
I've installed both Docker and Podman on the same machine. Is that my first problem? Maybe. But my goal is run both and I'd like to continue anyway.

My problem is this: there seems to be an iptables conflict between Docker's rules and Podman's rules, and my working solution doesn't make any sense to me.

Version info:

  • OS: RHEL 7.6
  • Podman: 0.11.1.1
  • Docker: 18.09.1
  • iptables: 1.4.21

Two points of information:

  1. The docker daemon adds iptables rules for container networking on startup.
  2. Podman adds iptables rules via CNI (Container Network Interface) for container networking when you run a container.

I'm running a container with podman that exposes a port (let's say, 5000, for example). I've constructed 3 test cases that help illustrate my question and the extremely weird behavior I encounter in case 3 that makes remote access work. Read on.

  1. The first case makes complete sense: I install Podman normally, without any installation of Docker, and then run the container. Poof! Container runs and I can remotely access the port, as I expect.

  2. The second case is where remote access fails. I install Podman normally, install and run the Docker service, then run my container with Podman. Boom. Remote access fails because there is no route to the host.

Before I go on to the third case, it's important to note two very specific iptables rules. You can view these rules (if you have a Docker daemon running and a Podman container up) by running:

iptables -t nat -nL PREROUTING

The output of the command is:

Chain PREROUTING (policy ACCEPT)
target    prot opt source            destination
DOCKER    all  --  0.0.0.0/0         0.0.0.0/0      ADDRTYPE match dst-type LOCAL
CNI-HOSTPORT-DNAT    all  --  0.0.0.0/0         0.0.0.0/0      ADDRTYPE match dst-type LOCAL

Now comes the third case:

So I'm poking around in iptables, and I know enough to be dangerous.

I decide to delete the CNI-HOSTPORT-DNAT rule:

iptables -t nat -D PREROUTING 2

And suddenly, I can remotely access the container via port 5000 again.

My question is:

Why does removing the aforementioned rule make things work again? You would think that removing a CNI-generated rule would break Podman networking. But it doesn't. I'm baffled!

Thanks in advance.

UPDATE: figured out the issue, and it was my fault.

My packets were getting correctly sent to the FORWARD chain after DNAT, but I have a default of DROP on that chain, and no rule on that chain to accept packets bound for port 5000. Once I added a FORWARD rule to accept dport=5000 packets, it started working.
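The update's diagnosis hinges on one check: after the CNI-HOSTPORT-DNAT rule rewrites the destination, the packet is routed through the FORWARD chain, so a FORWARD policy of DROP with no matching ACCEPT rule silently discards it. The script below is an added example, not code from the question or from either project; it reads `iptables -S FORWARD` style output and reports whether TCP traffic to a given port would get through. The two rule dumps are constructed to mirror the situation described in the update (policy DROP, then the same chain with an explicit ACCEPT for dport 5000); the rule lines themselves are hypothetical, not copied from the poster's host. It only considers the chain policy and explicit `--dport` ACCEPT rules, not interface or conntrack matches.

```shell
#!/bin/sh
# Added example: decide whether the FORWARD chain would pass DNAT'd traffic for a
# TCP port. Input is the text `iptables -S FORWARD` prints; the samples below
# are constructed, not taken from the original post.

# Constructed sample: a FORWARD chain with default policy DROP and no rule for
# port 5000 (the state described in the question's update, before the fix).
SAMPLE_FORWARD_BEFORE='-P FORWARD DROP
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Same chain after adding the fix from the update: accept new traffic to dport 5000.
SAMPLE_FORWARD_AFTER="$SAMPLE_FORWARD_BEFORE
-A FORWARD -p tcp -m tcp --dport 5000 -j ACCEPT"

# forward_policy DUMP -> prints the chain's default policy (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3 }'
}

# forward_allows_port DUMP PORT -> returns 0 if a packet to tcp/PORT is accepted
# either by an explicit "--dport PORT ... -j ACCEPT" rule or by the default policy,
# 1 otherwise. Simplification: interface and conntrack matches are ignored.
forward_allows_port() {
    dump=$1
    port=$2
    if printf '%s\n' "$dump" | grep -Eq -- "^-A FORWARD .*--dport ${port} .*-j ACCEPT$"; then
        return 0
    fi
    [ "$(forward_policy "$dump")" = "ACCEPT" ]
}

# describe DUMP PORT -> one-line verdict. On a real host you would call it as
#   describe "$(iptables -S FORWARD)" 5000
describe() {
    if forward_allows_port "$1" "$2"; then
        echo "tcp/$2: FORWARD accepts (policy $(forward_policy "$1"))"
    else
        echo "tcp/$2: FORWARD drops (policy $(forward_policy "$1"), no --dport $2 ACCEPT rule)"
    fi
}

describe "$SAMPLE_FORWARD_BEFORE" 5000
describe "$SAMPLE_FORWARD_AFTER" 5000
```

The point of running this against a live `iptables -S FORWARD` dump is that `iptables -t nat -nL PREROUTING` alone cannot show the problem: the DNAT rule was doing its job, and the drop happened one chain later.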

This question can be closed.

The Spartan
  • If this post is off-topic, I understand--however, I'd appreciate knowing what Stack to ask it on. – The Spartan Feb 15 '19 at 17:48
    Feel free to post your update/edit as an answer, accept it and close the question this way. Stackoverflow encourages [answering your own questions](https://stackoverflow.com/help/self-answer). – char Jul 23 '19 at 11:30
