使用无根 podman 暴露端口

Question

我正在尝试在 RHEL 8.3 上使用 rootless podman 公开端口 8080。

我使用的podman版本是：

$ podman --version
podman version 2.2.1

我正在使用一个简单的Flask API 来测试它：

from flask import Flask

app = Flask(__name__)


@app.route("/")
def hello():
    return "Hello from the container!\n"


if __name__ == "__main__":
    app.run(host="0.0.0.0")

容器文件如下所示：

FROM python:3.6-alpine

RUN pip3 install flask

COPY app.py app.py

EXPOSE 5000

ENTRYPOINT python3 app.py

我正在使用以下方法构建图像：

$ podman build -t testapi .

我正在创建一个 pod 并在该 pod 中启动一个容器

$ podman pod create --name testpod -p 8080:5000
$
$ podman run -d --rm --name testapi --pod testpod testapi 

所有容器都按预期运行：

$ podman ps
CONTAINER ID  IMAGE                     COMMAND  CREATED             STATUS            PORTS                   NAMES
85289290cc7a  localhost/testapi:latest           3 seconds ago       Up 2 seconds ago  0.0.0.0:8080->5000/tcp  testapi
4b1ac2354a1a  k8s.gcr.io/pause:3.2               About a minute ago  Up 3 seconds ago  0.0.0.0:8080->5000/tcp  81aa31a38084-infra

但是，我无法连接到端口：

$ telnet <IP> 8080
Trying <IP>...
telnet: Unable to connect to remote host: No route to host

当我使用 netstat 查看正在使用的端口时，我得到了这个：

$ netstat -tulpn | grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::8080                 :::*                    LISTEN      638593/containers-r 
tcp6       0      0 :::22                   :::*                    LISTEN      -                   

使用 lsof 我得到：

$ lsof -i -P -n | grep LISTEN
exe     638593   ds   13u  IPv6 593362      0t0  TCP *:8080 (LISTEN)

当我使用 rootfull podman 做同样的事情时，它可以工作，即：

$ sudo podman pod create --name testpod -p 8080:5000 
$ sudo podman run -d --rm --name testapi --pod testpod testapi

现在的响应是：

$ telnet 10.100.2.220 8080
Trying 10.100.2.220...
Connected to 10.100.2.220.

netstat 返回：

$ netstat -tulpn | grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -      

和 lsof：

$ sudo lsof -i -P -n | grep LISTEN
conmon  639312   root    5u  IPv4 590239      0t0  TCP *:8080 (LISTEN)

有没有办法使用无根 podman 公开端口，以便我可以远离 podman 主机访问它？

Answer 1

使用无根 pod 时请仔细检查此步骤：

$ 远程登录 8080 试 ... telnet：无法连接到远程主机：没有到主机的路由

我已经复制了你的环境和图片，没有发现任何问题。

PS：可能是firewalld的问题，尝试打开8080端口。

# firewall-cmd --add-port=8080/tcp --permanent 
# firewall-cmd --reload

Answer 2

我在 Podman 3.1.2 (Ubuntu 20.04.2) 上进行了同样的测试。 它似乎工作。也许您的 Podman 版本太旧并且包含一些错误？

esjolund@laptop:~/test$ cat Dockerfile 
FROM python:3.6-alpine

RUN pip3 install flask

COPY app.py app.py

EXPOSE 5000

ENTRYPOINT python3 app.py
esjolund@laptop:~/test$ cat app.py 
from flask import Flask

app = Flask(__name__)


@app.route("/")
def hello():
    return "Hello from the container!\n"


if __name__ == "__main__":
    app.run(host="0.0.0.0")
esjolund@laptop:~/test$ podman build -t testapi .
STEP 1: FROM python:3.6-alpine
✔ docker.io/library/python:3.6-alpine
Getting image source signatures
Copying blob 8b0340cff2c8 done  
Copying blob c89910f38943 done  
Copying blob a7ad1a75a999 done  
Copying blob 5545670c3922 done  
Copying blob 540db60ca938 done  
Copying config 118f82a946 done  
Writing manifest to image destination
Storing signatures
STEP 2: RUN pip3 install flask
Collecting flask
  Downloading Flask-2.0.0-py3-none-any.whl (93 kB)
Collecting itsdangerous>=2.0
  Downloading itsdangerous-2.0.1-py3-none-any.whl (18 kB)
Collecting Jinja2>=3.0
  Downloading Jinja2-3.0.1-py3-none-any.whl (133 kB)
Collecting Werkzeug>=2.0
  Downloading Werkzeug-2.0.1-py3-none-any.whl (288 kB)
Collecting click>=7.1.2
  Downloading click-8.0.0-py3-none-any.whl (96 kB)
Collecting MarkupSafe>=2.0
  Downloading MarkupSafe-2.0.1.tar.gz (18 kB)
Collecting dataclasses
  Downloading dataclasses-0.8-py3-none-any.whl (19 kB)
Building wheels for collected packages: MarkupSafe
  Building wheel for MarkupSafe (setup.py): started
  Building wheel for MarkupSafe (setup.py): finished with status 'done'
  Created wheel for MarkupSafe: filename=MarkupSafe-2.0.1-py3-none-any.whl size=9743 sha256=93d0dc7d9d4546b1b9b0a9b4c14c7313c101969f3442c00d180f37a3f253bc6c
  Stored in directory: /root/.cache/pip/wheels/05/46/9b/189d9acb1f643857fb8ad990ca04c02509c35d3ad6fac81794
Successfully built MarkupSafe
Installing collected packages: MarkupSafe, dataclasses, Werkzeug, Jinja2, itsdangerous, click, flask
Successfully installed Jinja2-3.0.1 MarkupSafe-2.0.1 Werkzeug-2.0.1 click-8.0.0 dataclasses-0.8 flask-2.0.0 itsdangerous-2.0.1
WARNING: Running pip as root will break packages and permissions. You should install packages reliably by using venv: https://pip.pypa.io/warnings/venv
--> cddad03925e
STEP 3: COPY app.py app.py
--> 56afbc68fea
STEP 4: EXPOSE 5000
--> 0d76f34a2c3
STEP 5: ENTRYPOINT python3 app.py
STEP 6: COMMIT testapi
--> e40c443149a
e40c443149a7cc16cbecfd2e8dab059ed4c148982b84b536ac62a16dc9869a75
esjolund@laptop:~/test$ podman pod create --name testpod -p 8080:5000
25c16eb23ccf256677ad643a361d8f3b1197495a33c0378b6938f8884e20787e
esjolund@laptop:~/test$ podman run -d --rm --name testapi --pod testpod testapi 
d6e112e00e29603e489863802f6cf7f2854c5aa4a24da479a1df48fb154627d4
esjolund@laptop:~/test$ curl localhost:8080
Hello from the container!
esjolund@laptop:~/test$ podman --version
podman version 3.1.2
esjolund@laptop:~/test$ nc  -4 -z -v localhost 8080
Connection to localhost 8080 port [tcp/http-alt] succeeded!
esjolund@laptop:~/test$ 

RHEL 8.4 现已发布。我认为它包含您可能想尝试的较新的 Podman 版本。