Closed ivanov17 closed 2 years ago
@ivanov17 , can you access container IP address from host namespace?
@ivanov17 , generally speaking ... if you try accessing localhost from the host namespace hoping to get to a container, I don't think it would work, because there are no rules accomplishing that. There is some work left "to do" with this plugin.
+1
I am facing the same issue (for obvious reasons). This is kind of bugging me; even though basically everything works fine, it would be great to access the containers via localhost.
@greenpau do you plan to implement that?
@micaeb , did not have a chance to look at it. Hoping someone else would fix it :-)
The problem is that the prerouting hook will trigger only for packets from a real device or bridge and won't work for outgoing packets from the local machine. For details see https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks. It is possible to do local DNAT, as DNAT statements will work in the output hook.
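One way to supply that output-hook DNAT, shown here as an added example that is not the plugin's own ruleset and not taken from this thread. The container address 10.88.0.2, the bridge name cni-podman0 and the published port 80 are assumed values; the prerouting rule stands in for whatever the portmap plugin already installs, and the output chain is the piece this comment says is missing:

```nft
# Added example, not the plugin's ruleset. Assumed values:
#   container IP 10.88.0.2, bridge cni-podman0, published host port 80.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Only packets that arrive on a real interface or on the bridge
        # traverse this hook, so this rule never sees the host's own traffic.
        tcp dport 80 dnat to 10.88.0.2:80
    }

    chain output {
        type nat hook output priority -100; policy accept;
        # Locally generated packets enter netfilter at the output hook
        # instead of prerouting, so the same DNAT is repeated here, limited to
        # destinations that are local addresses of this host (127.0.0.1 as
        # well as the VM's own address).
        fib daddr type local tcp dport 80 dnat to 10.88.0.2:80
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # A connection that started as 127.0.0.1 -> 127.0.0.1 is rerouted out
        # of the bridge after the output DNAT; rewrite its source so the
        # container answers to the bridge address rather than to a loopback
        # address it cannot route.
        oifname "cni-podman0" tcp dport 80 masquerade
        # Ordinary source NAT for traffic originating in the containers.
        ip saddr 10.88.0.0/16 masquerade
    }
}
```

The output chain alone is enough for the case where the host connects to its own non-loopback address. For the 127.0.0.1 case the kernel still treats a rerouted packet with a loopback source as martian, so `net.ipv4.conf.all.route_localnet=1` (or the same sysctl on the bridge interface) has to be set as well; without it the connection hangs exactly as described in this issue. Once the output chain is in place, `nft list ruleset` should show the DNAT counters on that chain increasing when curl is run against localhost on the host.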
As I previously wrote, I have been trying to use podman on CentOS 8 running on qemu/kvm virtual machine. I removed firewalld and I use nftables directly now.
Unfortunately, I have some troubles with my nftables rules and an issue related to access to localhost ports inside the virtual machine.
When I start the nginx container and try to access localhost on port 80, the connection hangs until I interrupt it:
It also happens if I try to access port 80 using the IP address of my virtual machine from inside the VM:
Outside the VM, I can access the container's port without any problem (if I remove the reject rule from the forward chain of the inet filter table, of course):

When I stop the nginx container, install a package with another web server on the virtual machine and then try to access port 80 on localhost inside the VM, I reach it successfully:
I didn't create another CentOS 8 VM with the default configuration running firewalld to test access to localhost ports. But I use firewalld and podman on Fedora 32 on my home machine and I can access port 80 on localhost running the same nginx container.
It looks like there is an issue with rules set by CNI plugins.
This is a listing of my nftables ruleset when the container is running:
This is my CNI configuration:
Podman version and system info: