Why does systemd-nspawn's network namespace not work properly when systemd is not running inside the container?

I am trying to run a systemd-nspawn container inside a network namespace managed by systemd-nspawn, without an init system. My container is a basic Fedora 35 image, and I invoke it as follows:

systemd-nspawn --network-bridge=virbr0 --port 5555:9001 --directory=/container/f35 python3 -m http.server 9001

My intent is to isolate the container's network privately, so that the web server running on port 9001 inside the container can be reached using the bridge's IP address and port 5555. However, when I try to connect to the container it fails immediately. Looking at ip link on the host, I see the following relevant output:

3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
39: vb-f35@if2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master virbr0 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1

I noticed that both virbr0 and vb-f35@if2 list NO-CARRIER. If I change the container to use --boot instead of running the web server as the command, ip link shows the following for the relevant interfaces:

3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
40: vb-f35@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UP mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1

I can then successfully ping the container and reach the web server running on port 9001 inside it from the outside world.

Clearly systemd inside the container is doing something to initialize the network properly, but I can't tell exactly what. Does anyone have suggestions for determining what it is? Alternatively, tips on how to get systemd-nspawn to set up the network itself, without relying on systemd inside the container, would be welcome.

Edit:

I am providing the information requested by AB in the comments below this question.

Output of iptables-save -c before starting the container:

# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*nat
:PREROUTING ACCEPT [332:41133]
:INPUT ACCEPT [291:39665]
:OUTPUT ACCEPT [7041:549405]
:POSTROUTING ACCEPT [7041:549405]
:LIBVIRT_PRT - [0:0]
[7043:549565] -A POSTROUTING -j LIBVIRT_PRT
[7:513] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[1:84] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*mangle
:PREROUTING ACCEPT [117102:151146445]
:INPUT ACCEPT [117086:151145517]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [64309:5329802]
:POSTROUTING ACCEPT [64357:5334100]
:LIBVIRT_PRT - [0:0]
[64366:5334974] -A POSTROUTING -j LIBVIRT_PRT
[6:1968] -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*raw
:PREROUTING ACCEPT [117205:151170716]
:OUTPUT ACCEPT [64424:5339032]
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*security
:INPUT ACCEPT [117138:151166535]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [64424:5339032]
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*filter
:INPUT ACCEPT [117077:151143379]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [64305:5327950]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
[117096:151152501] -A INPUT -j LIBVIRT_INP
[6:504] -A FORWARD -j LIBVIRT_FWX
[6:504] -A FORWARD -j LIBVIRT_FWI
[3:252] -A FORWARD -j LIBVIRT_FWO
[64323:5331044] -A OUTPUT -j LIBVIRT_OUT
[3:252] -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[3:252] -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
[3:218] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1920] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1968] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT

Output of iptables-save -c after creating the container:

# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*nat
:PREROUTING ACCEPT [374:46301]
:INPUT ACCEPT [329:44705]
:OUTPUT ACCEPT [7315:580228]
:POSTROUTING ACCEPT [7315:580228]
:LIBVIRT_PRT - [0:0]
[7317:580388] -A POSTROUTING -j LIBVIRT_PRT
[8:580] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[1:84] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*mangle
:PREROUTING ACCEPT [130977:169443079]
:INPUT ACCEPT [130961:169442151]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [70277:5768739]
:POSTROUTING ACCEPT [70327:5773171]
:LIBVIRT_PRT - [0:0]
[70336:5774045] -A POSTROUTING -j LIBVIRT_PRT
[6:1968] -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*raw
:PREROUTING ACCEPT [131080:169467350]
:OUTPUT ACCEPT [70392:5777969]
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*security
:INPUT ACCEPT [131008:169462974]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [70392:5777969]
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*filter
:INPUT ACCEPT [130952:169440013]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [70273:5766887]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
[130971:169449135] -A INPUT -j LIBVIRT_INP
[6:504] -A FORWARD -j LIBVIRT_FWX
[6:504] -A FORWARD -j LIBVIRT_FWI
[3:252] -A FORWARD -j LIBVIRT_FWO
[70291:5769981] -A OUTPUT -j LIBVIRT_OUT
[3:252] -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[3:252] -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
[3:218] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1920] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1968] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Sun Mar 13 13:47:31 2022

ip link; ip -br address; ip route, all from the console:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 18:31:bf:51:06:fd brd ff:ff:ff:ff:ff:ff
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
15: vb-f35@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UP mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 0
lo               UNKNOWN        127.0.0.1/8 ::1/128
enp3s0           UP             192.168.1.197/24 fe80::7508:4c69:8ad8:166c/64
virbr0           UP             192.168.122.1/24
vb-f35@if2       UP             fe80::b867:2dff:fe18:5e8f/64
default via 192.168.1.1 dev enp3s0 proto dhcp metric 100
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.197 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
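The symptom in the question is visible entirely in the ip link flags: the host end of a veth pair only reports carrier once its peer has been brought up in the other namespace, and a Linux bridge only has carrier while at least one of its ports does, so a container-side link that nobody configured shows up on the host as NO-CARRIER on the veth (state LOWERLAYERDOWN) and, transitively, on the bridge it is enslaved to. The following added example is not part of the question or of systemd-nspawn; it is a small parser for ip link output that flags exactly that condition, run over the two captures quoted above (embedded here as constructed sample input). The function names parse_ip_link, carrier_problems and bridge_ports are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two `ip link` captures quoted in the question,
# first with the container started as a plain command, then with --boot.
IP_LINK_NO_BOOT = """\
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
39: vb-f35@if2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master virbr0 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1
"""

IP_LINK_BOOT = """\
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
40: vb-f35@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UP mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1
"""

# Header line of each interface: "<index>: <name>: <flags> key value key value ..."
HEADER = re.compile(r"^(?P<idx>\d+): (?P<name>[^:]+): <(?P<flags>[^>]*)>(?P<rest>.*)$")


def parse_ip_link(text: str) -> Dict[str, dict]:
    """Parse `ip link` output into {name: {index, flags, state, master, peer_ns}}.

    The header line carries the flags and the "key value" pairs (mtu, qdisc,
    master, state, ...); the indented detail line carries link-netnsid, which
    identifies the namespace holding the other end of a veth pair.
    """
    links: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rest = m.group("rest").split()
            fields = dict(zip(rest[::2], rest[1::2]))
            current = m.group("name")
            links[current] = {
                "index": int(m.group("idx")),
                "flags": set(m.group("flags").split(",")),
                "state": fields.get("state"),
                "master": fields.get("master"),
                "peer_ns": None,
            }
        elif current and "link-netnsid" in line:
            tokens = line.split()
            links[current]["peer_ns"] = tokens[tokens.index("link-netnsid") + 1]
    return links


def carrier_problems(links: Dict[str, dict]) -> List[Tuple[str, Optional[str]]]:
    """Interfaces advertising NO-CARRIER, paired with the bridge they are enslaved to (if any)."""
    return [(name, link["master"]) for name, link in links.items() if "NO-CARRIER" in link["flags"]]


def bridge_ports(links: Dict[str, dict], bridge: str) -> List[str]:
    """Names of the interfaces whose master is the given bridge."""
    return sorted(name for name, link in links.items() if link["master"] == bridge)


if __name__ == "__main__":
    for label, capture in (("without --boot", IP_LINK_NO_BOOT), ("with --boot", IP_LINK_BOOT)):
        links = parse_ip_link(capture)
        print(f"{label}: ports of virbr0 = {bridge_ports(links, 'virbr0')}")
        for name, master in carrier_problems(links):
            print(f"  {name}: NO-CARRIER, state {links[name]['state']}, master {master}, "
                  f"peer namespace id {links[name]['peer_ns']}")
```

Run against the first capture it reports vb-f35@if2 as NO-CARRIER with state LOWERLAYERDOWN and its peer in netns id 1, and virbr0 as NO-CARRIER because that veth is its only port; against the --boot capture it reports nothing. That is the distinction to chase when the container command is not an init system: what matters is whether anything inside the container's namespace brings its end of the veth up, not the iptables rules on the host, which are identical in the two dumps above apart from packet counters.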
