Coder Social home page Coder Social logo

cni-plugins's Introduction

CNI Plugins compatible with nftables

License

The plugins in this repository implement CNI Specification v0.4.0.

At the moment, the CNI Plugins maintained by the CNI team do not support nftables. The below plugins do.

This repository contains the following plugins:

  • cni-nftables-portmap: port mapping with nftables
  • cni-nftables-firewall: firewalling with nftables

Table of Contents

Supported Operating Systems

The plugins had been tested on the following systems:

  • CentOS 8:
    • kernel version: 4.18.0-193.14.2.el8_2.x86_64
    • nftables version v0.9.3 (Topsy)

Getting Started

First, download the plugins:

go install github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap@latest
go install github.com/greenpau/cni-plugins/cmd/cni-nftables-firewall@latest

Check the location of the downloaded plugins:

$ which cni-nftables-portmap
~/dev/go/bin/cni-nftables-portmap

Next, copy the plugins to /usr/local/lib/cni/ directory.

mv ~/dev/go/bin/cni-nftables-{portmap,firewall} /usr/local/lib/cni/

After the above, copy assets/net.d/87-podman-bridge.conflist to /etc/cni/net.d/.

sudo cp assets/net.d/87-podman-bridge.conflist /etc/cni/net.d/

The configuration is as follows:

{
  "cniVersion": "0.4.0",
  "name": "podman",
  "plugins": [
    {
      "type": "bridge",
      "bridge": "cni-podman0",
      "isGateway": true,
      "ipMasq": false,
      "ipam": {
        "type": "host-local",
        "routes": [
          {
            "dst": "0.0.0.0/0"
          }
        ],
        "ranges": [
          [
            {
              "subnet": "10.88.0.0/16",
              "gateway": "10.88.0.1"
            }
          ]
        ]
      }
    },
    {
      "type": "cni-nftables-portmap",
      "capabilities": {
        "portMappings": true
      }
    },
    {
      "type": "cni-nftables-firewall",
      "forward_chain_name": "forward"
    }
  ]
}

Please note the ipMasq key is being set to false.

Review network config:

$ sudo podman network ls
NAME     VERSION   PLUGINS
podman   0.4.0     bridge,cni-nftables-portmap,cni-nftables-firewall

Next, run the following command to place a container in the previously created podman network and query AWS Check IP website:

podman run --net=podman -it nicolaka/netshoot curl http://checkip.amazonaws.com/

Run the following commands to test port-mapping plugin by placing a container in podman network and exposing a web server in the container.

First, start the container:

podman run --net=podman -P -d nginxdemos/hello

Alternatively, map the container port to port 8080:

podman run --net=podman -p 8080:80/tcp -d nginxdemos/hello

Verify connectivity to the container:

curl -v http://HOST_IP:8080

For localhost port mapping to work it is necessary to set route_localnet sysctl

sysctl -w net.ipv4.conf.all.route_localnet=1

Also, don't limit your sending and receiving of 127.0.0.1 to the lo interface.

nft add rule filter input iifname != 'lo' ip saddr 127.0.0.0/8 counter drop
nft add rule filter input iifname != 'lo' ip daddr 127.0.0.0/8 counter drop

This will block communication between the localhost and the container network. Instead, match the physical interfaces explicitly, like this.

nft add rule filter input iifname eth0 ip saddr 127.0.0.0/8 counter drop
nft add rule filter input iifname eth0 ip daddr 127.0.0.0/8 counter drop
nft add rule filter input iifname eth1 ip saddr 127.0.0.0/8 counter drop
nft add rule filter input iifname eth1 ip daddr 127.0.0.0/8 counter drop

This allows the container network to communicate with localhost.

Architecture

TBD.

Miscellaneous

Known Issues

There could be an issue with checksums when using portmap plugin.

Specifically, packets would arrive to a container, but they would be disregarded and no SYN/ACK would be sent.

When running tcpdump inside a container, there is checksum error cksum 0xd776 (incorrect -> 0xd8b9).

$ tcpdump -i eth0 -vvv -nne
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:05:16.704789 ee:58:3f:4d:1f:23 > ea:56:b4:c6:4f:c7, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 63, id 8844, offset 0, flags [none], proto TCP (6), length 44)
    10.0.2.2.54017 > 10.88.0.116.80: Flags [S], cksum 0xd776 (incorrect -> 0xd8b9), seq 2337032705, win 65535, options [mss 1460], length 0

See similar issue here.

The solution is upgrading to nftables v0.9.3 (Topsy).

cni-plugins's People

Contributors

dafydd2277 avatar greenpau avatar stapelberg avatar vrischmann avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar

Forkers

jmanero laurentiuro idnt-devops zentriamc dafydd2277 hugmatj alekseymelikov kulakkulak25 vrga ttldev mvandermeulen simhaonline stapelberg

cni-plugins's Issues

Install instructions fail with the latest go version 1.20.1

The very first install command listed on README fails due to chances in go get command :

# go get -u github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap@latest

go: go.mod file not found in current directory or any parent directory.
        'go get' is no longer supported outside a module.
        To build and install a command, use 'go install' with a version,
        like 'go install example.com/cmd@latest'
        For more information, see https://golang.org/doc/go-get-install-deprecation
        or run 'go help get' or 'go help install'.

