diff options
| author | Paul Holzinger <pholzing@redhat.com> | 2021-07-30 14:33:08 +0200 |
|---|---|---|
| committer | Paul Holzinger <pholzing@redhat.com> | 2021-08-03 16:29:09 +0200 |
| commit | e88d8dbeae2aebd2d816f16a21891764163afcd4 (patch) | |
| tree | ee84759a07070d7255adc789434f228babf39ecc /docs | |
| parent | d25f8d07b3bbc11be1caa0838a031f0e5dc223a8 (diff) | |
| download | podman-e88d8dbeae2aebd2d816f16a21891764163afcd4.tar.gz podman-e88d8dbeae2aebd2d816f16a21891764163afcd4.tar.bz2 podman-e88d8dbeae2aebd2d816f16a21891764163afcd4.zip | |
fix rootless port forwarding with network dis-/connect
The rootlessport forwarder requires a child IP to be set. This must be a
valid ip in the container network namespace. The problem is that after a
network disconnect and connect the eth0 ip changed. Therefore the
packages are dropped since the source ip does no longer exists in the
netns.
One solution is to set the child IP to 127.0.0.1, however this is a
security problem. [1]
To fix this we have to recreate the ports after network connect and
disconnect. To make this work the rootlessport process exposes a socket
where podman network connect/disconnect connect to and send to new child
IP to rootlessport. The rootlessport process will remove all ports and
recreate them with the new correct child IP.
Also bump rootlesskit to v0.14.3 to fix a race with RemovePort().
Fixes #10052
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/source/markdown/podman-network-connect.1.md | 2 | ||||
| -rw-r--r-- | docs/source/markdown/podman-network-disconnect.1.md | 5 | ||||
| -rw-r--r-- | docs/source/markdown/podman-network-reload.1.md | 2 |
3 files changed, 3 insertions, 6 deletions
diff --git a/docs/source/markdown/podman-network-connect.1.md b/docs/source/markdown/podman-network-connect.1.md index cff4336d6..47a54bd33 100644 --- a/docs/source/markdown/podman-network-connect.1.md +++ b/docs/source/markdown/podman-network-connect.1.md @@ -10,8 +10,6 @@ podman\-network\-connect - Connect a container to a network Connects a container to a network. A container can be connected to a network by name or by ID. Once connected, the container can communicate with other containers in the same network. -This command is not available for rootless users. - ## OPTIONS #### **--alias** Add network-scoped alias for the container. If the network is using the `dnsname` CNI plugin, these aliases diff --git a/docs/source/markdown/podman-network-disconnect.1.md b/docs/source/markdown/podman-network-disconnect.1.md index 8b7125282..a13aa6088 100644 --- a/docs/source/markdown/podman-network-disconnect.1.md +++ b/docs/source/markdown/podman-network-disconnect.1.md @@ -7,9 +7,10 @@ podman\-network\-disconnect - Disconnect a container from a network **podman network disconnect** [*options*] network container ## DESCRIPTION -Disconnects a container from a network. +Disconnects a container from a network. A container can be disconnected from a network by name or by ID. +If all networks are disconnected from the container, it will behave like a container created with `--network=none` +and it will longer have network connectivity until a network is connected again. -This command is not available for rootless users. ## OPTIONS #### **--force**, **-f** diff --git a/docs/source/markdown/podman-network-reload.1.md b/docs/source/markdown/podman-network-reload.1.md index 1d9f34f2e..593265df6 100644 --- a/docs/source/markdown/podman-network-reload.1.md +++ b/docs/source/markdown/podman-network-reload.1.md @@ -13,8 +13,6 @@ Rootfull Podman relies on iptables rules in order to provide network connectivit this happens for example with `firewall-cmd --reload`, the container loses network connectivity. This command restores the network connectivity. -This command is not available for rootless users since rootless containers are not affected by such connectivity problems. - ## OPTIONS #### **--all**, **-a** |