Alexander Trauzzi

Reputation: 7396

How do I configure rootless containers so that they can reach the host?

I'm trying out podman as an alternative to docker and I'm having an issue where I can't seem to reach the host from my containers.

Normally in docker, I'd point anything that wants to talk to the host to 172.17.0.1, but that address doesn't seem to be working with rootless podman.

It's possible that there's something very basic that I'm missing here...

Upvotes: 1

Views: 8082

Answers (2)

Erik Sjölund

Reputation: 11398

Update 12 January 2024

Use the option --network=pasta:--map-gw if you use the pasta network driver. Soon pasta will become the default network driver in Podman instead of slirp4netns (see Jira issue RUN-1953).

Old answer

Use the option --network slirp4netns:allow_host_loopback=true

Here is an example:

Open two terminal windows.

In terminal 1 run these commands to start a web server listening on port 8080 on the host

$ mkdir dir
$ echo hello > dir/file.txt
$ cd dir
$ python3 -m http.server --bind 127.0.0.1 8080
Serving HTTP on 127.0.0.1 port 8080 (http://127.0.0.1:8080/) ...

In terminal 2 download the file file.txt with rootless Podman

$ podman run \
    --rm \
    --network slirp4netns:allow_host_loopback=true \
    docker.io/library/fedora \
      curl -s 10.0.2.2:8080/file.txt
hello

In terminal 1 this line was printed

127.0.0.1 - - [26/Nov/2022 08:27:54] "GET /file.txt HTTP/1.1" 200 -

About the system

$ podman --version
podman version 4.3.1
$ cat /etc/fedora-release
Fedora release 37 (Thirty Seven)

References

Quote from the podman run man page:

allow_host_loopback=true|false: Allow slirp4netns to reach the host loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr subnet when changed, see the cidr option below). The default is false.

Upvotes: 11
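The man page quoted above says the host loopback alias is 10.0.2.2 by default, or the second IP of the subnet given by the cidr= option. The following is an added example, not part of the answer and not Podman's own code: a small Python helper that parses a `--network slirp4netns:...` value and works out which address the container should curl, so the same recipe still works after the subnet has been changed. The option syntax handled is only the comma-separated `key=value` form shown on this page; other drivers return None.

```python
import ipaddress

# slirp4netns' default subnet; the host loopback alias is its second address (10.0.2.2)
DEFAULT_SLIRP4NETNS_CIDR = "10.0.2.0/24"


def parse_network_option(value):
    """Split a podman --network value such as
    'slirp4netns:allow_host_loopback=true,cidr=10.0.3.0/24'
    into (driver, {option: value})."""
    driver, sep, raw_opts = value.partition(":")
    options = {}
    if sep:
        for item in raw_opts.split(","):
            if not item:
                continue
            key, _, val = item.partition("=")
            options[key.strip()] = val.strip()
    return driver, options


def host_loopback_address(network_value):
    """Return the address a rootless container should use to reach services
    bound to the host's 127.0.0.1, or None when that path is not enabled.

    Only the slirp4netns driver is modelled: per the podman run man page the
    alias is 10.0.2.2 by default, or the second IP of the cidr= subnet.
    """
    driver, opts = parse_network_option(network_value)
    if driver != "slirp4netns":
        return None
    if opts.get("allow_host_loopback", "false").lower() != "true":
        return None
    subnet = ipaddress.ip_network(opts.get("cidr", DEFAULT_SLIRP4NETNS_CIDR), strict=False)
    if subnet.num_addresses < 4:
        raise ValueError(f"cidr {subnet} is too small for slirp4netns")
    # subnet[0] is the network address, so subnet[2] is the "second IP" (x.x.x.2)
    return str(subnet[2])


def host_service_url(network_value, port, path="/"):
    """Build the URL the container should request for a host service on `port`."""
    addr = host_loopback_address(network_value)
    if addr is None:
        raise ValueError("host loopback is not reachable with --network " + network_value)
    return f"http://{addr}:{port}{path}"


if __name__ == "__main__":
    opt = "slirp4netns:allow_host_loopback=true"
    print(host_service_url(opt, 8080, "/file.txt"))  # http://10.0.2.2:8080/file.txt
```

With the default subnet this yields the 10.0.2.2:8080 address used in the curl command above; with `cidr=10.0.3.0/24` it becomes 10.0.3.2, and with the option left off it returns None, which is the "can't reach the host" situation from the question.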

Jarppiko

Reputation: 51

Erik's answer is correct. However, it is good to understand that containers attached to the host network with --network=host have access to any service that is bound to the host's local loopback address.

If this is not OK for you, one workaround is to:

  1. Set up a dummy interface with IP xx.yy.zz.kk/32 and a route (with ip link add or with netplan)
  2. Define outbound_addr=xx.yy.zz.kk in .config/containers/containers.conf
  3. Create firewall rules to limit access to services bound to the host's local loopback address
  4. Create a firewall rule to masquerade the xx.yy.zz.kk IP if the container needs to connect outside the host

Create dummy interface

Manually

# load kernel module for dummy interface (run these commands as root)
modprobe dummy

# Create virtual interface
ip link add dm0 type dummy

# Add IP address
ip address add 192.168.50.1/32 dev dm0

# Bring the interface up
ip link set dm0 up

# Add route (iproute2 form; the net-tools "route" command is deprecated)
ip route add 192.168.50.1/32 dev dm0

With netplan

For systems using netplan edit /etc/netplan/netplan.yaml

network:
  version: 2
  renderer: networkd
  dummy-devices:
    dm0:
      optional: true
      addresses:
        - 192.168.50.1/32

and run netplan try.

Configure slirp4netns

Set outbound_addr in ~/.config/containers/containers.conf for the podman user. The pod's traffic will now appear to come from the set IP.

[engine]
network_cmd_options=["allow_host_loopback=true", "enable_ipv6=false", "outbound_addr=192.168.50.1"]

Firewall rules

The traffic from pods will come through the local loopback device (dev lo in nftables), but with the set IP.

Filter the traffic from the pod's IP

E.g. allow access only to TCP port 9100 (these rules are just an example).

table ip filter {
  chain input {
    type filter hook input priority 0; policy drop;

    ct state vmap { established : accept, related : accept, invalid : drop }

    # loopback interface, notice the additional "saddr" specifier
    iifname lo ip saddr 127.0.0.0/8 accept comment "accept loopback"
    ip saddr 192.168.50.1 tcp dport 9100 accept
    ip saddr 192.168.50.1 drop
  }
}

Add masquerade

# Variables used by the rule below. "eth0" is only an example; use the
# host's real outbound interface.
define net_pods = 192.168.50.1
define eth_lan = "eth0"

table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    ip saddr $net_pods oifname $eth_lan masquerade
  }
} # table NAT

Upvotes: 3
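To see which flows the input chain in this answer actually admits, here is an added Python model (not from the answer, and not nftables itself) that replays the chain's rules in their order over constructed packets. The interface names, the 203.0.113.5 peer and the flow labels are made up for illustration. The `loopback_rule_checks_saddr` switch shows why the `ip saddr 127.0.0.0/8` qualifier matters: the pod's traffic also arrives on `lo`, so a plain `iifname lo accept` would admit it to every host service before the pod-specific rules are reached.

```python
import ipaddress
from dataclasses import dataclass

# Values from the answer above: the dummy-interface address that slirp4netns
# uses as outbound_addr, and the single host TCP port the pod may reach.
POD_SRC = ipaddress.ip_address("192.168.50.1")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ALLOWED_POD_TCP_PORTS = {9100}


@dataclass
class Packet:
    """A constructed inbound packet as the nftables input hook would see it."""
    iif: str
    saddr: str
    proto: str
    dport: int
    ct_state: str = "new"


def input_chain_verdict(pkt, loopback_rule_checks_saddr=True):
    """Walk the answer's 'input' chain rule by rule and return the verdict.

    loopback_rule_checks_saddr=False models a plain 'iifname lo accept'
    rule without the 'ip saddr 127.0.0.0/8' qualifier the answer points out.
    """
    src = ipaddress.ip_address(pkt.saddr)

    # ct state vmap { established : accept, related : accept, invalid : drop }
    if pkt.ct_state in ("established", "related"):
        return "accept"
    if pkt.ct_state == "invalid":
        return "drop"

    # iifname lo ip saddr 127.0.0.0/8 accept comment "accept loopback"
    if pkt.iif == "lo" and (src in LOOPBACK or not loopback_rule_checks_saddr):
        return "accept"

    # ip saddr 192.168.50.1 tcp dport 9100 accept
    if src == POD_SRC and pkt.proto == "tcp" and pkt.dport in ALLOWED_POD_TCP_PORTS:
        return "accept"

    # ip saddr 192.168.50.1 drop
    if src == POD_SRC:
        return "drop"

    # chain policy drop
    return "drop"


# Constructed sample flows: pod traffic arrives on lo with outbound_addr as
# its source (as the answer describes), ordinary loopback traffic, and a
# LAN peer (203.0.113.5 is a documentation address, not a real host).
SAMPLE_FLOWS = {
    "pod -> host tcp 9100":     Packet("lo", "192.168.50.1", "tcp", 9100),
    "pod -> host tcp 22":       Packet("lo", "192.168.50.1", "tcp", 22),
    "pod -> host udp 53":       Packet("lo", "192.168.50.1", "udp", 53),
    "local 127.0.0.1 -> tcp 22": Packet("lo", "127.0.0.1", "tcp", 22),
    "lan peer -> tcp 22 (new)": Packet("eth0", "203.0.113.5", "tcp", 22),
    "lan reply (established)":  Packet("eth0", "203.0.113.5", "tcp", 41000, "established"),
}


def evaluate(loopback_rule_checks_saddr=True):
    """Return {flow label: verdict} for the sample flows."""
    return {name: input_chain_verdict(p, loopback_rule_checks_saddr)
            for name, p in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{verdict:6} {name}")
    # Without the saddr qualifier the pod could reach sshd over loopback:
    print(evaluate(loopback_rule_checks_saddr=False)["pod -> host tcp 22"])
```

With the answer's rules, only the pod's TCP 9100 flow and the host's own 127.0.0.1 traffic are accepted on `lo`; flip the switch and the pod's port-22 flow is accepted too, which is the leak the extra `saddr` match prevents.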