# go version
go version go1.20.1 linux/amd64

Resolution

go install github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap@latest
go install github.com/greenpau/cni-plugins/cmd/cni-nftables-firewall@latest

Сannot find module

Hi. I am trying to install, but I get an

# go get -u github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap
go: downloading github.com/greenpau/cni-plugins v1.0.10
go: downloading github.com/containernetworking/cni v0.8.1
go: downloading github.com/greenpau/versioned v1.0.24
go: downloading github.com/google/nftables v0.0.0-20201230142148-715e31cb3c31
go: downloading github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae
go: downloading golang.org/x/sys v0.0.0-20210616094352-59db8d763f22
go: downloading github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f
go: downloading github.com/containernetworking/cni v1.0.0
go: downloading github.com/greenpau/versioned v1.0.26
go: downloading github.com/google/nftables v0.0.0-20210818072602-d553cd2d411d
go: downloading github.com/mdlayher/netlink v1.4.0
go: downloading golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf
go: downloading github.com/mdlayher/netlink v1.4.1
go: downloading github.com/josharian/native v0.0.0-20200817173448-b6b71def0850
go: downloading github.com/google/go-cmp v0.5.4
go: downloading golang.org/x/net v0.0.0-20210614182718-04defd469f4e
go: downloading github.com/google/go-cmp v0.5.6
go: downloading github.com/koneu/natend v0.0.0-20150829182554-ec0926ea948d
go: downloading golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d
go: downloading github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00
go: downloading github.com/mdlayher/socket v0.0.0-20210624160740-9dbe287ded84
github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap imports
	github.com/greenpau/cni-plugins/pkg/portmap imports
	github.com/containernetworking/cni/pkg/types/current: cannot find module providing package github.com/containernetworking/cni/pkg/types/current

# go get -u github.com/greenpau/cni-plugins/cmd/cni-nftables-firewall
github.com/greenpau/cni-plugins/cmd/cni-nftables-firewall imports
	github.com/greenpau/cni-plugins/pkg/firewall imports
	github.com/containernetworking/cni/pkg/types/current: cannot find module providing package github.com/containernetworking/cni/pkg/types/current

go version

go1.17 linux/amd64

go get -u github.com/greenpau/cni-plugins/cmd/cni-xxxx fails with error: cannot find package "github.com/containernetworking/cni/pkg/types/current"

┌─[spence][rhel8][~/cniplugins]
└─▪ go get -u github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap
cannot find package "github.com/containernetworking/cni/pkg/types/current" in any of:
/usr/lib/golang/src/github.com/containernetworking/cni/pkg/types/current (from $GOROOT)
/home/spence/go/src/github.com/containernetworking/cni/pkg/types/current (from $GOPATH)

Port forwarding rules are too aggressive

This is a great plug in, and I'm glad you made it.

What I'm getting is probably issue #10, but I'm not sure. On my NAT system, the nftables rules are being set up to intercept all traffic to (eg.) port 80, including traffic intended to be forwarded from the internal to the external interfaces.

Here is the relevant part of my base ruleset, with a little bit of obfuscation.

define EXT_IF = <external interface>
define INT_IF = <internal interface>

table ip filter {
  chain input {
    type filter hook input priority 0; policy drop;
    # filter rules
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    iifname $INT_IF oifname $EXT_IF counter accept
    iifname $EXT_IF oifname $INT_IF ct state related,established counter accept
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}


table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname $EXT_IF counter masquerade
  }
}

Now, run a container.

# podman run -dp 80:80 docker/getting-started
746443ba846dddfadc016ab6ffda1ec44e3b083b3b25f344039db858e90d0d2f

# podman container ls
CONTAINER ID  IMAGE                                    COMMAND               CREATED         STATUS             PORTS               NAMES
746443ba846d  docker.io/docker/getting-started:latest  nginx -g daemon o...  11 seconds ago  Up 10 seconds ago  0.0.0.0:80->80/tcp  flamboyant_williamson

# podman network ls
NETWORK ID    NAME    VERSION  PLUGINS
2f259bab93aa  podman  0.4.0    bridge,cni-nftables-portmap,cni-nftables-firewall,tuning

And the diff in the ruleset.

table ip filter {
  chain forward {
    type filter hook forward priority filter; policy drop;
    jump cni-ffw-b25f344039db858e90d0d2f
    oifname "cni-podman0" ip daddr 10.88.0.11 tcp dport 80 counter accept
    iifname $INT_IF oifname $EXT_IF counter accept
    iifname $EXT_IF oifname $INT_IF ct state established,related counter accept
  }

  chain cni-ffw-b25f344039db858e90d0d2f {
    oifname "cni-podman0" ip daddr 10.88.0.11 ct state established,related counter accept
    iifname "cni-podman0" ip saddr 10.88.0.11 counter accept
    iifname "cni-podman0" oifname "cni-podman0" counter accept
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    jump cni-npr-b25f344039db858e90d0d2f
  }

  chain input {
    type nat hook input priority 100; policy accept;
  }

  chain output {
    type nat hook output priority -100; policy accept;
    jump cni-npr-b25f344039db858e90d0d2f
  }

  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    jump cni-npo-b25f344039db858e90d0d2f
    oifname $EXT_IF counter masquerade
  }

  chain cni-npr-b25f344039db858e90d0d2f {
    iifname != "cni-podman0" tcp dport 80 dnat to 10.88.0.11:80
  }

  chain cni-npo-b25f344039db858e90d0d2f {
    iifname "cni-podman0" ip saddr 10.88.0.11 ip daddr 224.0.0.0/24 counter return
    iifname "cni-podman0" ip saddr 10.88.0.11 ip daddr 255.255.255.255 counter return
    iifname "cni-podman0" ip saddr 10.88.0.11 counter masquerade
  }
}

I think the problem is the rule

iifname != "cni-podman0" tcp dport 80 dnat to 10.88.0.11:80

This intercepts anything going to port 80, whether it's coming to this host or just passing through. If I'm on an internal system and I try http://www.google.com/ I get redirected to the container before the request ever leaves my NAT firewall.

