Configuring the Container Network
If Containerd is installed and deployed independently rather than through Kubernetes, you can either start the container with the ctr command so that it uses the host network, or use the CNI plugin to configure a Containerd network that lets the container access external networks.
Starting a Container Using ctr
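Add the --net-host parameter to the ctr command that starts the container so that the container shares the host's network and can access external networks. A container started this way has no network namespace of its own: it sees the host's interfaces and can reach services bound to the host's loopback address.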
The command is in the following format:
    ctr -n [NAMESPACE] run -d --net-host [IMAGE] [CONTAINER_NAME]
Preparations for Using the CNI Plugin
The CNI plugin uses a bridge and veth pairs to let containers access external networks. Prepare the CNI plugin and its configuration files in advance, and enable IP forwarding on the host machine.
- Downloading the CNI plugin. Download the required version of the CNI plugin and deploy it on the Containerd host machine.
- Use the CNI plugin of version 0.9.1 for Containerd 1.4.x and 1.5.x, and the CNI plugin of version 1.5.1 for Containerd 1.6.x and later.
- If you use an installation package (similar to cri-containerd-cni-XXXXX.tar.gz) that contains the plugin to deploy Containerd, you do not need to download the CNI plugin. Skip this step.
- Configuration file.
If you use the CNI plugin of version 1.5.1, replace the value of the cniVersion field in the following sub-plugin configuration files with 1.0.0.
Prepare three .conf configuration files, one each for the bridge, portmap, and firewall sub-plugins of CNI. Each file must be valid JSON.
An example of the bridge.conf configuration file:
    {
        "cniVersion": "0.4.0",
        "name": "container-net-bridge",
        "type": "bridge",
        "bridge": "br0",
        "isGateway": true,
        "ipMasq": true,
        "hairpinMode": true,
        "ipam": {
            "type": "host-local",
            "routes": [
                {
                    "dst": "0.0.0.0/0"
                }
            ],
            "ranges": [
                [
                    {
                        "gateway": "x.x.0.1",
                        "subnet": "x.x.0.0/24"
                    }
                ]
            ]
        },
        "dns": {
            "nameservers": ["8.8.8.8"]
        }
    }
An example of the portmap.conf configuration file:
    {
        "cniVersion": "0.4.0",
        "name": "container-net-portmap",
        "type": "portmap",
        "prevResult": {
        },
        "capabilities": {
            "portMappings": true
        }
    }
An example of the firewall.conf configuration file:
    {
        "cniVersion": "0.4.0",
        "name": "container-net-firewall",
        "type": "firewall",
        "prevResult": {
        },
        "ingressPolicy": "same-bridge"
    }
- Checking/Enabling the IP forwarding function of the host machine.
Check whether IP forwarding is enabled on the host machine.
    sysctl net.ipv4.conf.all.forwarding
If the command output is 1, the function is enabled.
    net.ipv4.conf.all.forwarding = 1
If the command output is 0, the function is disabled.
    net.ipv4.conf.all.forwarding = 0
Enable IP forwarding on the host machine.
    sysctl net.ipv4.conf.all.forwarding=1
Configuring the CNI Plugin
If the preceding files are ready and the host machine has been properly configured, perform the following steps to configure the CNI plugin.
- Checking the container process ID (PID).
    ctr -n [NAMESPACE] task ls
- Configure the bridge sub-plugin.
    CNI_COMMAND=ADD CNI_CONTAINERID=[Container ID] CNI_NETNS=/proc/[Container process ID]/ns/net CNI_IFNAME=[Virtual NIC name] CNI_PATH=[CNI plugin root directory] [Absolute path to the bridge sub-plugin] < [Absolute path to the prepared bridge configuration file]
Example command:
    CNI_COMMAND=ADD CNI_CONTAINERID=container_cni_config_net CNI_NETNS=/proc/1234/ns/net CNI_IFNAME=eth0 CNI_PATH=/home/cni-plugins-v091 /home/cni-plugins-v091/bridge < /cni/net.d/containerd-net-bridge-040.conf
Command output:
    {
        "cniVersion": "0.4.0",
        "interfaces": [
            {
                "name": "br0",
                "mac": "6a:42:22:2d:2a:5e"
            },
            {
                "name": "veth9ccdc6d7",
                "mac": "0a:c2:80:43:99:33"
            },
            {
                "name": "eth0",
                "mac": "c6:48:38:0d:52:34",
                "sandbox": "/proc/1234/ns/net"
            }
        ],
        "ips": [
            {
                "version": "4",
                "interface": 2,
                "address": "x.x.0.2/24",
                "gateway": "x.x.0.1"
            }
        ],
        "routes": [
            {
                "dst": "0.0.0.0/0"
            }
        ],
        "dns": {
            "nameservers": [
                "8.8.8.8"
            ]
        }
    }
- Build the portmap and firewall configuration files.
Copy the interfaces, ips, routes, and dns fields from the command output of the bridge sub-plugin step into the prevResult field of the portmap and firewall configuration files.
An example of the portmap configuration file:
    {
        "cniVersion": "0.4.0",
        "name": "containerd-net-portmap",
        "type": "portmap",
        "prevResult": {
            "interfaces": [
                {
                    "name": "br0",
                    "mac": "6a:42:22:2d:2a:5e"
                },
                {
                    "name": "veth9ccdc6d7",
                    "mac": "0a:c2:80:43:99:33"
                },
                {
                    "name": "eth0",
                    "mac": "c6:48:38:0d:52:34",
                    "sandbox": "/proc/1234/ns/net"
                }
            ],
            "ips": [
                {
                    "version": "4",
                    "interface": 2,
                    "address": "x.x.0.2/24",
                    "gateway": "x.x.0.1"
                }
            ],
            "routes": [
                {
                    "dst": "0.0.0.0/0"
                }
            ],
            "dns": {
                "nameservers": [
                    "8.8.8.8"
                ]
            }
        },
        "capabilities": {
            "portMappings": true
        }
    }
An example of the firewall configuration file:
    {
        "cniVersion": "0.4.0",
        "name": "containerd-net-firewall",
        "type": "firewall",
        "prevResult": {
            "interfaces": [
                {
                    "name": "br0",
                    "mac": "6a:42:22:2d:2a:5e"
                },
                {
                    "name": "veth9ccdc6d7",
                    "mac": "0a:c2:80:43:99:33"
                },
                {
                    "name": "eth0",
                    "mac": "c6:48:38:0d:52:34",
                    "sandbox": "/proc/1234/ns/net"
                }
            ],
            "ips": [
                {
                    "version": "4",
                    "interface": 2,
                    "address": "x.x.0.2/24",
                    "gateway": "x.x.0.1"
                }
            ],
            "routes": [
                {
                    "dst": "0.0.0.0/0"
                }
            ],
            "dns": {
                "nameservers": [
                    "8.8.8.8"
                ]
            }
        },
        "ingressPolicy": "same-bridge"
    }
- Configure the portmap sub-plugin.
    CNI_COMMAND=ADD CNI_CONTAINERID=[Container ID] CNI_NETNS=/proc/[Container process ID]/ns/net CNI_IFNAME=[Virtual NIC name] CNI_PATH=[CNI plugin root directory] [Absolute path to the portmap sub-plugin] < [Absolute path to the new portmap configuration file]
Example command:
    CNI_COMMAND=ADD CNI_CONTAINERID=container_cni_config_net CNI_NETNS=/proc/1234/ns/net CNI_IFNAME=eth0 CNI_PATH=/home/cni-plugins-v091 /home/cni-plugins-v091/portmap < /cni/net.d/containerd-net-portmap-040.conf
The values of CNI_CONTAINERID, CNI_NETNS, CNI_IFNAME, and CNI_PATH in this step must be the same as those used when configuring the bridge sub-plugin.
- Configure the firewall sub-plugin.
    CNI_COMMAND=ADD CNI_CONTAINERID=[Container ID] CNI_NETNS=/proc/[Container process ID]/ns/net CNI_IFNAME=[Virtual NIC name] CNI_PATH=[CNI plugin root directory] [Absolute path to the firewall sub-plugin] < [Absolute path to the new firewall configuration file]
Example command:
    CNI_COMMAND=ADD CNI_CONTAINERID=container_cni_config_net CNI_NETNS=/proc/1234/ns/net CNI_IFNAME=eth0 CNI_PATH=/home/cni-plugins-v091 /home/cni-plugins-v091/firewall < /cni/net.d/containerd-net-firewall-040.conf
The values of CNI_CONTAINERID, CNI_NETNS, CNI_IFNAME, and CNI_PATH in this step must be the same as those used when configuring the bridge sub-plugin.
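The procedure above, as an added example that is not part of the original documentation: one environment is built once and reused for all three sub-plugins, and the bridge output is checked before it is copied into prevResult. The function names, the 10.88.0.x addresses and the sample data are assumptions made for illustration; run_plugin feeds the configuration on stdin instead of redirecting a file.

```python
import json
import os
import subprocess

# Fields the page says to copy from the bridge ADD output into prevResult.
RESULT_KEYS = ("interfaces", "ips", "routes", "dns")

def cni_env(container_id, pid, ifname, cni_path):
    """One environment reused for bridge, portmap and firewall so values cannot drift."""
    return {"CNI_COMMAND": "ADD", "CNI_CONTAINERID": container_id,
            "CNI_NETNS": f"/proc/{pid}/ns/net", "CNI_IFNAME": ifname,
            "CNI_PATH": cni_path}

def chain_conf(template, bridge_result, env):
    """Return a copy of a portmap/firewall template with prevResult filled in."""
    if template["cniVersion"] != bridge_result["cniVersion"]:
        raise ValueError("cniVersion differs between template and bridge output")
    missing = [k for k in RESULT_KEYS if k not in bridge_result]
    if missing:
        raise ValueError(f"bridge output lacks {missing}")
    # The bridge output must describe CNI_IFNAME inside the same CNI_NETNS.
    inside = [i for i in bridge_result["interfaces"]
              if i.get("sandbox") == env["CNI_NETNS"] and i["name"] == env["CNI_IFNAME"]]
    if not inside:
        raise ValueError("bridge output does not describe CNI_IFNAME in CNI_NETNS")
    conf = dict(template)
    conf["prevResult"] = {k: bridge_result[k] for k in RESULT_KEYS}
    return conf

def run_plugin(name, conf, env):
    """Run one sub-plugin binary from CNI_PATH with conf on stdin; return its JSON result."""
    out = subprocess.run([os.path.join(env["CNI_PATH"], name)],
                         input=json.dumps(conf), env={**os.environ, **env},
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)

# Constructed sample shaped like the bridge output shown on this page.
SAMPLE_RESULT = {
    "cniVersion": "0.4.0",
    "interfaces": [{"name": "br0", "mac": "6a:42:22:2d:2a:5e"},
                   {"name": "eth0", "mac": "c6:48:38:0d:52:34",
                    "sandbox": "/proc/1234/ns/net"}],
    "ips": [{"version": "4", "interface": 1, "address": "10.88.0.2/24",
             "gateway": "10.88.0.1"}],
    "routes": [{"dst": "0.0.0.0/0"}],
    "dns": {"nameservers": ["8.8.8.8"]},
}
FIREWALL_TEMPLATE = {"cniVersion": "0.4.0", "name": "container-net-firewall",
                     "type": "firewall", "prevResult": {},
                     "ingressPolicy": "same-bridge"}
```

On a real host the flow is `result = run_plugin("bridge", bridge_conf, env)`, then `run_plugin("portmap", chain_conf(portmap_template, result, env), env)`, and the same call for firewall.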