I'm running Ubuntu 23.04 with kernel 6.2 and cgroups v2 in a Lima virtual machine. The VM is set up to act as a Docker host. When I create a Docker network on this VM, the interface is created in its own namespace:
$ sudo lsns -t net | grep dockerd
4026532237 net 12 3807 lima unassigned /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
$ sudo nsenter -n -t 3807 ip a s br-c6a402bfbc91
4: br-c6a402bfbc91: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:a6:e8:5d:1c brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-c6a402bfbc91
valid_lft forever preferred_lft forever
inet6 fc00:f853:ccd:e793::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::42:a6ff:fee8:5d1c/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::1/64 scope link
valid_lft forever preferred_lft forever
I can already ping containers on the 172.18.0.0/16 network from the VM:
$ ping 172.18.1.1
PING 172.18.1.1 (172.18.1.1) 56(84) bytes of data.
64 bytes from 172.18.1.1: icmp_seq=2 ttl=64 time=0.166 ms
64 bytes from 172.18.1.1: icmp_seq=4 ttl=64 time=0.177 ms
But I can't curl anything there:
$ curl -v 172.18.1.1
* Trying 172.18.1.1:80...
$ docker ps --filter name=lima-control-plane
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fc12c34dff80 kindest/node:v1.27.1 "/usr/local/bin/entr…" About an hour ago Up About an hour 127.0.0.1:63869->6443/tcp lima-control-plane
$ docker exec -it lima-control-plane curl 172.18.1.1
{
"message":"no Route matched with those values"
}
Unless I use the namespace mentioned above:
$ sudo nsenter -n -t 3807 curl 172.18.1.1
{
"message":"no Route matched with those values"
}
Maybe there is something wrong with my iptables, but I don't know what.
$ sudo iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
348 22152 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
348 22152 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
348 22152 ACCEPT all -- lima0 * 192.168.105.1 172.18.0.0/16
0 0 ACCEPT all -- * * 172.18.0.0/16 192.168.105.1
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
778 49492 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
778 49492 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
$ ip r
default via 192.168.5.3 dev eth0 proto dhcp src 192.168.5.15 metric 100
default via 192.168.105.1 dev lima0 proto dhcp src 192.168.105.4 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.5.0/24 dev eth0 proto kernel scope link src 192.168.5.15 metric 100
192.168.5.3 dev eth0 proto dhcp scope link src 192.168.5.15 metric 100
192.168.105.0/24 dev lima0 proto kernel scope link src 192.168.105.4 metric 100
192.168.105.1 dev lima0 proto dhcp scope link src 192.168.105.4 metric 100
$ sudo nsenter -n -t 3807 iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-c6a402bfbc91 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-c6a402bfbc91 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-c6a402bfbc91 !br-c6a402bfbc91 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-c6a402bfbc91 br-c6a402bfbc91 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lima0 * 192.168.105.1 172.18.0.0/16
0 0 ACCEPT all -- lima0 * 192.168.105.1 172.18.0.0/16
0 0 ACCEPT all -- lima0 * 172.18.0.0/16 192.168.105.1
0 0 ACCEPT all -- * lima0 172.18.0.0/16 192.168.105.1
0 0 ACCEPT all -- * * 172.18.0.0/16 192.168.105.1
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-c6a402bfbc91 br-c6a402bfbc91 0.0.0.0/0 172.18.0.2 tcp dpt:6443
0 0 ACCEPT tcp -- !br-c6a402bfbc91 br-c6a402bfbc91 0.0.0.0/0 172.18.0.4 tcp dpt:5000
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-c6a402bfbc91 !br-c6a402bfbc91 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * br-c6a402bfbc91 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
$ sudo nsenter -n -t 3807 ip r
default via 10.0.2.2 dev tap0
10.0.2.0/24 dev tap0 proto kernel scope link src 10.0.2.100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-c6a402bfbc91 proto kernel scope link src 172.18.0.1
Interestingly, sudo ip netns list returns nothing. I'm not sure how that relates to the namespace that lsns returns.
Edit: Docker is apparently installed in rootless mode, which is the reason behind the above.
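An added example, not part of the original post, that contrasts the two views the question compares: `ip netns list` only enumerates names bind-mounted under /run/netns (created by `ip netns add` or `ip netns attach`), while `lsns -t net` scans /proc/<pid>/ns, which is why a namespace held only by a rootless dockerd process shows up in one and not the other. It assumes a Linux host with /proc and uses the pid 3807 from the question as its default argument.

```shell
#!/bin/sh
# Added example (not from the original post): compare what `ip netns list`
# sees (/run/netns bind mounts) with what `lsns -t net` sees (/proc/*/ns/net).
set -eu

# Print the net namespace identity of a pid, e.g. "net:[4026532237]".
# Reading /proc/<pid>/ns/net of another user's process requires root.
netns_id() {
    readlink "/proc/$1/ns/net"
}

# Return 0 if two pids share a network namespace, 1 otherwise.
same_netns() {
    a=$(netns_id "$1") && b=$(netns_id "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# The names `ip netns list` would print: the entries under /run/netns.
ip_netns_names() {
    [ -d /run/netns ] && ls -1 /run/netns 2>/dev/null || true
}

# lsns-style view: one line per distinct net namespace with one pid in it.
# Pids whose ns links are unreadable (not root) are skipped silently.
list_netns_from_proc() {
    for p in /proc/[0-9]*; do
        id=$(readlink "$p/ns/net" 2>/dev/null) || continue
        echo "$id ${p#/proc/}"
    done | sort -u -k1,1
}

main() {
    pid=${1:-3807}   # pid of the rootless dockerd from the question (assumed)
    echo "net namespace of pid $pid: $(netns_id "$pid" 2>/dev/null || echo '(unreadable)')"
    echo "entries in /run/netns (what 'ip netns list' shows):"
    ip_netns_names
    echo "namespaces found via /proc (what 'lsns -t net' shows):"
    list_netns_from_proc
    # To make a /proc-only namespace visible to `ip netns` (iproute2 >= 5.11):
    #   sudo ip netns attach dockerd-rootless "$pid"
    # after which `sudo ip netns exec dockerd-rootless ip a` matches the
    # `nsenter -n -t "$pid" ip a` output from the question.
}

main "$@"
```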