
Podman - Network types - Part 8


In this part we will go over some of the differences between running Podman rootless and rootful when it comes to network options.

We will cover some of the downsides of each way of running containers; this is in no way a deep dive, just my take on things.

Rootless

In a rootless container environment there is not much you can do when it comes to networking.

Everything passes through slirp4netns, a user-mode TCP/IP stack that NATs traffic from the container's network namespace out through the host's interface; it is not a bridge in the Layer 2 sense. Published ports are bound on the host by the rootlessport helper and forwarded into the namespace.

In practice this means all rootless containers appear with the host's IP address, and a given host port can be published by only one container (or pod) at a time. Because the port is bound on the host, this applies across all users on the machine, not just your own containers. Unless the administrator lowers net.ipv4.ip_unprivileged_port_start, rootless containers also cannot publish ports below 1024.

Illustrated below: one host port per container, and the same goes for pods.

graph LR
 A(<br>Client<br>192.168.0.2<br><br>) <--> |8080/tcp| B(<br><br>Host<br>Network<br>10.0.0.2<br><br><br>) <--> |8080/tcp| C{Slirp4netns<br>127.0.0.1} <--> |80/tcp| D(Web<br>Container<br>01)
 A <--> |8081/tcp| B <--> |8081/tcp| C <--> |80/tcp| O(Web<br>Container<br>02)

The containers can still reach each other through the host address, so in the configuration above a curl http://10.0.0.2:8081 from inside web container 01 reaches the service in web container 02. Keep that in mind: a port published for clients is also reachable from every other container on the host.

So it is important to decide whether a container should be reachable only from other containers or from clients too.

A common case is a web server that needs a database. The database should be reachable only from the web server, to keep the exposed surface to a minimum. With rootless Podman that means putting both in a pod, where the containers share one network namespace and talk to each other over localhost, and publishing only the main service's port on the pod. A database run as a stand-alone container with its own published port is reachable from every client and every other container on the host, so think hard about which of the two layouts you actually need.
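As an added example (not code from the original post), here is a small POSIX shell script that builds the web plus database layout described above as a rootless pod, publishing only the web server's port, next to the exposed-database anti-pattern for comparison. The pod name, image names, the throwaway password and the PODMAN override variable (set PODMAN=echo to print the commands instead of running them) are my assumptions.

```shell
#!/bin/sh
# Rootless pod with one published port: web on host:8080, database reachable
# only over the pod's shared loopback. PODMAN=echo gives a dry run.
set -eu

PODMAN="${PODMAN:-podman}"      # assumed override knob for dry runs
POD="${POD:-webstack}"          # assumed pod name
HOST_PORT="${HOST_PORT:-8080}"  # host port bound by rootlessport

# All containers in a pod share one network namespace, so only ports published
# on the pod itself are reachable from the host or from other users' containers.
create_web_pod() {
    "$PODMAN" pod create --name "$POD" -p "$HOST_PORT:80"
}

# Database: no --publish at all. It listens on 5432 inside the pod's namespace,
# which the web container reaches as 127.0.0.1:5432. Image and password assumed.
run_db() {
    "$PODMAN" run -d --pod "$POD" --name "${POD}-db" \
        -e POSTGRES_PASSWORD=example-only \
        docker.io/library/postgres:16
}

# Web server: also no --publish; it is reached through the pod's 8080->80 mapping.
run_web() {
    "$PODMAN" run -d --pod "$POD" --name "${POD}-web" \
        -e DB_HOST=127.0.0.1 -e DB_PORT=5432 \
        docker.io/library/nginx:alpine
}

# The anti-pattern from the text: a stand-alone database with its own published
# port is reachable by every client and by every other container on the host.
run_db_exposed() {
    "$PODMAN" run -d --name exposed-db -p 5432:5432 \
        -e POSTGRES_PASSWORD=example-only \
        docker.io/library/postgres:16
}

# Host ports are bound on behalf of your user, so a clash with another user's
# container only shows up at host level. Needs ss(8); returns 2 if unavailable.
host_port_free() {
    port="$1"
    if ! command -v ss >/dev/null 2>&1; then
        echo "ss not found, cannot check port $port" >&2
        return 2
    fi
    ! ss -Hltn "( sport = :$port )" | grep -q .
}

# Bring up the pod layout; InfraConfig.PortBindings in the inspect output is the
# complete list of what the outside world can reach.
deploy_stack() {
    host_port_free "$HOST_PORT"
    create_web_pod
    run_db
    run_web
    "$PODMAN" pod inspect "$POD"
}

if [ "${1:-}" = "--deploy" ]; then
    deploy_stack
fi
```

Run it as your normal (non-root) user with ./stack.sh --deploy; anything other than 8080/tcp stays inside the pod's namespace, and run_db_exposed is only there to show what the single-container alternative would hand out.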

In version 4.x there is a new network option called netavark, even for rootless containers; the rootless version should be close to the rootful version in terms of options. This I have not yet explored, since 4.x is not in the Ubuntu 22.04 LTS version as of writing this guide, and the focus is on a rootless container environment with the current LTS version.

Rootful

When it comes to networking in rootful mode there are a lot more options at hand.

One possibility is to use VLANs to segregate your containers and pods. Each container then gets its own address on its VLAN, so two containers can listen on the same port number without competing for a host port, and since nothing has to be bound by an unprivileged user, ports below 1024 are no longer a problem either.

The illustration below shows how it could look in a VLAN environment.

graph LR
 A(<br>Client<br>192.168.0.2<br><br>) <--> |80/tcp| B(<br><br>Host<br>Trunk<br>Network<br><br>10.1.0.0/27<br>Vlan 1<br><br>10.2.0.0/27<br>Vlan 2<br><br><br>) <--> |80/tcp| C{macvlan<br>10.1.0.3} <--> |80/tcp| D(Web<br>Container<br>01)
 A <--> |80/tcp| B <--> |80/tcp| M{macvlan<br>10.2.0.3} <--> |80/tcp| O(Web<br>Container<br>02)

Rootful containers and pods land on the default bridge network (named podman), which in 4.x is set up by the netavark backend (CNI in 3.x). You can instead create a macvlan network as I illustrated above, or additional bridge networks to separate groups of containers from each other.

For a deep dive into rootful container networking I recommend reading the upstream Podman documentation on the different network drivers.

I might revisit that option in the future, but will look at netavark for rootless first to see what it brings to the table for network options in a rootless container world.
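As an added example (not code from the original post), the following POSIX shell script reproduces the VLAN illustration above on a rootful host: it tags two VLAN sub-interfaces on a trunk interface with iproute2, creates one macvlan network per VLAN, and starts a web container with a static address on each. The trunk interface name eth0, the gateway addresses, the image and the IP/PODMAN override variables (set both to echo for a dry run) are my assumptions; the VLAN IDs and subnets are taken from the diagram.

```shell
#!/bin/sh
# Rootful macvlan networks on two VLAN sub-interfaces, matching the diagram's
# addressing. IP=echo PODMAN=echo gives a dry run; otherwise run as root.
set -eu

IP="${IP:-ip}"                 # assumed override knob for dry runs
PODMAN="${PODMAN:-podman}"     # assumed override knob for dry runs
PARENT="${PARENT:-eth0}"       # assumed trunk interface name

# Tag a VLAN sub-interface on the trunk (iproute2 syntax). VLAN 1 is the native
# VLAN on many switches; the IDs below only mirror the illustration.
add_vlan() {
    vid="$1"
    "$IP" link add link "$PARENT" name "$PARENT.$vid" type vlan id "$vid"
    "$IP" link set "$PARENT.$vid" up
}

# One macvlan network per VLAN. Containers get their own L2 address on the VLAN,
# so two of them can both listen on 80/tcp without touching host ports at all.
# Gateway addresses are assumed (the diagram does not show them).
create_macvlan_net() {
    vid="$1"; subnet="$2"; gateway="$3"
    "$PODMAN" network create -d macvlan \
        -o parent="$PARENT.$vid" \
        --subnet "$subnet" --gateway "$gateway" \
        "vlan$vid"
}

# Static address on the chosen VLAN; no -p needed, 80/tcp is reachable directly
# from clients on that VLAN (subject to whatever filters sit between VLANs).
run_web_on_vlan() {
    vid="$1"; addr="$2"; name="$3"
    "$PODMAN" run -d --name "$name" --network "vlan$vid" --ip "$addr" \
        docker.io/library/nginx:alpine
}

# Caveat: with macvlan the host itself cannot reach its own children through
# the parent interface, so host-side health checks need another path.
setup_from_diagram() {
    add_vlan 1
    add_vlan 2
    create_macvlan_net 1 10.1.0.0/27 10.1.0.1
    create_macvlan_net 2 10.2.0.0/27 10.2.0.1
    run_web_on_vlan 1 10.1.0.3 web01
    run_web_on_vlan 2 10.2.0.3 web02
}

if [ "${1:-}" = "--setup" ]; then
    setup_from_diagram
fi
```

The segregation here is only as good as the switch and firewall configuration between the VLANs: macvlan puts the container directly on the wire, so nothing on the host filters traffic between web01 and web02 unless you add it.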

Recap

Here we talked a little bit about networking. There is much more to cover than what we went through here, but this should give you a basic understanding of networking within Podman and of some of the differences between rootless and rootful.