podman: Cannot access published ports from remote hosts

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Start a container and publish a port, then attempt to access the port from another host on the same network; the connection attempt fails.

Steps to reproduce the issue:

  1. podman run -d -p 80:80 nginx:latest

  2. curl http://container-host/ (from another host)

Describe the results you received:

curl: (7) Failed to connect to container-host port 80: No route to host

Describe the results you expected:

Nginx welcome page HTML printed to stdout

Additional information you deem important (e.g. issue happens only occasionally):

When I turn on iptables logging, I get these messages:

FINAL_REJECT: IN=enp5s0 OUT=cni-podman0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xx.xx.xx.xx DST=10.88.0.18 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4085 DF PROTO=TCP SPT=58926 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

Port mapping is working if the request is coming from the host that the container is running on.

The bridge seems to be starting correctly; I have forced the br_netfilter module to load.

I have attached the output of iptables -t -nvL and iptables -nvL before and after container start. iptables.txt

Output of podman version:

Version:            1.6.1
RemoteAPI Version:  1
Go Version:         go1.12.9
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.12.9
  podman version: 1.6.1
host:
  BuildahVersion: 1.11.2
  CgroupVersion: v1
  Conmon:
    package: conmon-2.0.1-1.fc30.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.1, commit: 4346fbe0b2634b05857973bdf663598081240374'
  Distribution:
    distribution: fedora
    version: "30"
  MemFree: 29396992000
  MemTotal: 33671798784
  OCIRuntime:
    package: runc-1.0.0-93.dev.gitb9b6cc6.fc30.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc8+dev
      commit: e3b4c1108f7d1bf0d09ab612ea09927d9b59b4e3
      spec: 1.0.1-dev
  SwapFree: 34359734272
  SwapTotal: 34359734272
  arch: amd64
  cpus: 8
  eventlogger: journald
  hostname: container-host
  kernel: 5.2.18-200.fc30.x86_64
  os: linux
  rootless: false
  uptime: 10h 26m 49.05s (Approximately 0.42 days)
registries:
  blocked: null
  insecure:
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 4
  GraphDriverName: overlay
  GraphOptions:
    overlay.mountopt: nodev,metacopy=on
  GraphRoot: /var/mnt/podman/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  ImageStore:
    number: 4
  RunRoot: /var/mnt/podman/run/containers/storage
  VolumePath: /var/mnt/podman/lib/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.6.1-2.fc30.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.): Running on a physical box

OS Fedora Silverblue 30, Kernel 5.2.18-200.fc30.x86_64
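The FINAL_REJECT line in the report is a netfilter log entry in which both IN and OUT are set, so the packet was being forwarded from the external NIC to the podman bridge and hit firewalld's final reject in the FORWARD chain, which is why only requests from the container host itself succeed. The helper below is an added triage example, not code from the issue or the podman project: it parses such log lines and classifies them; the sample line is reconstructed from the report with placeholder MAC and source addresses, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample: the FINAL_REJECT line from the report, with the
# anonymised MAC and SRC fields replaced by placeholder values.
SAMPLE='FINAL_REJECT: IN=enp5s0 OUT=cni-podman0 MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.0.2.10 DST=10.88.0.18 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4085 DF PROTO=TCP SPT=58926 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

# nf_field LINE KEY: print the value of the KEY=VALUE token in a netfilter
# log line (empty if the key is absent or has no value, e.g. "OUT=" for INPUT).
nf_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) { print kv[2]; exit }
        }
    }'
}

# classify_reject LINE: say which chain the packet died in and whether it
# concerns a podman CNI bridge.
#   input                    : OUT empty, packet addressed to the host itself
#   forward-to-podman-bridge : forwarded toward a cni-podman* bridge, i.e. a
#                              published port blocked by the FORWARD policy
#   forward-other            : forwarded toward some other interface
classify_reject() {
    out_if=$(nf_field "$1" OUT)
    case "$out_if" in
        '')          echo input ;;
        cni-podman*) echo forward-to-podman-bridge ;;
        *)           echo forward-other ;;
    esac
}

# describe_reject LINE: one-line human summary of the rejected flow.
describe_reject() {
    printf '%s %s -> %s:%s rejected (%s) while forwarding %s -> %s\n' \
        "$(nf_field "$1" PROTO)" "$(nf_field "$1" SRC)" \
        "$(nf_field "$1" DST)" "$(nf_field "$1" DPT)" \
        "$(classify_reject "$1")" "$(nf_field "$1" IN)" "$(nf_field "$1" OUT)"
}

describe_reject "$SAMPLE"
```

A `forward-to-podman-bridge` result points at the host's FORWARD policy or firewalld zone for the bridge rather than at the container or the DNAT rule, which matches the maintainers' position that opening the host to external traffic is left to the administrator.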

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 17 (13 by maintainers)

Most upvoted comments

we don't set up rules to allow external traffic to access your host … we believe that is the job of the user.