Chapter 11. Setting container network modes
You can configure container network modes by using Podman to define how your workloads communicate with the host and external networks. Selecting the appropriate networking environment ensures optimal performance and security isolation tailored to your specific application requirements.
11.1. Running containers with a static IP
Assign a specific IP address to a container by using the --ip option. This helps ensure consistent network addressing for services that require fixed IPs.
The podman run command with the --ip option sets the container network interface to a particular IP address, for example, 10.88.0.44. To verify that you set the IP address correctly, run the podman inspect command.
Prerequisites
- The container-tools meta-package is installed.
Procedure
Set the container network interface to the IP address 10.88.0.44:
# podman run -d --name=myubi --ip=10.88.0.44 registry.access.redhat.com/ubi10/ubi
efde5f0a8c723f70dd5cb5dc3d5039df3b962fae65575b08662e0d5b5f9fbe85
Verification
Check that the IP address is set properly:
# podman inspect --format='{{.NetworkSettings.IPAddress}}' myubi
10.88.0.44
11.2. Running the DHCP plugin for Netavark using systemd
You can run the DHCP plugin for Netavark as a systemd service to enable dynamic IP addressing for your containers. Operating this plugin as a persistent service ensures that containerized workloads maintain consistent network connectivity automatically.
Prerequisites
- The container-tools meta-package is installed.
Procedure
Enable the DHCP proxy by using the systemd socket:
# systemctl enable --now netavark-dhcp-proxy.socket
Created symlink /etc/systemd/system/sockets.target.wants/netavark-dhcp-proxy.socket → /usr/lib/systemd/system/netavark-dhcp-proxy.socket.
Optional: Display the socket unit file:
# cat /usr/lib/systemd/system/netavark-dhcp-proxy.socket
[Unit]
Description=Netavark DHCP proxy socket

[Socket]
ListenStream=%t/podman/nv-proxy.sock
SocketMode=0660

[Install]
WantedBy=sockets.target
Create a macvlan network and specify your host interface with it. Typically, it is your external interface:
# podman network create -d macvlan --interface-name <LAN_INTERFACE> mv1
mv1
Run the container by using the newly created network:
# podman run --rm --network mv1 -d --name test alpine top
894ae3b6b1081aca2a5d90a9855568eaa533c08a174874be59569d4656f9bc45
Verification
Confirm the container has an IP on your local subnet:
# podman exec test ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 5a:30:72:bf:13:76 brd ff:ff:ff:ff:ff:ff
    inet 192.168.188.36/24 brd 192.168.188.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5830:72ff:febf:1376/64 scope link
       valid_lft forever preferred_lft forever
Inspect the container to verify it uses correct IP addresses:
# podman container inspect test --format {{.NetworkSettings.Networks.mv1.IPAddress}}
192.168.188.36
When attempting to connect to this IP address, ensure the connection is made from a different host. Connections from the same host are not supported when using macvlan networking.
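The two verification steps above can be scripted so that a DHCP lease from the wrong subnet, or a disagreement between the container and Podman, fails loudly. This is an added example, not part of the original documentation or of Podman; the function names and the expected CIDR 192.168.188.0/24 are assumptions, and the sample input is trimmed from the example output on this page.

```sh
#!/bin/sh
# Added example: checks the `ip addr` and `podman container inspect` results from section 11.2.

# Convert a dotted-quad IPv4 address to an integer (assumes 64-bit shell arithmetic).
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*) return 1 ;; esac          # reject empty or zero-padded octets
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr <ip> <network/prefix>: 0 = inside, 1 = outside, 2 = malformed input.
ip_in_cidr() {
    addr=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print the first global-scope IPv4 address found in `ip addr` output on stdin.
container_ipv4() {
    awk '$1 == "inet" && /scope global/ { sub(/\/.*/, "", $2); print $2; exit }'
}

# verify_macvlan_ip <expected_cidr> <ip_reported_by_inspect>; `ip addr` output on stdin.
verify_macvlan_ip() {
    seen=$(container_ipv4)
    [ -n "$seen" ] || { echo "no global IPv4 address in container"; return 1; }
    [ "$seen" = "$2" ] || { echo "mismatch: ip addr=$seen inspect=$2"; return 1; }
    ip_in_cidr "$seen" "$1" || { echo "$seen is outside $1"; return 1; }
    echo "ok: $seen in $1"
}

# Sample input, trimmed from the `podman exec test ip addr` output shown above.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eth0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.188.36/24 brd 192.168.188.255 scope global eth0'

# On a live host, pipe `podman exec test ip addr` in and pass the inspect output as $2.
printf '%s\n' "$SAMPLE_IP_ADDR" | verify_macvlan_ip 192.168.188.0/24 192.168.188.36
```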
11.3. The MacVLAN plugin
You can connect containers directly to a physical network interface by using the macvlan plugin. This allows containers to appear as physical devices on the network.
Most container images do not have a DHCP client, so the dhcp plugin acts as a proxy DHCP client for the containers to interact with a DHCP server.
The host system does not have network access to the container. To allow network connections from outside the host to the container, the container has to have an IP on the same network as the host. With the macvlan plugin, you can connect a container to the same network as the host. This only applies to rootful containers. Rootless containers are not able to use the macvlan and dhcp plugins.
You can create a MacVLAN network by using the podman network create --driver=macvlan command.