由于运行中遇到bugBTRFS 上的 Minikube,我现在正在 Fedora 35 主机上的 QEMU Fedora 35 来宾虚拟机上运行它。我可以使用ssh -fNL端口转发来访问来宾中的 Podman diven 网络服务,但我希望使用更明智的方式(例如wireguard VPN)来允许直接在来宾上使用该子网上所有已发布的 URL。
例如,我有一个可以通过主机浏览器地址http://localhost:32220使用端口转发命令访问的服务ssh -fNL32220:10.88.0.2:32220 192.168.122.122,但是我希望http://10.88.0.3:32220通过wireguard 将主机浏览器连接到 podman0 网络地址,但我不能。
主机设置:
$ ip addr show dev wg0
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
$ ip addr show dev virbr0
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 52:54:00:92:ca:97 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
$ sudo cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <host private key string>
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = bxL6esqKWNjEcQ7hLeMTE/TYacztAu95f1shVfe7AjQ=
AllowedIPs = 10.88.0.0/16, 10.0.0.2/32
Endpoint = 192.168.122.122:51820
$ sudo cat /etc/sysctl.d/99-sysctl.conf
net.ipv4.ip_forward=1
来宾虚拟机设置:
$ ip addr show dev wg0
11: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.2/24 scope global wg0
valid_lft forever preferred_lft forever
$ ip addr show dev enp1s0
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:c6:22:84 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.122/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0
valid_lft 2474sec preferred_lft 2474sec
inet6 fe80::5054:ff:fec6:2284/64 scope link noprefixroute
valid_lft forever preferred_lft forever
$ ip addr show dev podman0
6: podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether fa:07:63:90:3f:01 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global podman0
valid_lft forever preferred_lft forever
inet6 fe80::7cc5:35ff:fe52:509d/64 scope link
valid_lft forever preferred_lft forever
$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.2/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <guest private key string>
[Peer]
PublicKey = Hwb/SeadMH/JbzelPyL7wvOY14Gf8owOcsDFMObD2lE=
AllowedIPs = 10.0.0.1/32
在访客上,我在这里可以看到一项服务(如上所述,可以通过 ssh 隧道获得):
minikube service list
|----------------------|---------------------------|--------------|------------------------|
| NAMESPACE | NAME | TARGET PORT | URL |
|----------------------|---------------------------|--------------|------------------------|
| default | hello-minikube | 8080 | http://10.88.0.3:32220 |
最后我将wireguard服务防火墙端口添加UDP/51820到virbr0
$ sudo firewall-cmd --info-zone=libvirt
libvirt (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: virbr0
sources:
services: dhcp dhcpv6 dns ssh tftp wireguard
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
有什么想法 (a) 如何完成这项工作或 (b) 如何使来宾内部 URI 更适合我测试 Kubernetes Pod?目前我一直在使用waypipe转发远程浏览器实例 - 一个可怕的黑客:D