--dns-search** with **--network** that is set to **none** or **container:**_id_. If used together with **--pod**, the container will not join the pods network namespace. +Set the network mode for the container. Invalid if using **--dns**, **--dns-opt**, or **--dns-search** with **--network** set to **none** or **container:**_id_. If used together with **--pod**, the container will not join the pod's network namespace. Valid _mode_ values are: -- **bridge**: Create a network stack on the default bridge. This is the default for rootfull containers. +- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootfull containers. It is possible to specify these additional options: + - **alias=name**: Add network-scoped alias for the container. + - **ip=IPv4**: Specify a static ipv4 address for this container. + - **ip=IPv6**: Specify a static ipv6 address for this container. + - **mac=MAC**: Specify a static mac address address for this container. + - **interface_name**: Specify a name for the created network interface inside the container. + + For example to set a static ipv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`. +- \<network name or ID\>[:OPTIONS,...]: Connect to a user-defined network; this is the network name or ID from a network created by **[podman network create](podman-network-create.1.md)**. Using the network name implies the bridge network mode. It is possible to specify the same options described under the bridge mode above. You can use the **--network** option multiple times to specify additional networks. - **none**: Create a network namespace for the container but do not configure network interfaces for it, thus the container has no network connectivity. - **container:**_id_: Reuse another container's network stack. - **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. -- **network**: Connect to a user-defined network, multiple networks should be comma-separated. - **ns:**_path_: Path to a network namespace to join. - **private**: Create a new namespace for the container. This will use the **bridge** mode for rootfull containers and **slirp4netns** for rootless ones. - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options: @@ -722,7 +735,9 @@ Valid _mode_ values are: #### **--network-alias**=*alias* -Add network-scoped alias for the container. NOTE: A container will only have access to aliases on the first network that it joins. This is a limitation that will be removed in a later release. +Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a name only for a specific network, use the alias option as described under the **--network** option. +Network aliases work only with the bridge networking mode. This option can be specified multiple times. +NOTE: A container will only have access to aliases on the first network that it joins. This is a limitation that will be removed in a later release. #### **--no-healthcheck** @@ -1867,6 +1882,12 @@ Forcing UTC: Fri Nov 19 23:10:55 UTC 2021 ``` +### Run a container connected to two networks (called net1 and net2) with a static ip + +``` +$ podman run --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10 alpine ip addr +``` + ### Rootless Containers Podman runs as a non root user on most systems. This feature requires that a new enough version of **shadow-utils** |