Why doesn't systemd-nspawn's network namespace work properly without systemd running inside the container?


I am trying to run a systemd-nspawn container without an init system, inside a network namespace managed by systemd-nspawn. My container is a stock Fedora 35 image, and I invoke it like this:

systemd-nspawn --network-bridge=virbr0 --port 5555:9001 --directory=/container/f35 python3 -m http.server 9001

My intent is to isolate the container's network privately, so that I can reach the web server running on port 9001 inside the container via the bridge's IP address and port 5555. However, when I try to connect to the container, it fails immediately. When I look at ip link on the host, I get the following relevant output:

3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
39: vb-f35@if2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master virbr0 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1

I notice that both virbr0 and vb-f35@if2 are listed with NO-CARRIER. When I change the container to --boot instead of running the web server as its command, ip link shows the following for the relevant interfaces:

3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
40: vb-f35@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UP mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1

I can then successfully ping it and reach, from the outside world, a web server running on port 9001 inside the container.

Clearly systemd inside the container is doing something to initialize the network properly, but I can't figure out exactly what. Does anyone have any suggestions for determining what that is? Alternatively, any hints on how to get systemd-nspawn to set up the network itself, without relying on systemd inside the container to do something, would be great.

Edit:

I am providing the information that AB requested in the comments below this question.

Output of iptables-save -c before starting the container:

# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*nat
:PREROUTING ACCEPT [332:41133]
:INPUT ACCEPT [291:39665]
:OUTPUT ACCEPT [7041:549405]
:POSTROUTING ACCEPT [7041:549405]
:LIBVIRT_PRT - [0:0]
[7043:549565] -A POSTROUTING -j LIBVIRT_PRT
[7:513] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[1:84] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*mangle
:PREROUTING ACCEPT [117102:151146445]
:INPUT ACCEPT [117086:151145517]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [64309:5329802]
:POSTROUTING ACCEPT [64357:5334100]
:LIBVIRT_PRT - [0:0]
[64366:5334974] -A POSTROUTING -j LIBVIRT_PRT
[6:1968] -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*raw
:PREROUTING ACCEPT [117205:151170716]
:OUTPUT ACCEPT [64424:5339032]
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*security
:INPUT ACCEPT [117138:151166535]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [64424:5339032]
COMMIT
# Completed on Sun Mar 13 13:43:20 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:43:20 2022
*filter
:INPUT ACCEPT [117077:151143379]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [64305:5327950]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
[117096:151152501] -A INPUT -j LIBVIRT_INP
[6:504] -A FORWARD -j LIBVIRT_FWX
[6:504] -A FORWARD -j LIBVIRT_FWI
[3:252] -A FORWARD -j LIBVIRT_FWO
[64323:5331044] -A OUTPUT -j LIBVIRT_OUT
[3:252] -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[3:252] -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
[3:218] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1920] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1968] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT

Output of iptables-save -c after creating the container:

# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*nat
:PREROUTING ACCEPT [374:46301]
:INPUT ACCEPT [329:44705]
:OUTPUT ACCEPT [7315:580228]
:POSTROUTING ACCEPT [7315:580228]
:LIBVIRT_PRT - [0:0]
[7317:580388] -A POSTROUTING -j LIBVIRT_PRT
[8:580] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[1:84] -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*mangle
:PREROUTING ACCEPT [130977:169443079]
:INPUT ACCEPT [130961:169442151]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [70277:5768739]
:POSTROUTING ACCEPT [70327:5773171]
:LIBVIRT_PRT - [0:0]
[70336:5774045] -A POSTROUTING -j LIBVIRT_PRT
[6:1968] -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*raw
:PREROUTING ACCEPT [131080:169467350]
:OUTPUT ACCEPT [70392:5777969]
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*security
:INPUT ACCEPT [131008:169462974]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [70392:5777969]
COMMIT
# Completed on Sun Mar 13 13:47:31 2022
# Generated by iptables-save v1.8.7 on Sun Mar 13 13:47:31 2022
*filter
:INPUT ACCEPT [130952:169440013]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [70273:5766887]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
[130971:169449135] -A INPUT -j LIBVIRT_INP
[6:504] -A FORWARD -j LIBVIRT_FWX
[6:504] -A FORWARD -j LIBVIRT_FWI
[3:252] -A FORWARD -j LIBVIRT_FWO
[70291:5769981] -A OUTPUT -j LIBVIRT_OUT
[3:252] -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[3:252] -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
[3:218] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1920] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[6:1968] -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
[0:0] -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Sun Mar 13 13:47:31 2022

Full output of ip link; ip -br address; ip route on the host:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 18:31:bf:51:06:fd brd ff:ff:ff:ff:ff:ff
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
15: vb-f35@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UP mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 0
lo               UNKNOWN        127.0.0.1/8 ::1/128
enp3s0           UP             192.168.1.197/24 fe80::7508:4c69:8ad8:166c/64
virbr0           UP             192.168.122.1/24
vb-f35@if2       UP             fe80::b867:2dff:fe18:5e8f/64
default via 192.168.1.1 dev enp3s0 proto dhcp metric 100
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.197 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
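Added example, not part of the question or of any answer on this page. The host-side half of a veth pair reports NO-CARRIER / LOWERLAYERDOWN until the peer inside the container is brought UP; with --boot, systemd-networkd inside the container does that for host0 (the name systemd-nspawn gives the container end of the veth), and with a bare python3 command nothing does. The script below is a hypothetical wrapper to run as the container's command in place of the bare server: it brings host0 up, assigns an address, adds a default route and then execs the service. It also carries a small check that reads ip link output and lists links without carrier, run here over the two excerpts from the question (constructed samples). Assumed values: interface name host0 (from systemd-nspawn's conventions), a hypothetical static address 192.168.122.50/24 inside the libvirt subnet shown above, and 192.168.122.1 as gateway (the host's virbr0 address shown above).

```sh
#!/bin/sh
# Added example (not the question author's code). Assumptions: the container
# end of the veth is host0 (systemd-nspawn's default name), 192.168.122.50/24
# is a hypothetical free address in the libvirt bridge subnet shown on the
# page, and 192.168.122.1 is the host's virbr0 address from the same output.
set -eu

IFACE="${IFACE:-host0}"
ADDR="${ADDR:-192.168.122.50/24}"
GW="${GW:-192.168.122.1}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# Run a command, or print it when DRY_RUN=1, so the setup can be inspected
# on a machine where we do not hold CAP_NET_ADMIN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Do by hand what systemd-networkd's 80-container-host0.network would do:
# loopback up, host0 up, one address, default route through the bridge.
# Until `ip link set host0 up` runs inside the container, the host side of
# the veth (vb-f35@if2 in the question) stays NO-CARRIER / LOWERLAYERDOWN.
bring_up_iface() {
    run ip link set dev lo up
    run ip link set dev "$IFACE" up
    run ip addr add "$ADDR" dev "$IFACE"
    run ip route add default via "$GW" dev "$IFACE"
}

# Read `ip link` output on stdin; print the name of every interface whose
# flags contain NO-CARRIER or whose state is LOWERLAYERDOWN, one per line.
# Interface header lines start with "<index>: <name>: <flags>"; the indented
# link/ether lines do not match.
links_without_carrier() {
    awk -F'[: ]+' '/^[0-9]+: / && (/NO-CARRIER/ || /LOWERLAYERDOWN/) { print $2 }'
}

# Constructed samples: the two `ip link` excerpts quoted in the question.
SAMPLE_LINK_DOWN='3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
39: vb-f35@if2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master virbr0 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1'
SAMPLE_LINK_UP='3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:10:6d:33 brd ff:ff:ff:ff:ff:ff
40: vb-f35@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UP mode DEFAULT group default qlen 1000
    link/ether ba:67:2d:18:5e:8f brd ff:ff:ff:ff:ff:ff link-netnsid 1'

# Entry point. With arguments: configure the network, then exec the service
# so it becomes the container's main process. With no arguments only the
# functions are defined, e.g. for:  ip link | links_without_carrier
main() {
    bring_up_iface
    exec "$@"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Usage: copy the script into the container tree (say as /netup.sh) and run `systemd-nspawn --network-bridge=virbr0 --port 5555:9001 --directory=/container/f35 /bin/sh /netup.sh python3 -m http.server 9001`. systemd-nspawn keeps CAP_NET_ADMIN in the container when private networking is used, which is what the ip commands need. Giving host0 an address also gives --port something to forward to; the iptables-save output above shows that nspawn had added no NAT rule for port 5555 while the container had no address. On the host, `ip link | links_without_carrier` should print nothing once the container end is up, matching the --boot output in the question.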
