Use pasta’s –map-guest-addr option
As of Podman 5.0 we default to “pasta” as a rootless networking application to provide network connectivity for rootless containers. Compared to our previous default, slirp4netns, pasta works a bit differently. For instance, pasta, by default, does not use Network Address Translation (NAT). This means it will copy the host address into the container as well, which means both the host and container namespace use the same IP address. This, in turn, means if you try to connect to the host IP from the container, it will refer to itself, not the host. Many users were confused by the lack of connectivity between the host and the container in this situation.
Also, for quite some time, podman has provided the host.containers.internal host entry in containers to allow containers to reach the host. Podman tried to be smart enough to not add the same host IP that is already used in the container namespace to avoid the issue. However, in many cases, the host only has one IP address (excluding localhost), so in this case Podman was unable to provide a suitable IP address for host.containers.internal
; thus, the entry was not added.
As this was a common use case, the pasta developers added a new pasta option called --map-guest-addr <ip>
that allows the user to choose a given IP address inside the namespace to refer to the actual host IP on the host namespace. Starting with Podman 5.3 we will use this by default: the address 169.254.1.2 will be mapped to the host.
We also made sure that the host.containers.internal entry will be set to this IP, which will make the hostname work again even if there is no secondary IP to use; therefore please do not hardcode the IP and use host.containers.internal
instead.
There is also the option to use another IP, like with any other pasta option you can pass it directly to Podman which adds it to the pasta command line. In this case the hostname will also be correctly updated to use the new correct IP, e.g.:
$ podman run --network pasta:--map-guest-addr,10.0.0.1 quay.io/libpod/testimage:20241011 \
grep host.containers.internal /etc/hosts
10.0.0.1 host.containers.internal host.docker.internal
To use --map-guest-addr
passt version 2024_08_14 or newer is required, so make sure you have it installed. If an older version is present, Podman keeps the old behavior and does not error unless the user explicitly sets --map-guest-addr
.
Quadlet rootless container startup
Another common problem was that rootless systemd units created from quadlet failed to start on boot. This happens because pasta requires the network to be fully up before it can be started; otherwise if your network setup took long enough, you likely got an “External interface not usable” error in your unit logs and the container was not started.
While the generated systemd units used After=network-online.target
, it turned out that this didn’t do anything because the systemd user session cannot see the system units such as network-online.target. Therefore systemd ignored that After=
line and the container units were started too early before the network was ready, causing random failures on boot.
With podman 5.3, I now implemented a workaround for this. Packagers will need to make sure to ship the new podman-user-wait-network-online.service
unit in the user (not system) directory so it can be used in all user sessions. This unit just waits for the system network-online.target unit to become active by polling the status every half a second via systemctl is-active network-online.target. With that, quadlet no longer adds After=network-online.target
for the user units and instead adds After=podman-user-wait-network-online.service
, which guarantees the container units wait until the network is ready and pasta starts correctly. Users that manually implemented a workaround like this should be able to remove that again.
If, for whatever reason, you do not need or want your units to wait for the network to be ready, then you can make use of the new DefaultDependencies=false
option under the newly added [Quadlet]
section in your quadlet files.
Leave a Reply