Date: Wed, 28 Jun 2023 21:43:04 +1000
From: David Gibson
To: "jklaiho@iki.fi"
Cc: passt-user@passt.top
Subject: Re: Pasta-networked rootless Podman container gets Connection Refused with the host's public IP

On Wed, Jun 28, 2023 at 11:02:55AM +0300, jklaiho@iki.fi wrote:
> Hi; I previously asked this on the Podman mailing list, but I'm not
> sure if the issue in question is a feature of Podman or Passt (or
> both), and I got no replies from the Podman list, so I figured I'd
> try here as well.

This behaviour is a property of passt. It's a consequence of a tradeoff
that we make differently from slirp or kernel masquerading approaches.
Pasta (usually) avoids NAT, which can avoid a number of problems, but
the way it does this is by giving the container the host's IP address
(or one of them, if the host has multiple). The tradeoff is that that
implies the container can't contact the host by that IP address.

> We're running some rootless Podman containers set up to use Pasta
> 2023_03_29.b10b983 for networking. One of the containers needs to
> access the host machine port 443 with its public IP address, but
> this causes a Connection Refused error. Any other public IP is
> accessible normally.

Right, this is expected. Because the container itself also has that
IP, it will route that traffic to itself. It will never even reach
pasta, let alone the host. I'm assuming there's no server on that port
in the container, hence, connection refused.

> This is specific to the containers; the host has no problem
> accessing itself with the public IP.
>
> The containers are set up with systemd generators (quadlet), with
> networking configured very simply:
>
> "Network=pasta:-t,auto,-T,auto"
>
> Podman has a --map-gw option useable with Pasta that seemed like it
> might help, but it didn't.
>
> "Network=pasta:--map-gw,-t,auto,-T,auto" fails like this at container
> startup:
>
> Error: failed to start pasta:
> Port forwarding mode 'none' conflicts with previous mode
>
> "Network=pasta:-t,auto,-T,auto,--map-gw" started the container fine,
> but did not fix the Connection Refused error. Apparently --map-gw
> just isn't the right option here.

It's odd that those last two approaches gave different results, AFAIK
just changing the order of options shouldn't make a difference here.

But in any case, --map-gw (which from pasta's point of view is removing
the --no-map-gw option) will not do what you want for two reasons.

1. map-gw does provide a means for the container to access the host,
   but it's not via the host's normal public IP (that's impossible if
   the guest has it). Instead it repurposes the IP of the default
   gateway to refer to the host when used from the container. So to use
   this you'd need to change the address that your clients in the
   container use, which I gather isn't possible.

2. With map-gw, traffic forwarded appears on the host side to both come
   from and go to the loopback interface. That is, from the server's
   point of view the connection will go to 127.0.0.1, not the host's
   public IP. AIUI that won't work for your situation.

> I don't know if the inability to contact the public IP is a feature
> of Podman or Pasta, but I'm hoping you're able to at least narrow it
> down for me.
>
> Is there a workaround on the Pasta side?

Maybe. You can add the -a option to the pasta command line which will
tell it to assign the given address to the guest instead of the host's
address. This should make the host contactable using its public IP.
However, it may cause other issues, since the container's IP as it sees
itself will no longer be the same as the container's IP as things
outside see it. You'll obviously also have to pick an address which
won't conflict with anything else the guest needs to contact.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
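As an added illustration of the two points above (the container owning the host's address, and picking an address for pasta's -a option), here is a small POSIX shell diagnostic; it is not code from the thread, passt or Podman. Given the `ip -o -4 addr show` output from inside the container, it reports whether the address you are trying to reach is the container's own (in which case the kernel delivers the connection locally and it never reaches pasta), and it sanity-checks a candidate address for -a against the addresses already in use and the gateway's network. The sample `ip` output, the RFC 5737 addresses, the gateway 203.0.113.1 and the /24 prefix are constructed; the subnet check assumes you keep the host's gateway and prefix length rather than also changing them.

```shell
#!/bin/sh
# Added diagnostic (not from the thread, passt or Podman).
# Constructed sample of `ip -o -4 addr show` as seen inside a pasta container
# that was handed the host's public address; 203.0.113.0/24 is an RFC 5737
# documentation range standing in for the real one.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Return 0 if IP ($1) is configured on a local interface according to the
# `ip -o -4 addr` text in $2.  Inside the container, "local" means the kernel
# delivers a connection to that address to the container itself: it never
# reaches pasta, and with no server listening there you get Connection Refused.
addr_is_local() {
    printf '%s\n' "$2" | awk -v want="$1" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "inet") {
                    split($(i + 1), cidr, "/")
                    if (cidr[1] == want) found = 1
                }
        }
        END { exit found ? 0 : 1 }'
}

# Dotted quad -> 32-bit integer using only POSIX sh arithmetic.
ip4_to_int() {
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if addresses $1 and $2 share the same /$3 network.
same_subnet() {
    a=$(ip4_to_int "$1"); b=$(ip4_to_int "$2")
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# Sanity-check a candidate for `pasta -a`: it must not already be in use
# locally, and (assumption: the host's gateway and prefix length are kept)
# it should sit in the gateway's network so the default route stays on-link.
check_candidate() {
    cand="$1"; gw="$2"; plen="$3"; addrs="$4"
    if addr_is_local "$cand" "$addrs"; then
        echo "$cand: already configured locally, pick another address"
        return 1
    fi
    if ! same_subnet "$cand" "$gw" "$plen"; then
        echo "$cand: not in the gateway's /$plen network"
        return 1
    fi
    echo "$cand: usable for pasta -a"
}

# Demo: is the host's public address the container's own, and which
# candidate addresses would be acceptable replacements?
if addr_is_local 203.0.113.10 "$SAMPLE_ADDRS"; then
    echo "203.0.113.10 is the container's own address: connections to it loop back"
fi
for cand in 203.0.113.10 198.51.100.7 203.0.113.20; do
    check_candidate "$cand" 203.0.113.1 24 "$SAMPLE_ADDRS" || :
done
```

To use it against a real container, replace SAMPLE_ADDRS with the output of `ip -o -4 addr show` run inside the container (for example via `podman exec`), and pass the real gateway and prefix length; if you also change the gateway with pasta's -g option, check the candidate against that gateway instead.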