Enabling a quadlet container that can connect back to the host

[flixman]

Hi! I have the following files defining quadlets. My problem is that from the container I cannot connect back to the host. I am creating a new network because I have read that the bridge network that is already existing cannot be configured after started. I have added an option to that network, but... It is still not working and I cannot see what I am doing wrong:

~/.config/containers/systemd/podman-gitea-redis.container

[Unit]
PartOf=podman-gitea-pod.service

[Service]
Restart=always

[Container]
Image=docker.io/library/redis:alpine
Pod=podman-gitea.pod

~/.config/containers/systemd/podman-gitea-gitea.container

[Unit]
Requires=podman-gitea-redis.service
After=podman-gitea-redis.service
PartOf=podman-gitea-pod.service

[Service]
Restart=always

[Container]
EnvironmentFile=%h/gitea/config/gitea.env
Image=docker.io/gitea/gitea:latest
Pod=podman-gitea.pod
Volume=/home/ubuntu/gitea/data:/data
Volume=/etc/localtime:/etc/localtime:ro
Volume=/home/ubuntu/ca.crt:/etc/ssl/cert.pem:ro

~/.config/containers/systemd/gitea.network

[Network]
Options=pasta:--map-gw

~/.config/containers/systemd/podman-gitea.pod

[Pod]
PublishPort=10.44.0.1:3000:3000
Network=gitea.network

[Install]
WantedBy=default.target

[flixman]

Seems to be fixed by not using an ad-hoc network and, instead, using AddHost at the pod level, pointing to host-gateway. Is this the recommended approach?

[sbrivio-rh]

If you're using a recent version of Podman and rootless containers, you might want to check https://blog.podman.io/2024/10/podman-5-3-changes-for-improved-networking-experience-with-pasta/.

[flixman]

@sbrivio-rh Thank you for your answer: Seems I have walked the full circle to.... come back to the same issue :-/. The container is still rootless and I need to connect to a veth that I have on the host (10.255.255.1), but I cannot make it work. From a simple command line this is what I am doing:

svc_postgres@k3s:~$ podman run -it --dns=10.255.255.1 alpine sh -c "apk add --no-cache openldap-clients && ip route && ldapwhoami -H ldaps://ldap.host.internal:1636 -D 'uid=authelia,ou=functional,dc=test,dc=lan' -w 'authelia_ldap_pass'"
(1/5) Installing gdbm (1.26-r0)
(2/5) Installing libsasl (2.1.28-r9)
(3/5) Installing libldap (2.6.10-r0)
(4/5) Installing libuuid (2.41.2-r0)
(5/5) Installing openldap-clients (2.6.10-r0)
Executing busybox-1.37.0-r29.trigger
OK: 9 MiB in 21 packages
default via 192.168.123.1 dev ens1  metric 1024 
192.168.123.0/24 dev ens1 scope link  metric 1024 
192.168.123.0/24 dev ens1 scope link  src 192.168.123.3  metric 1024 
192.168.123.1 dev ens1 scope link  metric 1024 
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I have multiple containers that I am running with different users, all of them binding to 10.255.255.1. By doing this I hope to mitigate the possibility that, if an attacker manages to break out of the container, only that container will be impacted... but because the containers do not see each other I am having these other challenges. My objective is to let this container to reach 10.255.255.1 on the host, and nothing else.

I am using podman 5.4. Do you know if this is possible?