-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Host unreachable from container with bridge network on Podman v5 #22653
Comments
Can you provide a |
@mheon sure. See below
|
I am experiencing the same issue. I am not able to connect to any port that is in use on the host. I am able to ping the host. I am also able to connect to a port that is exposed by another container. This is inside the container.
|
Can you try the 5.0 install with a container created with the |
@mheon Yep. |
@Luap99 Are we aware of this one on the Pasta side, or is this new? |
I was also using pasta before on 4.x. I upgraded from fredora 39 to 40 and podman 4.x to 5.x. pasta is set in the ~/.config/containers/containers.conf. ~/.config/containers/containers.conf
Without the pasta_options set it also fails to connect. |
i am experiencing the same issue, how to fix it? |
Experiencing the same issue here. My container host updated from CoreOS 39 to 40 yesterday. I run a certificate authority container with host network mode, and a Traefik container that is connected to a bridge network and an internal network that has all of the backend services connected for proxying through Traefik. After the update, Traefik gets connection refused when trying to connect to the CA container on the host network. |
I am not sure if this is the exact same issue. Whether I use bridge or host networking, some containers are not accessible using the host IP but they are using the container IP. For example, running nginx on 443 will result in connection refused using host IP and succeeds using the container IP regardless if I'm using host network or bridge with port mapping. Now the interesting part, I reboot the host and the problem switches to a different set of containers that become inaccessible using the host IP while the nginx starts working. Each reboot seems to transfer the problem to a different container, I haven't figured out any pattern.
Could be a different issue though as I may have had the issue on podman 4.X before upgrading. No system firewall is enabled.
Edit: I should add containers are being run from root user / systemd. |
Yes I know this, these are two issues really. Second, bridge as rootless adds the wrong host.containers.internal ip. I fixed it for |
Maybe the work in progress to make forwarding more flexible will make this less of a problem, as we'll probably be able to say stuff like "splice container socket to host socket connected to port 5000 and source 2001:fd8::1`. But anyway, it's not necessarily going to be magic and intuitive, so, let's consider the current situation, as it won't be necessarily very different with this regard. There are pretty much five ways to connect to a service running on the host, with pasta:
I think it would help if we pick one of those as recommended solution, eventually. |
I am going with |
That is what the code is supposed to do today when trying to create a ip for host.containers.internal, however for the bridge network mode it does not work currently. I try to fix this part. However I think the actual issue is still #19213, we need a way to map a arbitrary ip in the netns to the host ip and than expose it as host.containers.internal to the container. |
...that is, just like |
Yes it is important that the address is not localhost, it must be impossible for such a mapping to reach the hosts localhost address, it must only work for services listing on the external interface. |
I faced an issue with I have a pod that runs a container with a This
|
@dimazest I don't see how this is related to this issue here? |
We have to exclude the ips in the rootless netns as they are not the host. Now that fix only works if there are more than one ip one the host available, if there is only one we do not set the entry at all which I consider better as failing to resolve this name is a much better error for users than connecting to a wrong ip. It also matches what --network pasta already does. Fixes containers#22653 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We have to exclude the ips in the rootless netns as they are not the host. Now that fix only works if there are more than one ip one the host available, if there is only one we do not set the entry at all which I consider better as failing to resolve this name is a much better error for users than connecting to a wrong ip. It also matches what --network pasta already does. The test is bit more compilcated as I would like, however it must deal with both cases one ip, more than one so there is no way around it I think. Fixes containers#22653 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We have to exclude the ips in the rootless netns as they are not the host. Now that fix only works if there are more than one ip one the host available, if there is only one we do not set the entry at all which I consider better as failing to resolve this name is a much better error for users than connecting to a wrong ip. It also matches what --network pasta already does. The test is bit more compilcated as I would like, however it must deal with both cases one ip, more than one so there is no way around it I think. Fixes containers#22653 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
@lazyzyf Maybe this helps: I am experiencing this issue with service running with I start a HTTP server on the host with I execute
I execute
I set the following in [network]
default_rootless_network_cmd = "slirp4netns" See https://blog.podman.io/2024/03/podman-5-0-breaking-changes-in-detail/ section "Pasta default for rootless networking". After
Instead of reverting to [network]
pasta_options = ["--address", "10.0.2.0", "--netmask", "24", "--gateway", "10.0.2.2", "--dns-forward", "10.0.2.3"] This appears to work independently of the IP address and network mask used by the container. My system:
I came here from #22724. |
Issue Description
I am running a web service on my host, which I would expect could be accessed from a bridge networked container.
This works on Podman v4.7.2:
podman run --rm --network=bridge docker.io/mwendler/wget host.containers.internal:8091
The same does not work on v5.0.2, with
Connecting to 10.1.26.100:8091... failed: Connection refused.
Here, 10.1.26.100 is the host's eth0 address (
host.containers.internal
), but the result is the same if i use the bridge's gateway IP.Steps to reproduce the issue
Steps to reproduce the issue
podman run
with--network=bridge
host.containers.internal
or the bridge interface's gateway IPConnection refused
errorDescribe the results you received
Connections to host from a container in bridge network mode are refused under Podman v5.0.2 when previously on v4 this was not the case.
Describe the results you expected
Container in bridge network mode can connect to the host using
host.containers.internal
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
Environment is a NixOS host.
Additional information
No response
The text was updated successfully, but these errors were encountered: