Podman rootless and ufw

Submitted ⁨⁨1⁩ ⁨year⁩ ago⁩ by ⁨kwa@lemmy.zip⁩ to ⁨selfhosted@lemmy.world⁩

I had to restore my homelab and took the opportunity to move from docker to rootless podman quadlets. Well almost full rootless, I kept pi-hole and caddy at the root level because I did not want to deal with sysctl.

I have everything running but for now I have to disable my firewall. With docker I was using this script: github.com/chaifeng/ufw-docker But I’m having a hard time finding an alternative for podman.

Do you know how any scripts that would magically fix podman and ufw? Would it be a better solution for me to manage iptables manually?

My needs are pretty simple as I do not really care if the ports are visible on my private network, I just want to allow specific IPs on port 80 and 443.

source

Comments

Sort:hotnew top

azron@lemmy.ml ⁨1⁩ ⁨year⁩ ago
What expected problems did podman end up surorising you with? Is the software more stable and not constantly updated like docker? I want to move to podman at some point as well and I understand for a lot of cases it is just “drop in” but I run a lot of containers and I’m skeptical it’ll be that simple.

Especially with software distros like home assistant and matrix both explicitly pushing you to official docker due to some features.

source
- kwa@lemmy.zip ⁨1⁩ ⁨year⁩ ago
  I switched at work because of the license changes docker did. I noticed that for my work workflow, podman was a direct remplacement of docker.
  
  For my homelab, I wanted to experiment with rootless and I also prefer to have my services handled by systemd. Also I really like the built-in auto update from podman
  
  source
- Mora@pawb.social ⁨1⁩ ⁨year⁩ ago
  The hardest part for me was to switch from docker compose to quadlets, but there is podlet to help with the conversion.
  
  github.com/containers/podlet
  
  source
  - GravitySpoiled@lemmy.ml ⁨1⁩ ⁨year⁩ ago
    I stayed with podman compose. Do the quadlets have an advantage?
    
    source
    -> View More Comments
giacomo@lemm.ee ⁨1⁩ ⁨year⁩ ago
i too am on the docker to podman quadlet train! i switched from a ubuntu server running docker to a pretty stock ucore server with podman.

i put all my containers in a podman network. im using nginx proxy manager with inside ports 80, 81, and 443 mapped to 9080, 9081, and 9443 to keep the container rootless. i have the firewall configured witn port forwarding 80, 81, and 443 back to 9080, 9081, and 9443.

ucore is from the universal blue project and based on fedora’s coreos, so it comes with firewalld instead of ufw.

source
- kwa@lemmy.zip ⁨1⁩ ⁨year⁩ ago
  I wanted to do something similar. But I grouped some containers using pods and it seems it broke the networking.
  
  Eventually I kept the pods, and exposed everything to the host where caddy can meet the services there. Not the cleanest way, especially as my firewall is turned off.
  
  source
  - giacomo@lemm.ee ⁨1⁩ ⁨year⁩ ago
    ah you may need to make sure the pods are added to the network. i specified the network in the .pod quadlet.
    
    im kinda digging the podman network setup as I dont have to map a bunch of port 80s to ports on the host and keep track of them. i can just tell the proxy whatever service is running on http://{container_name}:80. that is, after I found out I needed to make a new podman network because the default “podman” network doesn’t do DNS lol.
    
    source
    -> View More Comments
nis@feddit.dk ⁨1⁩ ⁨year⁩ ago
Does Podman actually open the ports like Docker do? I was op the impression it did not. But it’s entirely possible that I might be wrong.

I would be disappointed if it did. I’m moving to Podman as well just because of the firewall issue in Docker.

source
- kwa@lemmy.zip ⁨1⁩ ⁨year⁩ ago
  I should have clarified this. It does not open the ports, but I have setup my firewall to allow a range of IP and the traffic is still blocked.
  
  I have noticed some inconsistency in the behavior, where the traffic would sometimes work upon ufw activation but never work upon reboot. Knowing how docker works, I thought podman would also mess with the firewall. But maybe the issue comes from something else.
  
  source
  - sxan@midwest.social ⁨1⁩ ⁨year⁩ ago
    I think you have an X/Y problem.
    
    Rootless podman requires no special firewall management. Like docket, you mearly expose you want in the container, and if you want those ports accessible outside the machine, the firewall has to allow access - just like any other program.
    
    How is your podman configured? To use pasta, or slirp4netns? I often have trouble with pasta - I merely haven’t spent the time to figure out the details of using it - so I always just switch (back) to slirp4netns, which was the original network tool. Do this in /etc/containers/containers.conf, or dig into pasta and see if there’s something in there. The pasta package is actually called “passt.”
    
    Did you set up subuid and subgid correctly?
    
    Did you confirm you can access your services locally?
    
    If you are using slirp4netns and have your account configured in subuid and subgid, then rootless podman should function as any other networking program, and you shouldn’t have any firewall issues.
    
    As an aside, and just my humble opinion, I really hate firewalld. It makes firewall configurations complex and byzantine, and almost impossible to work with with other tools like nft. I’m sure it is great for some people, but anytime you add more complexity to a configuration, you add more opportunity for something to be incorrectly configured. I hate fighting with it, and have had times where I struggled to get it to open a port: I was in the wrong “zone”, or was in persistent mode rather than runtime mode, or whatever. It’s just unnecessary added complexity, and lately if the distro installs it I just uninstall it first thing and use nft.
    
    If you followed the rootless podman wiki and everything else looks good, I’d look suspiciously at firewalld.
    
    source
    -> View More Comments
  - nis@feddit.dk ⁨1⁩ ⁨year⁩ ago
    That does sound like it’s something else.
    
    source
fenndev@leminal.space ⁨1⁩ ⁨year⁩ ago
May I ask what services you’re running, and to see your Quadlet files? I’m about to make the same move.

source
- kwa@lemmy.zip ⁨1⁩ ⁨year⁩ ago
  Mainly Immich, paperless and jellyfin
  
  source
GravitySpoiled@lemmy.ml ⁨1⁩ ⁨year⁩ ago
Fedora server has cockpit preinstalled. With cockpit it’s very easy to adjust the firewall.

It’s not a direct solution to your problem but may show you what else is possible

source
- nutbutter@discuss.tchncs.de ⁨1⁩ ⁨year⁩ ago
  
  source