-rw-r--r-- | docs/source/markdown/podman-network-connect.1.md | 2 | ||||
-rw-r--r-- | docs/source/markdown/podman-network-disconnect.1.md | 2 | ||||
-rw-r--r-- | docs/source/markdown/podman-network-inspect.1.md | 2 | ||||
-rw-r--r-- | docs/source/markdown/podman-network-ls.1.md | 2 | ||||
-rw-r--r-- | docs/source/markdown/podman-network.1.md | 2 | ||||
-rwxr-xr-x | hack/podman-socat | 122 | ||||
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 2 | ||||
-rw-r--r-- | pkg/specgen/namespaces.go | 16 | ||||
-rw-r--r-- | test/e2e/run_networking_test.go | 23 |
9 files changed, 159 insertions, 14 deletions
diff --git a/docs/source/markdown/podman-network-connect.1.md b/docs/source/markdown/podman-network-connect.1.md
index 58b6e5c44..a31a415dc 100644
--- a/docs/source/markdown/podman-network-connect.1.md
+++ b/docs/source/markdown/podman-network-connect.1.md
@@ -10,6 +10,8 @@ podman\-network\-connect - Connect a container to a network
 Connects a container to a network. A container can be connected to a network by name or by ID. Once connected, the container can communicate with other containers in the same network.
+This command is not available for rootless users.
+
 ## OPTIONS
 #### **--alias**
 Add network-scoped alias for the container. If the network is using the `dnsname` CNI plugin, these aliases
diff --git a/docs/source/markdown/podman-network-disconnect.1.md b/docs/source/markdown/podman-network-disconnect.1.md
index 95c7018a8..8b7125282 100644
--- a/docs/source/markdown/podman-network-disconnect.1.md
+++ b/docs/source/markdown/podman-network-disconnect.1.md
@@ -9,6 +9,8 @@ podman\-network\-disconnect - Disconnect a container from a network
 ## DESCRIPTION
 Disconnects a container from a network.
+This command is not available for rootless users.
+
 ## OPTIONS
 #### **--force**, **-f**
diff --git a/docs/source/markdown/podman-network-inspect.1.md b/docs/source/markdown/podman-network-inspect.1.md
index 47d647b3f..56515d0c1 100644
--- a/docs/source/markdown/podman-network-inspect.1.md
+++ b/docs/source/markdown/podman-network-inspect.1.md
@@ -7,7 +7,7 @@ podman\-network\-inspect - Displays the raw CNI network configuration for one or
 **podman network inspect** [*options*] [*network* ...]
 ## DESCRIPTION
-Display the raw (JSON format) network configuration. This command is not available for rootless users.
+Display the raw (JSON format) network configuration.
 ## OPTIONS
 #### **--format**, **-f**
diff --git a/docs/source/markdown/podman-network-ls.1.md b/docs/source/markdown/podman-network-ls.1.md
index a964c97e8..9d2dd52a8 100644
--- a/docs/source/markdown/podman-network-ls.1.md
+++ b/docs/source/markdown/podman-network-ls.1.md
@@ -7,7 +7,7 @@ podman\-network\-ls - Display a summary of CNI networks
 **podman network ls** [*options*]
 ## DESCRIPTION
-Displays a list of existing podman networks. This command is not available for rootless users.
+Displays a list of existing podman networks.
 ## OPTIONS
 #### **--filter**, **-f**
diff --git a/docs/source/markdown/podman-network.1.md b/docs/source/markdown/podman-network.1.md
index d21b200d9..bc161659a 100644
--- a/docs/source/markdown/podman-network.1.md
+++ b/docs/source/markdown/podman-network.1.md
@@ -7,7 +7,7 @@ podman\-network - Manage Podman CNI networks
 **podman network** *subcommand*
 ## DESCRIPTION
-The network command manages CNI networks for Podman. It is not supported for rootless users.
+The network command manages CNI networks for Podman.
 ## COMMANDS
diff --git a/hack/podman-socat b/hack/podman-socat
new file mode 100755
index 000000000..7bc571816
--- /dev/null
+++ b/hack/podman-socat
@@ -0,0 +1,122 @@
+#!/bin/bash -e
+# Execute podman while capturing the API stream
+#
+# Script will run an instance of podman sand-boxed, the API stream will be captured and then formatted for readability.
+
+if [[ $(id -u) != 0 ]]; then
+ echo >&2 "$0 must be run as root."
+ exit 2
+fi
+
+if ! command -v socat >/dev/null 2>&1; then
+ echo 1>&2 "socat not found on PATH"
+fi
+
+PODMAN=${PODMAN:-podman}
+if ! command -v "$PODMAN" >/dev/null 2>&1; then
+ echo 1>&2 "$PODMAN not found on PATH"
+fi
+
+function usage() {
+ echo 1>&2 $0 '[-v] [-h]'
+}
+
+while getopts "vh" arg; do
+ case $arg in
+ v)
+ VERBOSE='-v'
+ export PODMAN_LOG_LEVEL=debug
+ ;;
+ h)
+ usage
+ exit 0
+ ;;
+ \?)
+ usage
+ exit 2
+ ;;
+ esac
+done
+shift $((OPTIND - 1))
+
+function cleanup() {
+ set +xeuo pipefail
+ rm -r "$1"
+ kill -9 $REAP_PIDS
+
+ sed -e 's/^> /\nClient Request> /' -e 's/^< /\nServer Response< /' -i /tmp/podman-socat.log
+}
+
+# Create temporary directory for storage
+export TMPDIR=$(mktemp -d /tmp/podman.XXXXXXXXXX)
+trap "cleanup $TMPDIR" EXIT
+
+# Need locations to store stuff
+mkdir -p "${TMPDIR}"/{podman,crio,crio-run,cni/net.d,ctnr,tunnel}
+
+export REGISTRIES_CONFIG_PATH=${TMPDIR}/registry.conf
+cat >"$REGISTRIES_CONFIG_PATH" <<-EOT
+ [registries.search]
+ registries = ['docker.io']
+ [registries.insecure]
+ registries = []
+ [registries.block]
+ registries = []
+EOT
+
+export CNI_CONFIG_PATH=${TMPDIR}/cni/net.d
+cat >"$CNI_CONFIG_PATH"/87-podman-bridge.conflist <<-EOT
+{
+ "cniVersion": "0.3.0",
+ "name": "podman",
+ "plugins": [{
+ "type": "bridge",
+ "bridge": "cni0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "10.88.0.0/16",
+ "routes": [{
+ "dst": "0.0.0.0/0"
+ }]
+ }
+ },
+ {
+ "type": "portmap",
+ "capabilities": {
+ "portMappings": true
+ }
+ }
+ ]
+}
+EOT
+
+PODMAN_ARGS="--storage-driver=vfs \
+ --root=${TMPDIR}/crio \
+ --runroot=${TMPDIR}/crio-run \
+ --cni-config-dir=$CNI_CONFIG_PATH \
+ --cgroup-manager=systemd \
+ "
+if [[ -n $VERBOSE ]]; then
+ PODMAN_ARGS="$PODMAN_ARGS --log-level=$PODMAN_LOG_LEVEL --syslog=true"
+fi
+PODMAN="$PODMAN $PODMAN_ARGS"
+
+PODMAN_HOST="${TMPDIR}/podman/podman-socat.sock"
+SOCAT_HOST="${TMPDIR}/podman/podman.sock"
+
+cat <<-EOT
+Podman service running at unix:$SOCAT_HOST
+See /tmp/podman-socat.log for API stream capture
+See /tmp/podman-service.log for service logging
+
+usage: sudo bin/podman-remote --url unix:$SOCAT_HOST images
+
+^C to exit
+EOT
+
+$PODMAN system service --timeout=0 "unix:$PODMAN_HOST" >/tmp/podman-service.log 2>&1 &
+REAP_PIDS=$!
+
+socat -v "UNIX-LISTEN:$SOCAT_HOST",fork,reuseaddr,unlink-early "UNIX-CONNECT:$PODMAN_HOST" >/tmp/podman-socat.log 2>&1
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index ddc73ca61..036c7b7a1 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -233,6 +233,8 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 val = fmt.Sprintf("slirp4netns:%s", s.NetNS.Value)
 }
 toReturn = append(toReturn, libpod.WithNetNS(portMappings, postConfigureNetNS, val, nil))
+ case specgen.Private:
+ fallthrough
 case specgen.Bridge:
 portMappings, err := createPortMappings(ctx, s, img)
 if err != nil {
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index d15745fa0..9d78a0210 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
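Review bot: The two `command -v` checks near the top of hack/podman-socat only print "socat not found on PATH" / "$PODMAN not found on PATH" and fall through, so a missing binary is reported but the script still builds the temp tree and only fails later at the `socat` / `$PODMAN system service` lines with a less useful error; add `exit 1` after each of those echos. The script insists on running as root yet writes, and in `cleanup` runs `sed -i` on, the fixed names `/tmp/podman-socat.log` and `/tmp/podman-service.log` in the shared /tmp, so whatever already sits at those paths is followed and overwritten with root privileges; creating the log files with `mktemp` and threading the resulting paths through the banner and `cleanup` removes the predictable-path risk. `kill -9 $REAP_PIDS` in `cleanup` also gives the service no chance to shut down cleanly (remove its socket, flush its log); plain `kill` followed by a short wait is enough here.
```bash
# … unchanged: root check, option parsing …
SOCAT_LOG=$(mktemp /tmp/podman-socat.log.XXXXXX)
SERVICE_LOG=$(mktemp /tmp/podman-service.log.XXXXXX)

function cleanup() {
    # … unchanged: set +xeuo pipefail, rm -r "$1" …
    kill $REAP_PIDS
    wait $REAP_PIDS 2>/dev/null

    sed -e 's/^> /\nClient Request> /' -e 's/^< /\nServer Response< /' -i "$SOCAT_LOG"
}
# … unchanged: temp dir, registry/CNI config, PODMAN_ARGS; banner prints $SOCAT_LOG and $SERVICE_LOG instead of the fixed /tmp names …
$PODMAN system service --timeout=0 "unix:$PODMAN_HOST" >"$SERVICE_LOG" 2>&1 &
REAP_PIDS=$!

socat -v "UNIX-LISTEN:$SOCAT_HOST",fork,reuseaddr,unlink-early "UNIX-CONNECT:$PODMAN_HOST" >"$SOCAT_LOG" 2>&1
```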
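Review bot: `case specgen.Private:` now falls through to the Bridge branch unconditionally, while the parser change in pkg/specgen/namespaces.go in the same commit resolves the string "private" to Slirp when rootless and Bridge otherwise, and no longer produces NSMode Private at all; a SpecGenerator that arrives here with NSMode already set to Private (built directly rather than through ParseNetworkNamespace, if that path exists) would therefore get bridge networking even rootless, unlike the equivalent string request. Either mirror the rootless decision in this arm or document the assumption with a comment such as `// Private is normalized to Bridge/Slirp by ParseNetworkNamespace; a raw Private here is treated as Bridge`. namespaceOptions starts and ends outside the hunk.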
@@ -258,24 +258,22 @@ func ParseNetworkNamespace(ns string) (Namespace, []string, error) {
 var cniNetworks []string
 // Net defaults to Slirp on rootless
 switch {
- case ns == "slirp4netns", strings.HasPrefix(ns, "slirp4netns:"):
+ case ns == string(Slirp), strings.HasPrefix(ns, string(Slirp)+":"):
 toReturn.NSMode = Slirp
- case ns == "pod":
+ case ns == string(FromPod):
 toReturn.NSMode = FromPod
- case ns == "":
+ case ns == "" || ns == string(Default) || ns == string(Private):
 if rootless.IsRootless() {
 toReturn.NSMode = Slirp
 } else {
 toReturn.NSMode = Bridge
 }
- case ns == "bridge":
+ case ns == string(Bridge):
 toReturn.NSMode = Bridge
- case ns == "none":
+ case ns == string(NoNetwork):
 toReturn.NSMode = NoNetwork
- case ns == "host":
+ case ns == string(Host):
 toReturn.NSMode = Host
- case ns == "private":
- toReturn.NSMode = Private
 case strings.HasPrefix(ns, "ns:"):
 split := strings.SplitN(ns, ":", 2)
 if len(split) != 2 {
@@ -283,7 +281,7 @@ func ParseNetworkNamespace(ns string) (Namespace, []string, error) {
 }
 toReturn.NSMode = Path
 toReturn.Value = split[1]
- case strings.HasPrefix(ns, "container:"):
+ case strings.HasPrefix(ns, string(FromContainer)+":"):
 split := strings.SplitN(ns, ":", 2)
 if len(split) != 2 {
 return toReturn, nil, errors.Errorf("must provide name or ID or a container when specifying container:")
diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go
index 3e80e953e..3fb00a28b 100644
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
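Review bot: The merged arm `case ns == "" || ns == string(Default) || ns == string(Private):` silently turns "private" into an alias of the default, and the only comment nearby (`// Net defaults to Slirp on rootless`) predates that and reads as if it covers the empty string alone; a comment on the arm such as `// "", "default" and "private" all select the platform default: slirp4netns when rootless, bridge otherwise` would record the intent, and the removal of the `ns == "private"` arm also deserves a line noting that NSMode Private is no longer produced by this parser. The new comparisons rely on the string values of the Namespace constants (`string(Slirp)`, `string(FromContainer)`, …) matching the former literals "slirp4netns", "container", etc.; that is presumably true given the constants' names, but a unit test over the accepted spellings would make the refactor verifiable. ParseNetworkNamespace starts before the first hunk and ends after the second.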
@@ -49,9 +49,28 @@ var _ = Describe("Podman run networking", func() {
 Expect(session.ExitCode()).To(Equal(0))
 })
+ It("podman run network connection with default", func() {
+ session := podmanTest.Podman([]string{"run", "--network", "default", ALPINE, "wget", "www.podman.io"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
+ It("podman run network connection with none", func() {
+ session := podmanTest.Podman([]string{"run", "--network", "none", ALPINE, "wget", "www.podman.io"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(1))
+ Expect(session.ErrorToString()).To(ContainSubstring("wget: bad address 'www.podman.io'"))
+ })
+
+ It("podman run network connection with private", func() {
+ session := podmanTest.Podman([]string{"run", "--network", "private", ALPINE, "wget", "www.podman.io"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
 It("podman run network connection with loopback", func() {
- session := podmanTest.Podman([]string{"run", "-dt", "--network", "host", ALPINE, "wget", "www.podman.io"})
- session.Wait(90)
+ session := podmanTest.Podman([]string{"run", "--network", "host", ALPINE, "wget", "www.podman.io"})
+ session.WaitWithDefaultTimeout()
 Expect(session.ExitCode()).To(Equal(0))
 }) |
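Review bot: The new "default" and "private" cases assert only that `wget www.podman.io` exits 0, so they cannot distinguish the modes the parser change maps them to (bridge or slirp4netns) from each other or from "host" — any mode with outbound connectivity passes — and they add two more points where the suite depends on public DNS and HTTP from the CI runner. Asserting the resolved network mode of the created container (for example via `podman inspect`) would pin what the commit actually changes and would not need Internet access. The "none" case is the only one whose check is mode-specific, but `"wget: bad address 'www.podman.io'"` is BusyBox wording and will need updating if the ALPINE image changes. The enclosing Describe block starts and ends outside the hunk.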