How do I forward packets between network namespaces?

I have a Lima virtual machine running Ubuntu 23.04 with Linux kernel 6.2 and cgroups v2. This VM is meant to serve as a Docker host. When I create a Docker network in this VM, its interface is created in its own namespace:

$ sudo lsns -t net | grep dockerd
4026532237 net      12  3807 lima   unassigned      /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
$ sudo nsenter -n -t 3807 ip a s br-c6a402bfbc91
4: br-c6a402bfbc91: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:a6:e8:5d:1c brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-c6a402bfbc91
       valid_lft forever preferred_lft forever
    inet6 fc00:f853:ccd:e793::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::42:a6ff:fee8:5d1c/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever

I can already ping containers on the 172.18.0.0/16 network from the VM:

$ ping 172.18.1.1
PING 172.18.1.1 (172.18.1.1) 56(84) bytes of data.
64 bytes from 172.18.1.1: icmp_seq=2 ttl=64 time=0.166 ms
64 bytes from 172.18.1.1: icmp_seq=4 ttl=64 time=0.177 ms

But I can't curl anything there:

$ curl -v 172.18.1.1
*   Trying 172.18.1.1:80...
$ docker ps --filter name=lima-control-plane
CONTAINER ID   IMAGE                  COMMAND                  CREATED             STATUS             PORTS                       NAMES
fc12c34dff80   kindest/node:v1.27.1   "/usr/local/bin/entr…"   About an hour ago   Up About an hour   127.0.0.1:63869->6443/tcp   lima-control-plane
$ docker exec -it lima-control-plane curl 172.18.1.1
{
  "message":"no Route matched with those values"
}

Unless I use the namespace mentioned above:

$ sudo nsenter -n -t 3807 curl 172.18.1.1
{
  "message":"no Route matched with those values"
}

Maybe there's something wrong with my iptables, but I don't know what.

$ sudo iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  348 22152 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  348 22152 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
  348 22152 ACCEPT     all  --  lima0  *       192.168.105.1        172.18.0.0/16
    0     0 ACCEPT     all  --  *      *       172.18.0.0/16        192.168.105.1

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
  778 49492 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  778 49492 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
$ ip r
default via 192.168.5.3 dev eth0 proto dhcp src 192.168.5.15 metric 100
default via 192.168.105.1 dev lima0 proto dhcp src 192.168.105.4 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.5.0/24 dev eth0 proto kernel scope link src 192.168.5.15 metric 100
192.168.5.3 dev eth0 proto dhcp scope link src 192.168.5.15 metric 100
192.168.105.0/24 dev lima0 proto kernel scope link src 192.168.105.4 metric 100
192.168.105.1 dev lima0 proto dhcp scope link src 192.168.105.4 metric 100
$ sudo nsenter -n -t 3807 iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      br-c6a402bfbc91  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-c6a402bfbc91  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-c6a402bfbc91 !br-c6a402bfbc91  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-c6a402bfbc91 br-c6a402bfbc91  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lima0  *       192.168.105.1        172.18.0.0/16
    0     0 ACCEPT     all  --  lima0  *       192.168.105.1        172.18.0.0/16
    0     0 ACCEPT     all  --  lima0  *       172.18.0.0/16        192.168.105.1
    0     0 ACCEPT     all  --  *      lima0   172.18.0.0/16        192.168.105.1
    0     0 ACCEPT     all  --  *      *       172.18.0.0/16        192.168.105.1

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-c6a402bfbc91 br-c6a402bfbc91  0.0.0.0/0            172.18.0.2           tcp dpt:6443
    0     0 ACCEPT     tcp  --  !br-c6a402bfbc91 br-c6a402bfbc91  0.0.0.0/0            172.18.0.4           tcp dpt:5000

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-c6a402bfbc91 !br-c6a402bfbc91  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      br-c6a402bfbc91  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
$ sudo nsenter -n -t 3807 ip r
default via 10.0.2.2 dev tap0
10.0.2.0/24 dev tap0 proto kernel scope link src 10.0.2.100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-c6a402bfbc91 proto kernel scope link src 172.18.0.1

Interestingly, sudo ip netns list returns nothing. I'm not sure how that relates to the namespace returned by lsns.

Edit: Docker is apparently installed in rootless mode, which is the reason for the above.
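The two iptables dumps in the question are long enough that it is easy to misread which rule, or which chain policy, actually decides a given packet. The script below is an added example (it is not part of the question and not a tool from Docker or Lima): it parses the host-side `sudo iptables -n -L -v` output quoted above and replays a constructed packet through the FORWARD chain with first-match semantics, following jumps into the DOCKER-* user chains and honouring RETURN. It assumes the standard `-n -L -v` column layout, understands only the match extensions that appear in the dumps (`ctstate` and `tcp dpt:`), and ignores everything else (conntrack itself, NAT, routing), so it answers "which filter rule would see this packet" rather than "will this packet get through".

```python
"""Replay a packet through an `iptables -n -L -v` dump to see which rule, or which
chain policy, decides it. Added example; the table below is the host-side FORWARD
dump quoted in the question (the empty INPUT/OUTPUT chains are omitted)."""
import ipaddress
import re
from collections import namedtuple

HOST_FILTER_TABLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  348 22152 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  348 22152 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
  348 22152 ACCEPT     all  --  lima0  *       192.168.105.1        172.18.0.0/16
    0     0 ACCEPT     all  --  *      *       172.18.0.0/16        192.168.105.1

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
  778 49492 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  778 49492 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

Rule = namedtuple("Rule", "target proto in_if out_if src dst extra")
Chain = namedtuple("Chain", "policy rules")  # policy is None for user-defined chains
Packet = namedtuple("Packet", "in_if out_if src dst proto dport ctstate",
                    defaults=("tcp", None, "NEW"))
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line):
    """Columns of a `-n -L -v` rule line: pkts bytes target prot opt in out src dst [match text]."""
    f = line.split(None, 9)
    return Rule(f[2], f[3], f[5], f[6], f[7], f[8], f[9].strip() if len(f) > 9 else "")

def parse_table(text):
    """Map chain name -> Chain(policy, [Rule, ...]) for one `iptables -n -L -v` dump."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = Chain(m.group(2), [])
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            current.rules.append(parse_rule(line))
    return chains

def iface_matches(spec, name):
    """'*' matches any interface; a leading '!' negates the match."""
    if spec == "*":
        return True
    return name != spec[1:] if spec.startswith("!") else name == spec

def rule_matches(rule, pkt):
    """Interface, protocol, CIDR, ctstate and destination-port matches of one rule."""
    if not (iface_matches(rule.in_if, pkt.in_if) and iface_matches(rule.out_if, pkt.out_if)):
        return False
    if rule.proto not in ("all", pkt.proto):
        return False
    if (ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src)
            or ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst)):
        return False
    ct = re.search(r"ctstate (\S+)", rule.extra)
    dpt = re.search(r"dpt:(\d+)", rule.extra)
    return ((not ct or pkt.ctstate in ct.group(1).split(","))
            and (not dpt or pkt.dport == int(dpt.group(1))))

def walk(chains, name, pkt, trace):
    """First-match evaluation; jumps into user chains, None means RETURN to the caller."""
    chain = chains[name]
    for rule in chain.rules:
        if not rule_matches(rule, pkt):
            continue
        trace.append(f"{name}: {rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, trace)
        if verdict is not None:
            return verdict
    return chain.policy  # built-in chains fall through to their policy, user chains return

def forward_verdict(table_text, pkt):
    """Return (verdict, trace) for a packet traversing the dump's FORWARD chain."""
    trace = []
    return walk(parse_table(table_text), "FORWARD", pkt, trace), trace

if __name__ == "__main__":
    # Constructed packets: one from the lima0 gateway, covered by an explicit ACCEPT,
    # and one arriving on eth0, which matches no rule and falls to the DROP policy.
    for pkt in (Packet("lima0", "br-c6a402bfbc91", "192.168.105.1", "172.18.0.5"),
                Packet("eth0", "br-c6a402bfbc91", "192.168.5.3", "172.18.0.5")):
        print(pkt.in_if, pkt.src, "->", pkt.dst, forward_verdict(HOST_FILTER_TABLE, pkt))
```

Running it shows the asymmetry in the host table: traffic from 192.168.105.1 on lima0 towards 172.18.0.0/16 is accepted by the second-to-last FORWARD rule, while the same destination reached from any other source falls through every rule and hits the chain's DROP policy. The same parser can be pointed at the namespace-side dump from `nsenter -n -t 3807 iptables -n -L -v`, where the FORWARD policy is ACCEPT and only the DOCKER chain's `tcp dpt:` rules are selective.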