Running Podman on OpenWrt

The reason for switching to Podman: dockerd conflicts with TProxy when both run on the same machine, which breaks TProxy transparent proxying. This article records the configuration process.

Device information:

root@r5c:~# ubus call system board
{
        "kernel": "6.6.69",
        "hostname": "r5c",
        "system": "ARMv8 Processor rev 0",
        "model": "FriendlyElec NanoPi R5C",
        "board_name": "friendlyarm,nanopi-r5c",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0-rc5",
                "revision": "r28304-6dacba30a7",
                "target": "rockchip/armv8",
                "description": "OpenWrt 24.10.0-rc5 r28304-6dacba30a7",
                "builddate": "1736026537"
        }
}

Installing Podman

opkg install conmon crun catatonit netavark podman external-protocol kmod-macvlan

Note the kmod-macvlan package: it is needed to create a separate VLAN network for the containers.

Configuring the OpenWrt macvlan network

The relevant configuration in /etc/config/network is as follows:

config interface 'docker102'
	option proto 'static'
	option device 'br-lan.102'
	option ipaddr '10.0.102.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list ip6class 'local'
	option ip6hint 'd0c0'

config device
	option type 'macvlan'
	option ifname 'br-lan'
	option mode 'bridge'
	option name 'br-lan.102'
	option acceptlocal '1'
	option macaddr 'EA:02:06:1F:36:C3'

In LuCI the result appears under Network -> Interfaces and under Network -> Devices (screenshots omitted).

The relevant configuration in /etc/config/firewall is as follows:

config zone
	option name 'docker102'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'docker102'

config forwarding
	option src 'docker102'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'docker102'

Configuring the Podman network

Create a macvlan network named docker102 whose parent interface is the br-lan.102 device just created in OpenWrt.

podman network create -d macvlan -o parent=br-lan.102 --ipv6 --gateway fde7:751f:4185:d0c0::1 --subnet fde7:751f:4185:d0c0::/60 --gateway 10.0.102.1 --subnet 10.0.102.0/24 docker102

Check /etc/containers/networks/docker102.json:

root@r5c:~# cat /etc/containers/networks/docker102.json
{
  "name": "docker102",
  "id": "5dea5c95c00e177887b4fead3a35eb2a3b9174d91b7382c0b2b3885a373edb81",
  "driver": "macvlan",
  "network_interface": "br-lan.102",
  "created": "2025-01-13T16:02:12.070370904Z",
  "subnets": [
    {
      "subnet": "10.0.102.0/24",
      "gateway": "10.0.102.1"
    },
    {
      "subnet": "fde7:751f:4185:d0c0::/60",
      "gateway": "fde7:751f:4185:d0c0::1"
    }
  ],
  "ipv6_enabled": true,
  "internal": false,
  "dns_enabled": false,
  "ipam_options": {
    "driver": "host-local"
  }
}

Configuring Podman

Edit /etc/containers/containers.conf:

# only two settings need to change
[network]
firewall_driver = "none" # stop Podman from modifying the OpenWrt firewall rules
default_network = "docker102" # make the docker102 network we created the default

Edit /etc/containers/storage.conf:

[storage]
graphroot = "/opt/lib/containers/storage" # the default is /var/lib, where installed containers are lost when the device reboots
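
The configuration above is spread over four files, and once firewall_driver is "none" the OpenWrt zone is the only thing controlling the containers' traffic, so it is worth checking that the pieces agree before starting containers. The script below is an added example (not from the original post or from the Podman project) that cross-checks the UCI network and firewall stanzas against containers.conf and the network JSON Podman wrote. It assumes, as in this post, that the UCI interface, the firewall zone and the Podman network share one name; the four inputs are constructed samples mirroring the files above, and on the router they can be replaced with the real files as the comment shows.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the OpenWrt UCI config
# against the Podman network file and containers.conf from this setup.
# Assumes (as in the post) that the UCI interface, the firewall zone and the
# Podman network share one name. The inputs are constructed samples; on the
# router, load the real files instead, e.g. UCI_NETWORK=$(cat /etc/config/network)
# and NET_JSON=$(cat /etc/containers/networks/docker102.json).
UCI_NETWORK=$(cat <<'EOF'
config interface 'docker102'
	option proto 'static'
	option device 'br-lan.102'
	option ipaddr '10.0.102.1'
	option ip6hint 'd0c0'

config device
	option type 'macvlan'
	option ifname 'br-lan'
	option name 'br-lan.102'
EOF
)
UCI_FIREWALL=$(cat <<'EOF'
config zone
	option name 'docker102'
	list network 'docker102'

config forwarding
	option src 'docker102'
	option dest 'wan'
EOF
)
CONTAINERS_CONF=$(cat <<'EOF'
[network]
firewall_driver = "none"
default_network = "docker102"
EOF
)
NET_JSON=$(cat <<'EOF'
{
  "name": "docker102",
  "network_interface": "br-lan.102",
  "subnets": [
    {
      "subnet": "10.0.102.0/24",
      "gateway": "10.0.102.1"
    },
    {
      "subnet": "fde7:751f:4185:d0c0::/60",
      "gateway": "fde7:751f:4185:d0c0::1"
    }
  ]
}
EOF
)

# uci_get TEXT TYPE SELECTOR OPTION: print OPTION from the TYPE section chosen by
# SELECTOR, a section name ('docker102') or key=value for anonymous sections.
uci_get() {
	printf '%s\n' "$1" | awk -v t="$2" -v sel="$3" -v want="$4" -v q="'" '
	function flush() { if (in_sec && hit && (want in opt)) { print opt[want]; found = 1 }
	                   in_sec = 0; hit = 0; split("", opt) }
	$1 == "config" { flush(); if ($2 == t) { in_sec = 1; hit = ($3 == (q sel q)) }; next }
	in_sec && ($1 == "option" || $1 == "list") {
		v = $3; gsub(q, "", v); opt[$2] = v
		k = index(sel, "="); if (k && $2 == substr(sel, 1, k - 1) && v == substr(sel, k + 1)) hit = 1
	}
	END { flush(); exit !found }'
}
# kv_get TEXT KEY: quoted string value(s) of KEY, from JSON ("key": "v") or TOML (key = "v").
kv_get() {
	printf '%s\n' "$1" | sed -n "s/^[[:space:]]*\"\{0,1\}$2\"\{0,1\}[[:space:]]*[:=][[:space:]]*\"\([^\"]*\)\".*/\1/p"
}
FAILS=0
expect() {  # expect DESCRIPTION ACTUAL WANTED
	if [ "$2" = "$3" ]; then printf 'ok   %s (%s)\n' "$1" "$2"
	else printf 'FAIL %s: got "%s", want "%s"\n' "$1" "$2" "$3"; FAILS=$((FAILS + 1)); fi
}
# check_consistency UCI_NETWORK UCI_FIREWALL CONTAINERS_CONF NET_JSON; returns 0 only if all pass.
check_consistency() {
	FAILS=0
	name=$(kv_get "$4" name | head -n 1); parent=$(kv_get "$4" network_interface | head -n 1)
	gw4=$(kv_get "$4" gateway | grep '\.' | head -n 1); gw6=$(kv_get "$4" gateway | grep ':' | head -n 1)
	hint=$(uci_get "$1" interface "$name" ip6hint)
	case "$gw6" in *":$hint::"*) v6ok=yes ;; *) v6ok=no ;; esac
	expect "default_network is $name" "$(kv_get "$3" default_network)" "$name"
	expect "Podman leaves the OpenWrt firewall alone" "$(kv_get "$3" firewall_driver)" "none"
	expect "network parent is the UCI interface device" "$(uci_get "$1" interface "$name" device)" "$parent"
	expect "that device is a macvlan" "$(uci_get "$1" device "name=$parent" type)" "macvlan"
	expect "IPv4 gateway is the router address" "$gw4" "$(uci_get "$1" interface "$name" ipaddr)"
	expect "IPv6 gateway $gw6 is in the ip6hint '$hint' prefix" "$v6ok" "yes"
	expect "a firewall zone covers $name" "$(uci_get "$2" zone "network=$name" name)" "$name"
	expect "the zone forwards to wan" "$(uci_get "$2" forwarding "src=$name" dest)" "wan"
	[ "$FAILS" -eq 0 ]
}

check_consistency "$UCI_NETWORK" "$UCI_FIREWALL" "$CONTAINERS_CONF" "$NET_JSON"
```

Run it with sh on the router after editing the files; each check prints ok or FAIL and the exit status is non-zero if anything disagrees. The checks that matter most are the last two: with firewall_driver set to "none", Podman adds no rules of its own, so if the zone did not list the interface, or forwarding to wan were missing, the containers would be cut off (or, conversely, exposed only by whatever the default zone policy happens to be). The parsers are deliberately minimal: they handle the one-key-per-line JSON Podman writes and simple UCI stanzas, not arbitrary JSON or values containing spaces.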

Starting a Podman container

root@r5c:~# podman run --rm -it jonlabelle/network-tools
✔ docker.io/jonlabelle/network-tools:latest
Trying to pull docker.io/jonlabelle/network-tools:latest...
Getting image source signatures
Copying blob db5c77ca555f done   | 
Copying blob 52f827f72350 done   | 
Copying config 1cb1759421 done   | 
Writing manifest to image destination

[network-tools]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 22:a8:cc:7a:a4:b2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.102.6/24 brd 10.0.102.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fde7:751f:4185:d0c0::7/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::20a8:ccff:fe7a:a4b2/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

[network-tools]$ ping -c 3 www.he.net
PING he.net (216.218.236.2) 56(84) bytes of data.
64 bytes from he.net (216.218.236.2): icmp_seq=1 ttl=52 time=267 ms
64 bytes from he.net (216.218.236.2): icmp_seq=2 ttl=52 time=266 ms
64 bytes from he.net (216.218.236.2): icmp_seq=3 ttl=52 time=267 ms

--- he.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 266.450/266.687/267.003/0.232 ms

[network-tools]$ ping -c 3 -6 www.he.net
PING www.he.net (2001:470:0:503::2) 56 data bytes
64 bytes from he.net (2001:470:0:503::2): icmp_seq=1 ttl=52 time=169 ms
64 bytes from he.net (2001:470:0:503::2): icmp_seq=2 ttl=52 time=169 ms
64 bytes from he.net (2001:470:0:503::2): icmp_seq=3 ttl=52 time=169 ms

--- www.he.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 168.975/169.066/169.139/0.068 ms

References:
OpenWrt as Docker container host
OpenWRT Raspberry Pi Docker & VLAN Project
How to configure Podman 4.0 for IPv6
Basic Networking Guide for Podman
Experimental Docker Libnetwork DHCP Driver
https://github.com/containers/common/blob/main/pkg/config/containers.conf
https://github.com/containers/podman/issues/21194
