opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-31 10:00:01 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
podman/docs/source/markdown/podman-network-connect.1.md
Paul Holzinger e88d8dbeae fix rootless port forwarding with network dis-/connect 
The rootlessport forwarder requires a child IP to be set. This must be a
valid ip in the container network namespace. The problem is that after a
network disconnect and connect the eth0 ip changed. Therefore the
packages are dropped since the source ip does no longer exists in the
netns.
One solution is to set the child IP to 127.0.0.1, however this is a
security problem. [1]

To fix this we have to recreate the ports after network connect and
disconnect. To make this work the rootlessport process exposes a socket
where podman network connect/disconnect connect to and send to new child
IP to rootlessport. The rootlessport process will remove all ports and
recreate them with the new correct child IP.

Also bump rootlesskit to v0.14.3 to fix a race with RemovePort().

Fixes #10052

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2021-08-03 16:29:09 +02:00

35 lines
1.0 KiB
Markdown
Raw Blame History

% podman-network-connect(1)
## NAME
podman\-network\-connect - Connect a container to a network
## SYNOPSIS
**podman network connect** [*options*] network container
## DESCRIPTION
Connects a container to a network. A container can be connected to a network by name or by ID.
Once connected, the container can communicate with other containers in the same network.
## OPTIONS
#### **--alias**
Add network-scoped alias for the container. If the network is using the `dnsname` CNI plugin, these aliases
can be used for name resolution on the given network. Multiple *--alias* options may be specified as input.
## EXAMPLE
Connect a container named *web* to a network named *test*
```
podman network connect test web
```
Connect a container name *web* to a network named *test* with two aliases: web1 and web2
```
podman network connect --alias web1 --alias web2 test web
```
## SEE ALSO
podman(1), podman-network(1), podman-network-disconnect(1), podman-network-inspect(1)
## HISTORY
November 2020, Originally compiled by Brent Baude <bbaude@redhat.com>
Reference in New Issue View Git Blame Copy Permalink