My suggested fix is to change the conditional in the rule to something like this:

ip daddr $INT_IPADDR tcp dport 80 dnat to 10.88.0.11:80
ip daddr $EXT_IPADDR tcp dport 80 dnat to 10.88.0.11:80

The IP addresses could be acquired automatically. Or, for more user control, you could read a list added to the plugin options.

    {
      "type": "cni-nftables-firewall",
      "forward_chain_name": "forward"
      "daddr": [
        $EXT_IPADDR,
        $INT_IPADDR
      ]
    },

(I realize I probably have that syntax wrong.) This would give users a more finely grained control over how the firewall intercepts container traffic. I'm going to fork this and see how fast I can learn Go and podman container plugins.

PR: Firewall CLI has changed in Ubuntu 20.10 Groovy again, this time to ufw

Running into the issue with attaching the container to the default "podman" fails because attempts to use iptable causes the warning that saying that nftables shall be used instead of legacy iptables. The iptables cli invocation returns code is 4. From the Ubuntu Groovy release notes, I learned that the Groovy has a "newest best" firewall front-end CLI uncomplicated firewall UFW installed as a part of the standard upgrade from Ubuntu 20.04 Focal to 20.10 Groovy Gorilla
ufw version
ufw 0.36
Copyright 2008-2015 Canonical Ltd.
with different input language.

The Podman CNI network configuration for the default "podman" network configures firewall plugin as
podman network inspect podman }, { "Documentation": "/usr/share/doc/containernetworking-plugins/meta_firewall.md", "backend": "iptables", "type": "firewall" }

Please, support Ubuntu 20.10 Groovy in CNI and allow configuration of the CNI firewall plugin as ufw.
Is it possible to deliver CNI plugins as a separate Debian or apt package to fast ring users?

nft rules redirects outgoing packets

I have following setup:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 3c:7c:3f:14:49:65 brd ff:ff:ff:ff:ff:ff
3: macvlan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 76:ba:1c:ce:93:6f brd ff:ff:ff:ff:ff:ff
inet 192.168.2.10/24 brd 192.168.2.255 scope global noprefixroute macvlan0
valid_lft forever preferred_lft forever
4: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 46:d5:4b:4b:16:23 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni0
valid_lft forever preferred_lft forever

eth0 is a master of macvlan0@eth0 interface
cni0 is podman CNI bridge interface.

I have simple container with two mappings:
382b2967e22c linuxserver/oscam 6 minutes ago Up 6 minutes ago 0.0.0.0:8888-8889->8888-8889/tcp oscam

the problem is when I do smth like telnet google.com 8888 from host-OS it gets nated to container. So, if I publish 443 port, this nft dnat all https to container.
table ip nat {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
jump cni-npo-e473f99609250c52ac6769b
jump cni-npo-5e8c57a9412955846493f75
}

    chain cni-npo-5e8c57a9412955846493f75 {
            iifname "cni0" ip saddr 10.88.0.9 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
            iifname "cni0" ip saddr 10.88.0.9 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
            iifname "cni0" ip saddr 10.88.0.9 counter packets 0 bytes 0 masquerade
    }

    chain prerouting {
            type nat hook prerouting priority dstnat; policy accept;
            jump cni-npr-e473f99609250c52ac6769b
    }

    chain output {
            type nat hook output priority -100; policy accept;
            jump cni-npr-e473f99609250c52ac6769b
    }

    chain input {
            type nat hook input priority 100; policy accept;
    }

    chain cni-npr-e473f99609250c52ac6769b {
            iifname != "cni0" tcp dport 8888 dnat to 10.88.0.10:8888
            iifname != "cni0" tcp dport 8889 dnat to 10.88.0.10:8889
    }

    chain cni-npo-e473f99609250c52ac6769b {
            iifname "cni0" ip saddr 10.88.0.10 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
            iifname "cni0" ip saddr 10.88.0.10 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
            iifname "cni0" ip saddr 10.88.0.10 counter packets 0 bytes 0 masquerade
    }

}

I suspect that this is caused by cni-npr-e473f99609250c52ac6769b which should not catch ougoing host packets.

fedora build issues

fedora 33 with golang-bin, what golang devel packages do I need?

$go get -u github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap
cannot find package "github.com/containernetworking/cni/pkg/types/current" in any of:
	/usr/lib/golang/src/github.com/containernetworking/cni/pkg/types/current (from $GOROOT)
	/home/louisgtwo/go/src/github.com/containernetworking/cni/pkg/types/current (from $GOPATH)

$go get -u github.com/greenpau/cni-plugins/cmd/cni-nftables-firewall
cannot find package "github.com/containernetworking/cni/pkg/types/current" in any of:
	/usr/lib/golang/src/github.com/containernetworking/cni/pkg/types/current (from $GOROOT)
	/home/louisgtwo/go/src/github.com/containernetworking/cni/pkg/types/current (from $GOPATH)

Can't get this plugin to work on fedora (same setup runs find with firewalld)

$ ls -lZ /usr/local/lib/cni/
total 7340
-rwxr-xr-x. 1 root root system_u:object_r:var_t:s0 3750908 Apr 17 13:47 cni-nftables-firewall
-rwxr-xr-x. 1 root root system_u:object_r:var_t:s0 3761781 Apr 17 13:41 cni-nftables-portmap

