Why don't systemd-nspawn network namespaces work correctly when systemd is not running inside the container?


I'm trying to run a systemd-nspawn container, without an init system, inside the network namespace that systemd-nspawn manages. My container is the default Fedora 35 image, and I invoke it as follows:

systemd-nspawn --network-bridge=virbr0 --port 5555:9001 --directory=/container/f35 python3 -m http.server 9001

My intention is to isolate the container's networking privately so that the web server running on port 9001 inside the container can be reached via the bridge's IP address on port 5555. However, trying to connect to the container fails immediately. Looking at ip link on the host, I see the following relevant output:

3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
39: vb-f35@if2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master virbr0 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1

I've confirmed that both virbr0 and vb-f35@if2 list NO-CARRIER. If I instead change the container to run the web server via --boot, I see the following for the relevant ip link interfaces:

3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
40: vb-f35@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UP mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1

and I can successfully ping, and then reach, the web server running on port 9001 inside the container from the outside world.

Clearly, systemd inside the container is doing something to initialize the network properly, but I'm not sure exactly what. Does anyone have suggestions for determining what that is? Alternatively, any hints on how to get systemd-nspawn to set up the network itself, without relying on systemd inside the container, would be welcome.

Edit:

Providing the information that A.B requested in the comments under this question.

Output of iptables-save -c before starting the container:

# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*nat
:PREROUTING ACCEPT [332:41133]
:INPUT ACCEPT [291:39665]
:OUTPUT ACCEPT [7041:549405]
:POSTROUTING ACCEPT [7041:549405]
:LIBVIRT_PRT - [0:0]
[7043:549565] -A POSTROUTING -j LIBVIRT_PRT
[7:513] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[1:84] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*mangle
:PREROUTING ACCEPT [117102:151146445]
:INPUT ACCEPT [117086:151145517]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [64309:5329802]
:POSTROUTING ACCEPT [64357:5334100]
:LIBVIRT_PRT - [0:0]
[64366:5334974] -A POSTROUTING -j LIBVIRT_PRT
[6:1968] -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*raw
:PREROUTING ACCEPT [117205:151170716]
:OUTPUT ACCEPT [64424:5339032]
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*security
:INPUT ACCEPT [117138:151166535]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [64424:5339032]
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*filter
:INPUT ACCEPT [117077:151143379]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [64305:5327950]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
[117096:151152501] -A INPUT -j LIBVIRT_INP
[6:504] -A FORWARD -j LIBVIRT_FWX
[6:504] -A FORWARD -j LIBVIRT_FWI
[3:252] -A FORWARD -j LIBVIRT_FWO
[64323:5331044] -A OUTPUT -j LIBVIRT_OUT
[3:252] -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[3:252] -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
[3:218] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1920] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1968] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT

Output of iptables-save -c after creating the container:

# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*nat
:PREROUTING ACCEPT [374:46301]
:INPUT ACCEPT [329:44705]
:OUTPUT ACCEPT [7315:580228]
:POSTROUTING ACCEPT [7315:580228]
:LIBVIRT_PRT - [0:0]
[7317:580388] -A POSTROUTING -j LIBVIRT_PRT
[8:580] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[1:84] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*mangle
:PREROUTING ACCEPT [130977:169443079]
:INPUT ACCEPT [130961:169442151]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [70277:5768739]
:POSTROUTING ACCEPT [70327:5773171]
:LIBVIRT_PRT - [0:0]
[70336:5774045] -A POSTROUTING -j LIBVIRT_PRT
[6:1968] -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*raw
:PREROUTING ACCEPT [131080:169467350]
:OUTPUT ACCEPT [70392:5777969]
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*security
:INPUT ACCEPT [131008:169462974]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [70392:5777969]
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*filter
:INPUT ACCEPT [130952:169440013]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [70273:5766887]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
[130971:169449135] -A INPUT -j LIBVIRT_INP
[6:504] -A FORWARD -j LIBVIRT_FWX
[6:504] -A FORWARD -j LIBVIRT_FWI
[3:252] -A FORWARD -j LIBVIRT_FWO
[70291:5769981] -A OUTPUT -j LIBVIRT_OUT
[3:252] -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[3:252] -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
[3:218] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1920] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1968] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Sun Mar 13 13:47:31 2022

Output of ip link; ip -br address; ip route, all from the host console:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 18:31:bf:51:06:fd brd ff:ff:ff:ff:ff:ff
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
15: vb-f35@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UP mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 0
lo               UNKNOWN        127.0.0.1/8 ::1/128
enp3s0           UP             192.168.1.197/24 fe80::7508:4c69:8ad8:166c/64
virbr0           UP             192.168.122.1/24
vb-f35@if2       UP             fe80::b867:2dff:fe18:5e8f/64
default via 192.168.1.1 dev enp3s0 proto dhcp metric 100
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.197 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
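One fact worth keeping in mind when reading the two ip link snapshots above: a veth end reports NO-CARRIER (and a bridge reports NO-CARRIER when none of its ports has carrier) while the peer end is administratively down. The host-side output in the question is therefore consistent with the container-side end of the veth never having been brought up when no init runs inside the container. The script below is an added example, not code from the question or from systemd; it flags every interface in ip link output that is UP but lacks LOWER_UP, and it runs offline against embedded copies of the question's two snapshots (constructed here from the text above). The container name f35 and the use of machinectl/nsenter in the usage note are assumptions about the questioner's setup.

```shell
#!/bin/sh
# Constructed sample: the first `ip link` snapshot from the question (no --boot).
SAMPLE_BROKEN='3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
39: vb-f35@if2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master virbr0 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1'

# Constructed sample: the second snapshot from the question (with --boot).
SAMPLE_OK='3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
40: vb-f35@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UP mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1'

# Read `ip link` output on stdin and print, one per line, the name of every
# interface whose flag set contains UP but not LOWER_UP: administratively up,
# yet without carrier. For a veth that means the peer end is still down.
no_carrier_links() {
    awk '/^[0-9]+: / {
        name = $2; sub(/:$/, "", name)          # "vb-f35@if2:" -> "vb-f35@if2"
        flags = $3; gsub(/[<>]/, "", flags)     # "<A,B,C>" -> "A,B,C"
        if (flags ~ /(^|,)UP(,|$)/ && flags !~ /(^|,)LOWER_UP(,|$)/) print name
    }'
}

# Convenience wrapper returning the flagged names as a single space-separated
# string, which is easier to compare in scripts than multi-line output.
flagged_as_string() {
    printf '%s\n' "$1" | no_carrier_links | tr '\n' ' '
}

# Stand-alone demonstration on the two embedded snapshots.
printf 'without --boot, no carrier on: %s\n' "$(flagged_as_string "$SAMPLE_BROKEN")"
printf 'with --boot, no carrier on: %s\n' "$(flagged_as_string "$SAMPLE_OK")"
```

On a live host, pipe the real output in with: ip link | no_carrier_links. To inspect the container's side of the veth while it is running (assuming nspawn registered it with machined under the name f35, the default taken from the directory name), enter its network namespace: nsenter -t "$(machinectl show -p Leader --value f35)" -n ip link | no_carrier_links. If the container-side interface is listed there as well, nothing inside the container brought it up, which is exactly the difference the --boot run shows.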
