为容器启用net.ipv4.ip_forward [英] Enabling net.ipv4.ip_forward for a container

问题描述

是否可以在容器的网络名称空间上启用net.ipv4.ip_forward?

Is it possible to enable net.ipv4.ip_forward on a container's network namespace?

手册

在主机上，我可以通过以下方式手动启用

From the host, I can enable it with manually with

sudo nsenter -t \
    $(docker inspect --format '{{.State.Pid}}' $CONTAINER_NAME) \
    -n sysctl -w net.ipv4.ip_forward=1

并确认转发在容器内开始进行.

and confirm that forwarding begins working within the container.

有没有一种方法可以自动执行此操作，同时避免使用特权容器?

Is there a way to do this automatically whilst avoiding privileged containers?

推荐答案

对于某些sysctl参数，是的； net.* 已命名空间，因此可以在每个Pod(每个容器)中启用net.ipv4.ip_forward.

In case of some sysctl parameters yes; net.* is namespaced, so net.ipv4.ip_forward can be enabled per Pod (per container).

按照在Kubernetes集群中使用系统指南了解详细信息和陷阱.

Follow the Using Sysctls in a Kubernetes Cluster guide for details and gotchas.

虽然net 已命名空间，但并非所有sysctl变量都可以在命名空间中设置.有些只是等待"namespacify" 补丁，但是其他补丁可能永远都不会实现.在net.ipv4的特定示例中，可以浏览 include/net/netns/ipv4.h 查看当前支持的内容.当然，这种支持取决于实际的内核版本.

While net is namespaced, not all sysctl variables can be set in namespace. Some simply await for a "namespacify" patch, but others will possibly never get implemented. In the specific example of net.ipv4 one could browse include/net/netns/ipv4.h to see what is supported at the moment. Such support of course depends on the actual kernel version.

如果您想凭经验"验证 sysctl (实际的内核工具，而不是工具)是否支持特定变量，则可以执行以下操作(以root用户身份):

In case you wanted to "empirically" verify whether sysctl (the actual kernel facility, not the tool) supports a particular variable, you could do something like this (as root):

# cat /proc/sys/net/ipv4/ip_forward
1
# unshare --net sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
# cat /proc/sys/net/ipv4/ip_forward
1

如您所见，在新名称空间中运行的 sysctl (该工具)可能会设置net.ipv4.ip_forward=0；也没有影响父名称空间.

As you can see sysctl (the tool) running in a new namespace could set net.ipv4.ip_forward=0; also that it did not affect the parent namespace.

无法在命名空间中设置的变量的示例(目前不支持该变量):

An example of a variable that can't be set in a namespace (no support for it at the moment):

# cat /proc/sys/net/ipv4/icmp_msgs_burst
50
# unshare --net sysctl -w net.ipv4.icmp_msgs_burst=42
sysctl: cannot stat /proc/sys/net/ipv4/icmp_msgs_burst: No such file or directory

未命名空间的变量的示例为vm.nr_hugepages.此变量存在于名称空间中，但vm子系统本身为 未命名空间 (设置此变量将影响所有进程):

An example of a variable that is not namespaced would be vm.nr_hugepages. This variable exists in namespaces, but the vm subsystem itself is not namespaced (setting this variable will affect all processes):

# sysctl vm.nr_hugepages
vm.nr_hugepages = 0
# unshare sysctl vm.nr_hugepages=1
vm.nr_hugepages = 1
# sysctl vm.nr_hugepages
vm.nr_hugepages = 1

这篇关于为容器启用net.ipv4.ip_forward的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！