$ sudo podman inspect podman
[
{
"cniVersion": "0.4.0",
"name": "podman",
"plugins": [
{
"bridge": "cni-podman0",
"ipMasq": false,
"ipam": {
"ranges": [
[
{
"gateway": "10.88.0.1",
"subnet": "10.88.0.0/16"
}
]
],
"routes": [
{
"dst": "0.0.0.0/0"
}
],
"type": "host-local"
},
"isGateway": true,
"type": "bridge"
},
{
"capabilities": {
"portMappings": true
},
"type": "cni-nftables-portmap"
},
{
"forward_chain_name": "forward",
"type": "cni-nftables-firewall"
},
{
"type": "tuning"
}
]
}
]

Running rootless container:
$ podman run --pull=always --name "speedtest" --rm -p 8081:8080/tcp docker.io/openspeedtest/latest

$ sudo nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
iif "lo" accept
iif "eno2" ip protocol icmp ct state { established, new } accept
iif "eno2" ip saddr 172.16.2.0/24 tcp dport 22 ct state { established, new } accept
iif "eno2" ip saddr 172.16.2.0/24 tcp dport 8081 ct state { established, new } accept
}

chain FORWARD {
	type filter hook forward priority filter; policy drop;
}

chain OUTPUT {
	type filter hook output priority filter; policy accept;
}

}

No access to localhost ports

As I previously wrote, I have been trying to use podman on CentOS 8 running on qemu/kvm virtual machine. I removed firewalld and I use nftables directly now.

Unfortunately, I have some troubles with my nftables rules and an issue related to access to localhost ports inside the virtual machine.

When I start nginx container and try to access to localhost on 80 port, the connection hangs until I interrupt it:

# curl -vvv localhost
* Rebuilt URL to: localhost/
*   Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 80 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>

It also happens if I try to access 80 port using ip address of my virtual machine inside the VM:

# curl -vvv -4 192.168.122.101
* Rebuilt URL to: 192.168.122.101/
*   Trying 192.168.122.101...
* TCP_NODELAY set
* Connected to 192.168.122.101 (192.168.122.101) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.122.101
> User-Agent: curl/7.61.1
> Accept: */*
>

Outside the VM, I can access the container's port without any problem (If I remove the reject rule from the forward chain of the inet filter table, of course):

$ curl 192.168.122.101
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

When I stop nginx container, install package with another webserver on the virtual machine and then try to access 80 port on localhost inside the VM, I reach it successfully:

# curl localhost
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
  <title>Powered by lighttpd</title>
  <link rel="shortcut icon" href="favicon.ico" />
  <link rel="icon" href="favicon.ico" />
  <style type="text/css">
    <!--
      body { background: white; color: #666f85; text-align: center }
      img  { border: none }
    -->
  </style>
</head>
<body>

<p>
<img src="light_logo.png" width="249" height="239" alt="LIGHTTPD - fly light." />
</p>

<p>
<img src="poweredby.png" width="88" height="31" alt="Powered by GNU/Linux" />
<br />
<a href="http://www.lighttpd.net/"><img src="light_button.png" width="80" height="27" alt="Powered by Lighttpd" /></a>
</p>

</body>
</html>

I didn't create another CentOS 8 VM with default configuration running firewalld to test the access to localhost ports. But I use firewalld and podman in Fedora 32 on my home machine and I can access 80 port on localhost running the same nginx container.

It looks like there is an issue with rules set by CNI plugins.

This is a listing of my nftables ruleset when container is running:

# nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		ct state established,related counter packets 86867 bytes 92621887 accept
		meta l4proto { icmp, ipv6-icmp } counter packets 4173 bytes 305844 accept
		iif "lo" counter packets 2746 bytes 285833 accept
		ip6 saddr fe80:: ip6 daddr fe80:: udp sport 547 udp dport 546 ct state new counter packets 0 bytes 0 accept
		tcp dport 22 ct state new counter packets 0 bytes 0 accept
		tcp dport 80 ct state new counter packets 15 bytes 900 accept
		tcp dport 443 ct state new counter packets 0 bytes 0 accept
		counter packets 1951 bytes 346572 reject with icmpx type admin-prohibited
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		jump cni-npo-50795b7a600c9b95c61de4b
	}

	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		jump cni-npr-50795b7a600c9b95c61de4b
	}

	chain output {
		type nat hook output priority -100; policy accept;
	}

	chain input {
		type nat hook input priority 100; policy accept;
	}

	chain cni-npr-50795b7a600c9b95c61de4b {
		iifname != "cni-podman0" tcp dport 80 dnat to 10.88.2.129:80
	}

	chain cni-npo-50795b7a600c9b95c61de4b {
		iifname "cni-podman0" ip saddr 10.88.2.129 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
		iifname "cni-podman0" ip saddr 10.88.2.129 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		iifname "cni-podman0" ip saddr 10.88.2.129 counter packets 0 bytes 0 masquerade
	}
}
table ip raw {
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
	}
}
table ip filter {
	chain forward {
		type filter hook forward priority filter; policy drop;
		jump cni-ffw-50795b7a600c9b95c61de4b
		oifname "cni-podman0" ip daddr 10.88.2.129 tcp dport 80 counter packets 3 bytes 180 accept
		log prefix "ip4 forward drop: "
		counter packets 0 bytes 0 drop
	}

	chain cni-ffw-50795b7a600c9b95c61de4b {
		oifname "cni-podman0" ip daddr 10.88.2.129 ct state established,related counter packets 30 bytes 3106 accept
		iifname "cni-podman0" ip saddr 10.88.2.129 counter packets 27 bytes 4594 accept
		iifname "cni-podman0" oifname "cni-podman0" counter packets 0 bytes 0 accept
	}
}
table ip6 nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		jump cni-npo-50795b7a600c9b95c61de4b
	}

