Selfhosted

41638 readers

610 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

[email protected]

Podman rootless and ufw (lemmy.zip)

submitted 11 hours ago* (last edited 3 hours ago) by [email protected] to c/[email protected]

17 comments fedilink hide all child comments

I had to restore my homelab and took the opportunity to move from docker to rootless podman quadlets. Well almost full rootless, I kept pi-hole and caddy at the root level because I did not want to deal with sysctl.

I have everything running but for now I have to disable my firewall. With docker I was using this script: https://github.com/chaifeng/ufw-docker But I’m having a hard time finding an alternative for podman.

Do you know how any scripts that would magically fix podman and ufw? Would it be a better solution for me to manage iptables manually?

My needs are pretty simple as I do not really care if the ports are visible on my private network, I just want to allow specific IPs on port 80 and 443.

Edit: the issue I’m facing is that I’m allowing some specific IPs to access my network, but when I enable ufw the traffic is blocked. I had the same rules using docker and everything was working fine. I can notice that sometimes the traffic goes through and other time it is blocked. Much like with docker when you don’t use the script and the traffic will be blocked or not depending on what wrote the iptables rules last.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 1 points 4 hours ago* (last edited 3 hours ago) (1 children)

I think you have an X/Y problem.

Rootless podman requires no special firewall management. Like docker, you mearly expose you want in the container, and if you want those ports accessible outside the machine, the firewall has to allow access - just like any other program.

How is your podman configured? To use pasta, or slirp4netns? I often have trouble with pasta - I merely haven't spent the time to figure out the details of using it - so I always just switch (back) to slirp4netns, which was the original network tool. Do this in /etc/containers/containers.conf, or dig into pasta and see if there's something in there. The pasta package is actually called "passt."

Did you set up subuid and subgid correctly?

Did you confirm you can access your services locally?

If you are using slirp4netns and have your account configured in subuid and subgid, then rootless podman should function as any other networking program, and you shouldn't have any firewall issues.

As an aside, and just my humble opinion, I really hate firewalld. It makes firewall configurations complex and byzantine, and almost impossible to work with with other tools like nft. I'm sure it is great for some people, but anytime you add more complexity to a configuration, you add more opportunity for something to be incorrectly configured. I hate fighting with it, and have had times where I struggled to get it to open a port: I was in the wrong "zone", or was in persistent mode rather than runtime mode, or whatever. It's just unnecessary added complexity, and lately if the distro installs it I just uninstall it first thing and use nft.

If you followed the rootless podman wiki and everything else looks good, I'd look suspiciously at firewalld.

[–] [email protected] 1 points 3 hours ago

Yes maybe, I will edit my post to better explain the issue I’m facing.

I’m using pasta. I can see some weird, for instance some services can access other through host.containers.internal and for others, I have to use 192.168.1.x