this post was submitted on 12 Mar 2025
21 points (95.7% liked)

Selfhosted

45337 readers
796 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
21
Asking for suggestions regarding Rootless Podman (infosec.pub)
submitted 2 weeks ago by xinayder@infosec.pub to c/selfhosted@lemmy.world
11 comments fedilink hide all child comments
 

I have a "homelab" (well it's not a lab hosted at home, but on the cloud) running k3s and hosting my website, IRC and Matrix. I'm moving all of these services to Podman, since it's easier and you don't have to deal with the headaches of k3s.

I spent a lot of time the past months searching about Podman and couldn't find so much information about it. I managed to get a Authentik pod up and running with Quadlet (systemd unit), and I have a basic Caddy container acting as the reverse proxy for it. These are hosted in another VPS I have, and they are running rootless.

I want to move the other services to Podman, but I'm a bit lost. Right now, I have all the Podman containers allocate specific ports on the host, and communication between Caddy and Authentik, for example, is done by specifying the local IP address of my VPS.

Is it a bad approach to do inter pod/container communication using the local host IP address? I read that you can create a network that pods/containers can use and each gets assigned its own IP from the network range, but I also read that it doesn't go well with rootless. I started using slirp4netns, but then migrated to pasta since I had some issues with getting IPv6 with the former.

So, what would be the "correct" approach here? Create a separate network for the pods and use their assigned IP addresses, or use the local IP address from the host to communicate between pods?

you are viewing a single comment's thread
view the rest of the comments
[–] xinayder@infosec.pub 1 points 2 weeks ago (1 children)

It seems simple. Does it use pasta as the default networking backend? Also, I guess separating each app into their own network is added security, right? So if anything happens to one app, it cannot move laterally to the other apps unless it manages to gain access to the reverse proxy, which then it would be a huge problem.

[–] Asparagus0098@sh.itjust.works 2 points 2 weeks ago (1 children)

I looked up when pasta became the default networking backend for rootless and it seems to have been with podman 5.0. I do remember using podman 5.x versions, so I was most likely using pasta.

The reason why I seperated each app into their own network was indeed for security. The only container with access to all the networks is the reverse proxy.

[–] xinayder@infosec.pub 1 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

One more question, how did you manage to get the reverse proxy to proxy your pods? I just added two containers to one, and I cannot access the containers anymore by their names. Do I need to expose their ports on the pod configuration?

[–] Asparagus0098@sh.itjust.works 2 points 2 weeks ago* (last edited 2 weeks ago)

Containers within a pod can use localhost to access each other. Containers outside of the pod needs to use the pod name to access the containers in the pod.