	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		jump cni-npr-50795b7a600c9b95c61de4b
	}

	chain output {
		type nat hook output priority -100; policy accept;
	}

	chain input {
		type nat hook input priority 100; policy accept;
	}

	chain cni-npr-50795b7a600c9b95c61de4b {
		iifname != "cni-podman0" tcp dport 80 dnat to [fd10:88:7334:6d55::1e]:80
	}

	chain cni-npo-50795b7a600c9b95c61de4b {
		iifname "cni-podman0" ip6 saddr fd10:88:7334:6d55::1e ip6 daddr fd10:88:7334:6d55::1e counter packets 0 bytes 0 return
	}
}
table ip6 raw {
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
	}
}
table ip6 filter {
	chain forward {
		type filter hook forward priority filter; policy drop;
		jump cni-ffw-50795b7a600c9b95c61de4b
		oifname "cni-podman0" ip6 daddr fd10:88:7334:6d55::1e tcp dport 80 counter packets 0 bytes 0 accept
		log prefix "ip6 forward drop: "
		counter packets 0 bytes 0 drop
	}

	chain cni-ffw-50795b7a600c9b95c61de4b {
		oifname "cni-podman0" ip6 daddr fd10:88:7334:6d55::1e ct state established,related counter packets 0 bytes 0 accept
		iifname "cni-podman0" ip6 saddr fd10:88:7334:6d55::1e counter packets 0 bytes 0 accept
		iifname "cni-podman0" oifname "cni-podman0" counter packets 0 bytes 0 accept
	}
}

This is my CNI configuration:

# podman network inspect podman
[
	{
		"cniVersion": "0.4.0",
		"name": "podman",
		"plugins": [
			{
				"bridge": "cni-podman0",
				"hairpinMode": true,
				"ipMasq": false,
				"ipam": {
					"ranges": [
						[
							{
								"gateway": "10.88.0.1",
								"subnet": "10.88.0.0/16"
							}
						],
						[
							{
								"gateway": "fd10:88:7334:6d55::1",
								"subnet": "fd10:88:7334:6d55::/64"
							}
						]
					]
					"routes": [
						{
							"dst": "0.0.0.0/0"
						},
						{
							"dst": "::/0"
						}
					],
					"type": "host-local"
				},
				"isGateway": true,
				"type": "bridge"
			},
			{
				"capabilities": {
					"portMappings": true
				},
				"type": "cni-nftables-portmap"
			},
			{
				"forward_chain_name": "forward",
				"type": "cni-nftables-firewall"
			},
			{
				"type": "tuning"
			}
		]
	}
]

Podman version and system info:

# podman version
Version:            1.6.4
RemoteAPI Version:  1
Go Version:         go1.13.4
OS/Arch:            linux/amd64

# podman system info
host:
  BuildahVersion: 1.12.0-dev
  CgroupVersion: v1
  Conmon:
    package: conmon-2.0.6-1.module_el8.2.0+304+65a3c2ac.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.6, commit: bc11c2e39bf61429aafb5d131e709a970036be24'
  Distribution:
    distribution: '"centos"'
    version: "8"
  MemFree: 1064951808
  MemTotal: 1915486208
  OCIRuntime:
    name: runc
    package: runc-1.0.0-64.rc10.module_el8.2.0+304+65a3c2ac.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 1073737728
  SwapTotal: 1073737728
  arch: amd64
  cpus: 2
  eventlogger: journald
  hostname: centos8.lan
  kernel: 4.18.0-193.19.1.el8_2.x86_64
  os: linux
  rootless: false
  uptime: 57h 7m 31.46s (Approximately 2.38 days)
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - quay.io
  - registry.access.redhat.com
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 3
  GraphDriverName: overlay
  GraphOptions: {}
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 5
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Build fails due to failing import github.com/containernetworking/cni/pkg/types/current

Hi,

It seems that the folder "current" in import path "github.com/containernetworking/cni/pkg/types/current" is no longer available in the containernetworking repo, and as such, the build fails.

go get -u github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap
package github.com/containernetworking/cni/pkg/types/current: cannot find package "github.com/containernetworking/cni/pkg/types/current" in any of:
        /usr/lib/golang/src/github.com/containernetworking/cni/pkg/types/current (from $GOROOT)
        /home/<OBFUSCATED>/go/src/github.com/containernetworking/cni/pkg/types/current (from $GOPATH)

Importing github.com/containernetworking/cni/pkg/types/types040 instead of github.com/containernetworking/cni/pkg/types/current and changing in-code references to current into types040 fixed the issue and allowed the build to finish.

-Atte

Cannot find package

While trying to go get the portmap and firewall plugins, I get the following:

$ go get -u github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap
cannot find package "github.com/containernetworking/cni/pkg/types/current" in any of:
	/usr/lib/go-1.15/src/github.com/containernetworking/cni/pkg/types/current (from $GOROOT)
	/home/bhundven/go/src/github.com/containernetworking/cni/pkg/types/current (from $GOPATH)

That path doesn't seem to exist anymore. I think this needs to change to 1.0.0: github.com/containernetworking/cni/pkg/types/100

Does not build

Hi,

While trying to compile the plugins, I get the following error:

# go get -u github.com/greenpau/cni-plugins/cmd/cni-nftables-firewall@latest
go get: github.com/greenpau/cni-plugins@none updating to
        github.com/greenpau/[email protected] requires
        github.com/google/[email protected] requires
        github.com/koneu/[email protected]: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /root/go/pkg/mod/cache/vcs/1a9251955b480a9a40583c1db9751cccef97993062f8285e6f0904b90d80152a: exit status 128:
        fatal: could not read Username for 'https://github.com': terminal prompts disabled

The repository at github.com/koneu/natend has been deleted and the dependency on it has been removed in newer versions of google/nftables 1.
Please update this repository's dependencies.

