Can't access exposed rootful podman container from outside of host device

Submitted ⁨⁨1⁩ ⁨week⁩ ago⁩ by ⁨confusedpuppy@lemmy.dbzer0.com⁩ to ⁨selfhosted@lemmy.world⁩

As of right now, I currently have a working Docker container for Caddy which can successfully get TLS certs and I am able to access my own test site with an external web browser.

What I want to do use the same files (Dockerfile, docker-compose.yml and Caddyfile) to do the same with Podman Compose. When I run podman compose up -d I am able to build the Caddy container and it will also successfully get it’s own TLS cert.

docker-compose.yml

services: caddy: container_name: caddy build: . restart: always ports: - 80:80 - 5050:443 volumes: - ./Caddyfile:/etc/caddy/Caddyfile - caddy_data:/data - caddy_config:/config - /home/sxc-pi/shared/:/srv:Z networks: - reverse_proxy volumes: caddy_data: caddy_config: networks: reverse_proxy: external: true

While on the same device, I can use curl localhost:5050 and get the message Client sent an HTTP request to an HTTPS server. which is the same result as if I were using Docker. If I try to access my site through my domain name or local network ip address from an external device, the connection times out.

I didn’t make any changes to my firewall or router’s port forwarding because I expect Rootful Podman Compose to work similar to Docker.

I checked iptables and below are the differences between using Docker and Podman but I don’t really know networking enough to understand what it’s really saying

iptables differences

sxc-pi:/srv/caddy$ diff ~/iptables-docker ~/iptables-podman — /home/sxc-pi/iptables-docker +++ /home/sxc-pi/iptables-podman @@ -31,8 +31,6 @@ Chain DOCKER (2 references) target prot opt source destination -ACCEPT tcp – anywhere 172.18.0.2 tcp dpt:https -ACCEPT tcp – anywhere 172.18.0.2 tcp dpt:http DROP all – anywhere anywhere DROP all – anywhere anywhere @@ -70,15 +68,20 @@ Chain NETAVARK_FORWARD (1 references) target prot opt source destination DROP all – anywhere anywhere ctstate INVALID +ACCEPT all – anywhere 10.89.0.0/24 ctstate RELATED,ESTABLISHED +ACCEPT all – 10.89.0.0/24 anywhere Chain NETAVARK_INPUT (1 references) target prot opt source destination +ACCEPT udp – 10.89.0.0/24 anywhere udp dpt:domain +ACCEPT tcp – 10.89.0.0/24 anywhere tcp dpt:domain Chain NETAVARK_ISOLATION_2 (1 references) target prot opt source destination Chain NETAVARK_ISOLATION_3 (0 references) target prot opt source destination +DROP all – anywhere anywhere NETAVARK_ISOLATION_2 all – anywhere anywhere Chain ufw-after-forward (1 references)

I’ve also rebooted after starting the Podman containers incase there were any iptables issues but that still didn’t help.

I’ve searched what I can but haven’t gotten anything to work or get me closer to finding an answer.

I’m hoping to use Rootless Podman if I can figure this out, if not I have Docker as a fall back plan.

Any help or insight would be appreciated.

source

Comments

Sort:hotnew top

InnerScientist@lemmy.world ⁨1⁩ ⁨week⁩ ago

Use ss -tlpn or podman ps to show what ports podman I’d listening on, my guess is it is only listening on localhost.

source

confusedpuppy@lemmy.dbzer0.com ⁨1⁩ ⁨week⁩ ago

podman ps shows the following:

CONTAINER ID  IMAGE                                 COMMAND               CREATED         STATUS         PORTS                                                         NAMES
daae60bdcc65  docker.io/library/caddy-caddy:latest  caddy run --confi...  47 minutes ago  Up 47 minutes  0.0.0.0:80->80/tcp, 0.0.0.0:5050->443/tcp, 2019/tcp, 443/udp  caddy

netstat -tunpl shows the following:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:5025            0.0.0.0:*               LISTEN      3270/sshd: /usr/sbi 
tcp        0      0 0.0.0.0:5050            0.0.0.0:*               LISTEN      7342/conmon         
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7342/conmon         
tcp        0      0 10.89.0.1:53            0.0.0.0:*               LISTEN      7336/aardvark-dns   
tcp6       0      0 :::5025                 :::*                    LISTEN      3270/sshd: /usr/sbi 
udp        0      0 10.89.0.1:53            0.0.0.0:*                           7336/aardvark-dns

The only difference for the netstat command between Docker and Podman is that Podman show’s entries for aardvark-dns and Docker does not which is something I expect.

source

InnerScientist@lemmy.world ⁨1⁩ ⁨week⁩ ago
Disable the firewall if you can to check if that’s the issue, then do a tcpdump using root with the port. Do tcpdump inside the container too and compare what you see to the docker environment.

Is caddy-caddy really the correct image?

Try with this command, it’s the minimal setup that works by default (on my machine): podman run -p 0.0.0.0:5050:80 docker.io/library/caddy:latest

source

fluckx@lemmy.world ⁨1⁩ ⁨week⁩ ago
Connections timing out have always been a firewall issue for me.

Client sends packet, firewall drops packet, client waits for a reply that’ll never come. Client times out.

I would check firewall logs or temporarily disable it to see if it works without it.

so yeah check the firewall on the server, the client and in between ( if any ). That’s what I would do.

source
- MysteriousSophon21@lemmy.world ⁨1⁩ ⁨week⁩ ago
  100% agree on the firewall being the culprit, i’d check if podman uses different chain names in iptables than docker does - try running sudo iptables -I INPUT 1 -p tcp --dport 5050 -j ACCEPT to see if that fixes it.
  
  source