podman/docs/source/markdown/podman-network-connect.1.md
Paul Holzinger e88d8dbeae fix rootless port forwarding with network dis-/connect
The rootlessport forwarder requires a child IP to be set. This must be a
valid IP in the container network namespace. The problem is that after a
network disconnect and connect the eth0 IP changed. Therefore the
packages are dropped since the source IP no longer exists in the
netns.
One solution is to set the child IP to 127.0.0.1, however this is a
security problem. [1]

To fix this we have to recreate the ports after network connect and
disconnect. To make this work the rootlessport process exposes a socket
where podman network connect/disconnect connect to and send the new child
IP to rootlessport. The rootlessport process will remove all ports and
recreate them with the new correct child IP.

Also bump rootlesskit to v0.14.3 to fix a race with RemovePort().

Fixes #10052

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2021-08-03 16:29:09 +02:00
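
The update flow described in the commit message above, modelled as an added example that is not podman or rootlesskit code: a forwarder receives a new child IP, refuses loopback (the 127.0.0.1 problem the message cites), and re-creates every port with the new address. `Forwarder`, `Reload`, `Update`, the one-line message format and the in-memory `net.Pipe` standing in for the socket are all assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Forwarder is a hypothetical model: published ports and their live targets.
type Forwarder struct {
	Specs  [][2]int       // {parent port, child port}
	Active map[int]string // parent port -> child address
}

// Reload removes every port and re-creates it with the new child IP.
func (f *Forwarder) Reload(raw string) error {
	ip := net.ParseIP(strings.TrimSpace(raw))
	if ip == nil || ip.IsLoopback() { // loopback child IP: CVE-2021-20199
		return fmt.Errorf("rejected child IP %q", strings.TrimSpace(raw))
	}
	f.Active = map[int]string{} // remove all ports
	for _, s := range f.Specs { // re-add each with the current address
		f.Active[s[0]] = net.JoinHostPort(ip.String(), fmt.Sprint(s[1]))
	}
	return nil
}

// Update sends ip over an in-memory pipe (stand-in for the socket).
func Update(f *Forwarder, ip string) string {
	srv, cli := net.Pipe()
	defer cli.Close()
	go func() { // forwarder side: read the new IP, reload, reply
		defer srv.Close()
		line, _ := bufio.NewReader(srv).ReadString('\n')
		if err := f.Reload(line); err != nil {
			fmt.Fprintln(srv, "error:", err)
			return
		}
		fmt.Fprintln(srv, "ok")
	}()
	fmt.Fprintln(cli, ip) // connect/disconnect side: send IP, await reply
	reply, _ := bufio.NewReader(cli).ReadString('\n')
	return strings.TrimSpace(reply)
}

func main() {
	f := &Forwarder{Specs: [][2]int{{8080, 80}}} // constructed sample
	fmt.Println(Update(f, "10.89.0.5"), Update(f, "127.0.0.1"), f)
}
```

A rejected update returns before any port is touched, so the previous mappings stay in place.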

% podman-network-connect(1)

NAME

podman-network-connect - Connect a container to a network

SYNOPSIS

podman network connect [options] network container

DESCRIPTION

Connects a container to a network. A container can be connected to a network by name or by ID. Once connected, the container can communicate with other containers in the same network.

OPTIONS

--alias

Add network-scoped alias for the container. If the network is using the dnsname CNI plugin, these aliases can be used for name resolution on the given network. Multiple --alias options may be specified as input.

EXAMPLE

Connect a container named web to a network named test

podman network connect test web

Connect a container named web to a network named test with two aliases: web1 and web2

podman network connect --alias web1 --alias web2 test web

SEE ALSO

podman(1), podman-network(1), podman-network-disconnect(1), podman-network-inspect(1)

HISTORY

November 2020, Originally compiled by Brent Baude bbaude@redhat.com