Regards,
François

Support for RHEL 8.7?

I'm unable to get this working in RHEL 8.7.
Is it even possible?
I followed the instructions from https://github.com/greenpau/cni-plugins#getting-started (instead of go get I had to run go install)
I cannot see that the cni-plugin gets loaded.
The directory /usr/local/lib/cni/ didn't exist for me - so I created it as root.

podman network inspect podman
WARN[0000] Failed to unmount check directory /home/4conf/.local/share/containers/storage/overlay/opaque-bug-check19536174/merged: device or resource b
usy 
WARN[0000] Failed to remove check directory /home/4conf/.local/share/containers/storage/overlay/opaque-bug-check19536174: unlinkat /home/4conf/.local/
share/containers/storage/overlay/opaque-bug-check19536174: directory not empty 
[
     {
          "name": "podman",
          "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
          "driver": "bridge",
          "network_interface": "cni-podman0",
          "created": "2023-02-20T09:19:22.809445058Z",
          "subnets": [
               {
                    "subnet": "10.88.0.0/16",
                    "gateway": "10.88.0.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": false,
          "ipam_options": {
               "driver": "host-local"
          }
     }
]

podman network ls
NETWORK ID    NAME        DRIVER
2f259bab93aa  podman      bridge

Containers with network always fail to start with this error:

WARN[0000] Failed to load cached network config: network 4conform-enterprise-deployment-tools_4conform-frontend not found in CNI cache, falling back t
o loading network 4conform-enterprise-deployment-tools_4conform-frontend from disk 
Error: unable to start container 54e78abb4cb4e6e0f877caf13635b01bc4b27b61c16b4ff35ca6a0e86e986fb6: plugin type="firewall" failed (add): cni plugin fir
ewall failed: failed to list iptables chains: running [/sbin/iptables -t filter -S --wait]: exit status 1: iptables v1.8.4 (nf_tables): table `filter'
 is incompatible, use 'nft' tool.

Related: containers/podman#5569

No access from container to container via host ip

Hi. Thanks for your work supporting nftables in CNI plugins.

We use nomad, docker and CNI. We are having problems accessing from a container to another container via host ip.

For example, if execute in a container

$ curl HOST_IP:9090
curl: (7) Failed to connect to HOST_IP port 9090: Connection refused

If execute on the host, then ok

$ curl 10.88.0.54:9090
<a href="/graph">Found</a>.

CNI settings

{
  "cniVersion": "0.4.0",
  "name": "mynet",
  "plugins": [
    {
      "type": "bridge",
      "bridge": "mynet0",
      "isGateway": true,
      "ipMasq": false,
      "ipam": {
        "type": "host-local",
        "routes": [
          {
            "dst": "0.0.0.0/0"
          }
        ],
        "ranges": [
          [
            {
              "subnet": "10.88.0.0/16",
              "gateway": "10.88.0.1"
            }
          ]
        ]
      }
    },
    {
      "type": "cni-nftables-portmap",
      "capabilities": {
        "portMappings": true
      }
    },
    {
      "type": "cni-nftables-firewall",
      "forward_chain_name": "forward"
    }
  ]
}

sysctl

$ sysctl -a | grep net.ipv4.conf.all.route_localnet
net.ipv4.conf.all.route_localnet = 1

Nftables rules

table ip filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		jump cni-ffw-f207c1a2a8709f670b8b03f
		oifname "mynet0" ip daddr 10.88.0.54 udp dport 9090 counter packets 0 bytes 0 accept
		oifname "mynet0" ip daddr 10.88.0.54 tcp dport 9090 counter packets 7 bytes 388 accept
		jump cni-ffw-05073c0b0d1d279a0b103db
		oifname "mynet0" ip daddr 10.88.0.53 udp dport 5432 counter packets 0 bytes 0 accept
		oifname "mynet0" ip daddr 10.88.0.53 tcp dport 5432 counter packets 4 bytes 220 accept
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}

	chain cni-ffw-05073c0b0d1d279a0b103db {
		oifname "mynet0" ip daddr 10.88.0.53 ct state established,related counter packets 486 bytes 11358135 accept
		iifname "mynet0" ip saddr 10.88.0.53 counter packets 332 bytes 21999 accept
		iifname "mynet0" oifname "mynet0" counter packets 0 bytes 0 accept
	}

	chain cni-ffw-f207c1a2a8709f670b8b03f {
		oifname "mynet0" ip daddr 10.88.0.54 ct state established,related counter packets 643 bytes 39798 accept
		iifname "mynet0" ip saddr 10.88.0.54 counter packets 936 bytes 2442404 accept
		iifname "mynet0" oifname "mynet0" counter packets 3 bytes 180 accept
	}
}
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		jump cni-npo-f207c1a2a8709f670b8b03f
		jump cni-npo-05073c0b0d1d279a0b103db
	}

