Podman rootless and ufw
-
[email protected] replied to [email protected]
May I ask what services you're running, and to see your Quadlet files? I'm about to make the same move.
-
[email protected] replied to [email protected]
Does Podman actually open the ports like Docker does? I was of the impression it did not. But it's entirely possible that I might be wrong.
I would be disappointed if it did. I'm moving to Podman as well just because of the firewall issue in Docker.
-
[email protected] replied to [email protected]
I should have clarified this.
It does not open the ports, but I have set up my firewall to allow a range of IPs and the traffic is still blocked. I have noticed some inconsistency in the behavior, where the traffic would sometimes work upon ufw activation but never work upon reboot.
Knowing how docker works, I thought podman would also mess with the firewall.
But maybe the issue comes from something else.
-
[email protected] replied to [email protected]
Mainly Immich, paperless and jellyfin
-
[email protected] replied to [email protected]
I too am on the Docker-to-Podman Quadlet train! I switched from an Ubuntu server running Docker to a pretty stock uCore server with Podman.
I put all my containers in a Podman network. I'm using Nginx Proxy Manager with inside ports 80, 81, and 443 mapped to 9080, 9081, and 9443 to keep the container rootless. I have the firewall configured with port forwarding 80, 81, and 443 back to 9080, 9081, and 9443.
ucore is from the universal blue project and based on fedora's coreos, so it comes with firewalld instead of ufw.
-
[email protected] replied to [email protected]
That does sound like it's something else.
-
[email protected] replied to [email protected]
What expected problems did Podman end up surprising you with? Is the software more stable and not constantly updated like Docker? I want to move to Podman at some point as well, and I understand for a lot of cases it is just "drop in", but I run a lot of containers and I'm skeptical it'll be that simple.
Especially with software distros like home assistant and matrix both explicitly pushing you to official docker due to some features.
-
[email protected] replied to [email protected]
The hardest part for me was to switch from docker compose to quadlets, but there is podlet to help with the conversion.
-
[email protected] replied to [email protected]
I think you have an X/Y problem.
Rootless Podman requires no special firewall management. Like Docker, you merely expose what you want in the container, and if you want those ports accessible outside the machine, the firewall has to allow access - just like any other program.
How is your Podman configured? To use pasta, or slirp4netns? I often have trouble with pasta - I merely haven't spent the time to figure out the details of using it - so I always just switch (back) to slirp4netns, which was the original network tool. Do this in /etc/containers/containers.conf, or dig into pasta and see if there's something in there. The pasta package is actually called "passt."
Did you set up subuid and subgid correctly?
Did you confirm you can access your services locally?
If you are using slirp4netns and have your account configured in subuid and subgid, then rootless podman should function as any other networking program, and you shouldn't have any firewall issues.
As an aside, and just my humble opinion, I really hate firewalld. It makes firewall configurations complex and byzantine, and almost impossible to work with other tools like nft. I'm sure it is great for some people, but anytime you add more complexity to a configuration, you add more opportunity for something to be incorrectly configured. I hate fighting with it, and have had times where I struggled to get it to open a port: I was in the wrong "zone", or was in persistent mode rather than runtime mode, or whatever. It's just unnecessary added complexity, and lately if the distro installs it I just uninstall it first thing and use nft.
If you followed the rootless podman wiki and everything else looks good, I'd look suspiciously at firewalld.
-
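The checklist in the post above (which rootless network backend containers.conf selects, whether subuid/subgid are set up, whether the published port is actually listening on the host, and only then the firewall) as a script. This is an added example and not code from the thread or from the Podman project. Each check is a function that takes its input as text or a file path, so the parsing can be exercised against constructed ss and ufw output without Podman installed; passing a port number on the command line runs the same checks against the live host. Port 9080 and the 192.168.1.0/24 range in the hints are assumptions borrowed from other posts in this thread.

```shell
#!/usr/bin/env bash
# Added diagnostic for rootless Podman behind ufw (example, not from the thread).
# Each check is a function that takes its input as text or a file path, so it
# can be exercised against constructed samples; the driver at the bottom feeds
# live command output when a port number is passed on the command line.
set -u

# Which rootless network backend does containers.conf select? Podman 5 defaults
# to pasta when the key is absent; the post above switches it to slirp4netns.
rootless_net_cmd() {
  local conf=$1 v=
  [ -r "$conf" ] && v=$(sed -n \
    's/^[[:space:]]*default_rootless_network_cmd[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
    "$conf" | tail -n 1)
  printf '%s\n' "${v:-pasta}"
}

# Does USER own a subordinate ID range of at least MIN ids in FILE
# (/etc/subuid or /etc/subgid)? Rootless Podman cannot build its user
# namespace without one, and the failure can look like a networking problem.
subid_ok() {
  local file=$1 user=$2 min=${3:-65536} line count
  [ -r "$file" ] || return 1
  while IFS= read -r line; do
    case $line in "$user:"*) ;; *) continue ;; esac
    count=${line##*:}
    [ "$count" -ge "$min" ] 2>/dev/null && return 0
  done < "$file"
  return 1
}

# Given `ss -ltn` output, is TCP PORT listening on a wildcard address? A
# rootless PublishPort= shows up here as an ordinary socket owned by pasta or
# slirp4netns; a 127.0.0.1 binding would explain "works locally, not from LAN".
port_listening() {
  local ss_out=$1 port=$2
  printf '%s\n' "$ss_out" | awk -v p=":$port" '
    $1 == "LISTEN" && $4 ~ ("^(0\\.0\\.0\\.0|\\*|\\[::\\])" p "$") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Given `ufw status` output, is TCP PORT allowed (listed as "9080/tcp" or as a
# bare "9080", from anywhere or from a specific source range)?
ufw_allows() {
  local status=$1 port=$2
  printf '%s\n' "$status" | awk -v p="$port" '
    ($1 == p || $1 == (p "/tcp")) && $2 == "ALLOW" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Live run on the host: ./check-rootless-net.sh 9080
if [ $# -ge 1 ]; then
  port=$1 me=$(id -un)
  echo "rootless network backend: $(rootless_net_cmd /etc/containers/containers.conf)"
  for f in /etc/subuid /etc/subgid; do
    if subid_ok "$f" "$me"; then echo "ok: $me has a range in $f"
    else echo "MISSING: no range (>=65536) for $me in $f; add e.g. '$me:100000:65536'"; fi
  done
  if port_listening "$(ss -ltn)" "$port"; then echo "ok: host listens on *:$port"
  else echo "NOT LISTENING on *:$port: is the container up, and PublishPort= set?"; fi
  if ufw_allows "$(sudo ufw status)" "$port"; then echo "ok: ufw allows $port/tcp"
  else echo "BLOCKED by ufw; e.g. sudo ufw allow from 192.168.1.0/24 to any port $port proto tcp"; fi
fi
```

The order matters: if the socket is not listening on 0.0.0.0 or [::], no ufw rule will help, and if the subordinate ID ranges are missing the container never started properly in the first place. A per-user ~/.config/containers/containers.conf overrides the system file, so point rootless_net_cmd at that path too if one exists.
-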
[email protected] replied to [email protected]
Yes, maybe. I will edit my post to better explain the issue I'm facing.
I'm using pasta. I can see some weird things; for instance, some services can access others through host.containers.internal, and for others I have to use 192.168.1.x.
-
[email protected] replied to [email protected]
I stayed with podman compose. Do the quadlets have an advantage?
-
[email protected] replied to [email protected]
I switched at work because of the license changes Docker did. I noticed that for my work workflow, Podman was a direct replacement for Docker.
For my homelab, I wanted to experiment with rootless and I also prefer to have my services handled by systemd. Also I really like the built-in auto update from podman
-
[email protected] replied to [email protected]
I wanted to do something similar. But I grouped some containers using pods and it seems it broke the networking.
Eventually I kept the pods, and exposed everything to the host where caddy can meet the services there. Not the cleanest way, especially as my firewall is turned off.
-
[email protected] replied to [email protected]
Ah, you may need to make sure the pods are added to the network. I specified the network in the .pod Quadlet.
I'm kinda digging the Podman network setup as I don't have to map a bunch of port 80s to ports on the host and keep track of them. I can just tell the proxy whatever service is running on http://{container_name}:80. That is, after I found out I needed to make a new Podman network because the default "podman" network doesn't do DNS lol.
-
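The layout from the post above as Quadlet units: one user-defined network, a reverse proxy published on unprivileged host ports, and a backend that is reached by container name and publishes nothing, plus a small lint for the pitfall the post mentions (units that land on the default "podman" network, which has no DNS). This is an added example, not from the thread or from the Podman project. The network name lab, the container names proxy and jellyfin, the Nginx Proxy Manager and Jellyfin images, the volume names and the 9080/9081/9443 host ports are assumptions; adapt them. Without arguments the script only defines the functions; with --install it writes the units under ~/.config/containers/systemd and starts them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): scaffold a rootless Quadlet layout where
# the reverse proxy reaches backends by container name on a dedicated,
# DNS-enabled network, and lint the units for the "default network" pitfall.
# Names, images, volumes and ports below are assumptions.
set -u

# Write lab.network plus two .container units into DIR.
write_quadlets() {
  local dir=$1
  mkdir -p "$dir"
  # A user-defined network has DNS enabled by default; the built-in "podman"
  # network does not, which is why name-based upstreams fail there.
  cat > "$dir/lab.network" <<'EOF'
[Network]
NetworkName=lab
# DisableDNS=false is the default; leave it so container names resolve.
EOF
  cat > "$dir/proxy.container" <<'EOF'
[Unit]
Description=Nginx Proxy Manager, rootless
[Container]
Image=docker.io/jc21/nginx-proxy-manager:latest
ContainerName=proxy
Network=lab.network
# A rootless user cannot bind ports below 1024 unless
# net.ipv4.ip_unprivileged_port_start is lowered, so publish on high ports
# and redirect 80/81/443 to them in the host firewall (see the driver below).
PublishPort=9080:80
PublishPort=9081:81
PublishPort=9443:443
Volume=npm-data:/data
Volume=npm-letsencrypt:/etc/letsencrypt
AutoUpdate=registry
[Service]
Restart=always
[Install]
WantedBy=default.target
EOF
  cat > "$dir/jellyfin.container" <<'EOF'
[Unit]
Description=Jellyfin, reachable as http://jellyfin:8096 from the proxy only
[Container]
Image=docker.io/jellyfin/jellyfin:latest
ContainerName=jellyfin
Network=lab.network
Volume=jellyfin-config:/config
AutoUpdate=registry
# No PublishPort=: nothing on the host, so nothing to open in the firewall.
[Service]
Restart=always
[Install]
WantedBy=default.target
EOF
}

# List .container units in DIR that would land on the default "podman"
# network (no Network= line, or Network=podman); return 1 if any.
lint_networks() {
  local dir=$1 f net bad=0
  for f in "$dir"/*.container; do
    [ -e "$f" ] || continue
    net=$(sed -n 's/^Network=//p' "$f" | head -n 1)
    case ${net:-} in
      ""|podman) echo "$f: on the default podman network, container names will not resolve"; bad=1 ;;
    esac
  done
  return "$bad"
}

if [ "${1:-}" = --install ]; then
  dir=${QUADLET_DIR:-$HOME/.config/containers/systemd}
  write_quadlets "$dir"
  lint_networks "$dir"
  systemctl --user daemon-reload
  systemctl --user start proxy.service jellyfin.service
  # firewalld (as on uCore): redirect the privileged ports to the published ones.
  #   sudo firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=9080
  #   sudo firewall-cmd --permanent --add-forward-port=port=443:proto=tcp:toport=9443
  #   sudo firewall-cmd --reload
  # ufw has no one-line equivalent: add a nat PREROUTING REDIRECT rule to
  # /etc/ufw/before.rules, or lower net.ipv4.ip_unprivileged_port_start instead.
fi
```

Because Quadlet names the container systemd-<unit> unless ContainerName= is set, the backend gets an explicit ContainerName=jellyfin so the proxy's upstream http://jellyfin:8096 resolves. AutoUpdate=registry only does something once the user-level podman-auto-update.timer is enabled.
-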
[email protected] replied to [email protected]
Ah, I think you may have solved part of the problem. I tried to use a network and have container name resolution but it failed. That's why I went with pods and published ports directly to the host.
I will try to use a dedicated network with DNS on, thanks!
-
[email protected] replied to [email protected]
If it works for you, there is no reason to switch.
The benefit for me is mostly the systemd integration (e.g. do a simple DB backup before running the container using StartExecPre) & the corresponding unified logging with journalctl. Then there is auto update and boot persistence without having to run an additional process.
-
[email protected] replied to [email protected]
Cheers!
-