mirror of
https://github.com/containers/podman.git
synced 2025-08-06 11:32:07 +08:00

The rootlessport forwarder requires a child IP to be set. This must be a valid IP in the container network namespace. The problem is that after a network disconnect and connect the eth0 IP changed. Therefore the packages are dropped since the source IP no longer exists in the netns. One solution is to set the child IP to 127.0.0.1, however this is a security problem. [1]

To fix this we have to recreate the ports after network connect and disconnect. To make this work the rootlessport process exposes a socket which podman network connect/disconnect connect to and send the new child IP to rootlessport. The rootlessport process will remove all ports and recreate them with the new correct child IP.

Also bump rootlesskit to v0.14.3 to fix a race with RemovePort().

Fixes #10052

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
59 lines
1.6 KiB
Markdown
% podman-network-reload(1)

## NAME
podman\-network\-reload - Reload network configuration for containers

## SYNOPSIS
**podman network reload** [*options*] [*container...*]

## DESCRIPTION
Reload one or more container network configurations.

Rootful Podman relies on iptables rules in order to provide network connectivity. If the iptables rules are deleted,
for example by `firewall-cmd --reload`, the container loses network connectivity. This command restores
the network connectivity.

## OPTIONS
#### **--all**, **-a**

Reload network configuration of all containers.

#### **--latest**, **-l**

Instead of providing the container name or ID, use the last created container. If you use methods other than Podman
to run containers such as CRI-O, the last started container could be from either of those methods. (This option is not available with the remote Podman client.)

## EXAMPLE

Reload the network configuration after a firewall reload.

```
# podman run -p 80:80 -d nginx
b1b538e8bc4078fc3ee1c95b666ebc7449b9a97bacd15bcbe464a29e1be59c1c
# curl 127.0.0.1
works
# sudo firewall-cmd --reload
success
# curl 127.0.0.1
hangs
# podman network reload b1b538e8bc40
b1b538e8bc4078fc3ee1c95b666ebc7449b9a97bacd15bcbe464a29e1be59c1c
# curl 127.0.0.1
works
```
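The procedure above can be turned into a host-side check that only reloads when the rules really are gone. The following POSIX shell script is an added example and not part of the Podman documentation or project code: it inspects `iptables-save` output for the chains rootful Podman's CNI port mapping declares and, when they are missing (as after `firewall-cmd --reload`), runs `podman network reload --all`. The `CNI-HOSTPORT-*` chain names, the sample rule text and the `PODMAN` override variable (used so the functions can be exercised without a running Podman) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not podman project code: detect whether a firewall reload
# removed the iptables rules rootful Podman installed for its containers,
# and restore them with `podman network reload --all`.
#
# Assumption (not stated on the man page): rootful Podman's CNI port mapping
# declares chains named CNI-HOSTPORT-* in the nat table. Their absence from
# `iptables-save` output is taken here as the signal that the rules were
# flushed and published ports are no longer forwarded.

# cni_rules_present: read `iptables-save` text on stdin; succeed when the
# CNI-HOSTPORT-DNAT chain is still declared (":CNI-HOSTPORT-DNAT - [0:0]").
cni_rules_present() {
    grep -q '^:CNI-HOSTPORT-DNAT '
}

# count_cni_chains: print how many CNI-* chains are declared in the
# `iptables-save` text on stdin (0 means everything Podman added is gone).
count_cni_chains() {
    grep -c '^:CNI-' || true
}

# restore_if_needed: read `iptables-save` text on stdin and reload the
# container networks only when the CNI chains are missing. PODMAN is a
# hypothetical override so the function can be exercised without Podman.
restore_if_needed() {
    if cni_rules_present; then
        echo "container iptables rules intact, nothing to do"
        return 0
    fi
    echo "container iptables rules missing, reloading container networks"
    "${PODMAN:-podman}" network reload --all
}

# Constructed sample: simplified nat table while a container started with
# `-p 80:80` is running (the DNAT target address is made up).
SAMPLE_INTACT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
:CNI-HOSTPORT-MASQ - [0:0]
:CNI-HOSTPORT-SETMARK - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A CNI-HOSTPORT-DNAT -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.88.0.2:80
COMMIT'

# Constructed sample: the same table after `firewall-cmd --reload` flushed it.
SAMPLE_FLUSHED='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Usage on a rootful host (root is needed for iptables-save and podman);
# the script name is hypothetical:
#   sudo sh restore-cni.sh --host
if [ "${1:-}" = "--host" ]; then
    iptables-save -t nat | restore_if_needed
fi
```

Running this from a cron job or a firewalld reload hook keeps published ports reachable without an operator noticing the hang first; the check deliberately reads the saved table rather than probing with `curl`, so it does not depend on a workload answering on the port.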

Reload the network configuration for all containers.

```
# podman network reload --all
b1b538e8bc4078fc3ee1c95b666ebc7449b9a97bacd15bcbe464a29e1be59c1c
fe7e8eca56f844ec33af10f0aa3b31b44a172776e3277b9550a623ed5d96e72b
```

## SEE ALSO
podman(1), podman-network(1)

## HISTORY
December 2020, Originally compiled by Paul Holzinger <paul.holzinger@web.de>