	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.17.0.1 jump cni-npr-f207c1a2a8709f670b8b03f
		ip daddr 172.16.0.2 jump cni-npr-f207c1a2a8709f670b8b03f
		ip daddr HOST_IP1 jump cni-npr-f207c1a2a8709f670b8b03f
		ip daddr HOST_IP1 jump cni-npr-f207c1a2a8709f670b8b03f
		ip daddr 127.0.0.1 jump cni-npr-f207c1a2a8709f670b8b03f
		ip daddr 10.17.0.1 jump cni-npr-05073c0b0d1d279a0b103db
		ip daddr 172.16.0.2 jump cni-npr-05073c0b0d1d279a0b103db
		ip daddr HOST_IP1 jump cni-npr-05073c0b0d1d279a0b103db
		ip daddr HOST_IP2 jump cni-npr-05073c0b0d1d279a0b103db
		ip daddr 127.0.0.1 jump cni-npr-05073c0b0d1d279a0b103db
	}

	chain output {
		type nat hook output priority -100; policy accept;
		ip daddr 10.17.0.1 jump cni-npr-f207c1a2a8709f670b8b03f
		ip daddr 172.16.0.2 jump cni-npr-f207c1a2a8709f670b8b03f
		ip daddr HOST_IP1 jump cni-npr-f207c1a2a8709f670b8b03f
		ip daddr HOST_IP2 jump cni-npr-f207c1a2a8709f670b8b03f
		ip daddr 127.0.0.1 jump cni-npr-f207c1a2a8709f670b8b03f
		ip daddr 10.17.0.1 jump cni-npr-05073c0b0d1d279a0b103db
		ip daddr 172.16.0.2 jump cni-npr-05073c0b0d1d279a0b103db
		ip daddr HOST_IP1 jump cni-npr-05073c0b0d1d279a0b103db
		ip daddr HOST_IP2 jump cni-npr-05073c0b0d1d279a0b103db
		ip daddr 127.0.0.1 jump cni-npr-05073c0b0d1d279a0b103db
	}

	chain input {
		type nat hook input priority 100; policy accept;
	}

	chain cni-npr-05073c0b0d1d279a0b103db {
		iifname != "mynet0" tcp dport 5432 dnat to 10.88.0.53:5432
		iifname != "mynet0" udp dport 5432 dnat to 10.88.0.53:5432
	}

	chain cni-npo-05073c0b0d1d279a0b103db {
		oifname "mynet0" ip daddr 10.88.0.53 counter packets 4 bytes 220 masquerade
		iifname "mynet0" ip saddr 10.88.0.53 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
		iifname "mynet0" ip saddr 10.88.0.53 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		iifname "mynet0" ip saddr 10.88.0.53 counter packets 19 bytes 1281 masquerade
	}

	chain cni-npr-f207c1a2a8709f670b8b03f {
		iifname != "mynet0" tcp dport 9090 dnat to 10.88.0.54:9090
		iifname != "mynet0" udp dport 9090 dnat to 10.88.0.54:9090
	}

	chain cni-npo-f207c1a2a8709f670b8b03f {
		oifname "mynet0" ip daddr 10.88.0.54 counter packets 11 bytes 628 masquerade
		iifname "mynet0" ip saddr 10.88.0.54 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
		iifname "mynet0" ip saddr 10.88.0.54 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		iifname "mynet0" ip saddr 10.88.0.54 counter packets 0 bytes 0 masquerade
	}
}
table ip raw {
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
	}
}

We found that if change the chain cni-npr-f207c1a2a8709f670b8b03f to

	chain cni-npr-f207c1a2a8709f670b8b03f {
		tcp dport 9090 dnat to 10.88.0.54:9090
		iifname != "mynet0" tcp dport 9090 dnat to 10.88.0.54:9090
		iifname != "mynet0" udp dport 9090 dnat to 10.88.0.54:9090
	}

that is, adding dnat without iifname != "mynet0" then the connection from container to container via the host IP address is successful.

$ curl HOST_IP:9090
<a href="/graph">Found</a>.

Unable to reject forwarding without rules set by plugins

Hello!

I have been trying to use podman on CentOS 8 running on qemu/kvm virtual machine. I removed firewalld and I use nftables directly now.

Thank you for your plugins, they work very well in general, but I have some troubles with my nftables rules and an issue regarding access to localhost ports on the VM.

For testing purposes I use simple ruleset containing inet filter table:

table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                ct state established,related accept
                meta l4proto { icmp, ipv6-icmp } accept
                iif "lo" accept 
                ip6 saddr fe80:: ip6 daddr fe80:: udp sport 547 udp dport 546 ct state new accept
                tcp dport 22 ct state new accept
                tcp dport 80 ct state new accept
                tcp dport 443 ct state new accept
                reject with icmpx type admin-prohibited
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
                reject with icmpx type admin-prohibited
        }
        chain output {
                type filter hook output priority filter; policy accept;
        }
}

But when I run pod or container using podman the collision with rules set by plugins appears, because forward chains in ip filter and ip6 filter tables are placed after inet filter table:

table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		jump cni-npo-50795b7a600c9b95c61de4b
	}
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		jump cni-npr-50795b7a600c9b95c61de4b
	}
	chain output {
		type nat hook output priority -100; policy accept;
	}
	chain input {
		type nat hook input priority 100; policy accept;
	}
	chain cni-npr-50795b7a600c9b95c61de4b {
		iifname != "cni-podman0" tcp dport 80 dnat to 10.88.2.129:80
	}
	chain cni-npo-50795b7a600c9b95c61de4b {
		iifname "cni-podman0" ip saddr 10.88.2.129 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
		iifname "cni-podman0" ip saddr 10.88.2.129 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		iifname "cni-podman0" ip saddr 10.88.2.129 counter packets 0 bytes 0 masquerade
	}
}
table ip raw {
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
	}
}
table ip filter {
	chain forward {
		type filter hook forward priority filter; policy drop;
		jump cni-ffw-50795b7a600c9b95c61de4b
		oifname "cni-podman0" ip daddr 10.88.2.129 tcp dport 80 counter packets 2 bytes 120 accept
		log prefix "ip4 forward drop: "
		counter packets 0 bytes 0 drop
	}
	chain cni-ffw-50795b7a600c9b95c61de4b {
		oifname "cni-podman0" ip daddr 10.88.2.129 ct state established,related counter packets 24 bytes 2715 accept
		iifname "cni-podman0" ip saddr 10.88.2.129 counter packets 22 bytes 3476 accept
		iifname "cni-podman0" oifname "cni-podman0" counter packets 0 bytes 0 accept
	}
}
table ip6 nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		jump cni-npo-50795b7a600c9b95c61de4b
	}
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		jump cni-npr-50795b7a600c9b95c61de4b
	}
	chain output {
		type nat hook output priority -100; policy accept;
	}
	chain input {
		type nat hook input priority 100; policy accept;
	}
	chain cni-npr-50795b7a600c9b95c61de4b {
		iifname != "cni-podman0" tcp dport 80 dnat to [fd10:88:7334:6d55::1e]:80
	}
	chain cni-npo-50795b7a600c9b95c61de4b {
		iifname "cni-podman0" ip6 saddr fd10:88:7334:6d55::1e ip6 daddr fd10:88:7334:6d55::1e counter packets 0 bytes 0 return
	}
}
table ip6 raw {
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
	}
}
table ip6 filter {
	chain forward {
		type filter hook forward priority filter; policy drop;
		jump cni-ffw-50795b7a600c9b95c61de4b
		oifname "cni-podman0" ip6 daddr fd10:88:7334:6d55::1e tcp dport 80 counter packets 0 bytes 0 accept
		log prefix "ip6 forward drop: "
		counter packets 0 bytes 0 drop
	}
	chain cni-ffw-50795b7a600c9b95c61de4b {
		oifname "cni-podman0" ip6 daddr fd10:88:7334:6d55::1e ct state established,related counter packets 0 bytes 0 accept
		iifname "cni-podman0" ip6 saddr fd10:88:7334:6d55::1e counter packets 0 bytes 0 accept
		iifname "cni-podman0" oifname "cni-podman0" counter packets 0 bytes 0 accept
	}
}

If I run the nginx container with podman run -dt --name nginx-test --rm --publish 80:80 docker.io/library/nginx:stable, I'm unable to connect to the container's 80 port using ip address of the virtual machine.

When I remove the reject rule from the forward chain of the inet filter table, chains in ip filter and ip6 filter tables work as expected. In that case if I run nginx container, I have a connection to the container and I can see nginx default page.

But in that case I have to always have a running pod or container, because the ruleset doesn't have any reject rule regarding forwarding if plugin rules are not applied.

I confused a bit that my ruleset needs changes to work with podman and don't work properly if I don't start any container. I think I should to change the priority of my forward chain for applying it after the plugins' forward chains. But maybe there is another solution?

It seems that applying of plugins rules without manual rewriting existing rules would be a better solution.

This is my CNI configuration:

# podman network inspect podman
[
	{
		"cniVersion": "0.4.0",
		"name": "podman",
		"plugins": [
			{
				"bridge": "cni-podman0",
				"hairpinMode": true,
				"ipMasq": false,
				"ipam": {
					"ranges": [
						[
							{
								"gateway": "10.88.0.1",
								"subnet": "10.88.0.0/16"
							}
						],
						[
							{
								"gateway": "fd10:88:7334:6d55::1",
								"subnet": "fd10:88:7334:6d55::/64"
							}
						]
					]
					"routes": [
						{
							"dst": "0.0.0.0/0"
						},
						{
							"dst": "::/0"
						}
					],
					"type": "host-local"
				},
				"isGateway": true,
				"type": "bridge"
			},
			{
				"capabilities": {
					"portMappings": true
				},
				"type": "cni-nftables-portmap"
			},
			{
				"forward_chain_name": "forward",
				"type": "cni-nftables-firewall"
			},
			{
				"type": "tuning"
			}
		]
	}
]

Podman version and system info:

# podman version
Version:            1.6.4
RemoteAPI Version:  1
Go Version:         go1.13.4
OS/Arch:            linux/amd64

# podman system info
host:
  BuildahVersion: 1.12.0-dev
  CgroupVersion: v1
  Conmon:
    package: conmon-2.0.6-1.module_el8.2.0+304+65a3c2ac.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.6, commit: bc11c2e39bf61429aafb5d131e709a970036be24'
  Distribution:
    distribution: '"centos"'
    version: "8"
  MemFree: 1064951808
  MemTotal: 1915486208
  OCIRuntime:
    name: runc
    package: runc-1.0.0-64.rc10.module_el8.2.0+304+65a3c2ac.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 1073737728
  SwapTotal: 1073737728
  arch: amd64
  cpus: 2
  eventlogger: journald
  hostname: centos8.lan
  kernel: 4.18.0-193.19.1.el8_2.x86_64
  os: linux
  rootless: false
  uptime: 57h 7m 31.46s (Approximately 2.38 days)
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - quay.io
  - registry.access.redhat.com
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 3
  GraphDriverName: overlay
  GraphOptions: {}
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 5
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.