Podman container unable to connect to another container's port forward
Environment
- Red Hat Enterprise Linux 7
Issue
- When trying to connect from one container to another container running on the same host via a forwarded port, the connection never completes (the second wget below hangs until interrupted):

```
# podman create -p 5001:80/tcp --name=hello-world-a nginxdemos/hello
# podman create -p 5002:80/tcp --name=hello-world-b nginxdemos/hello
# podman start hello-world-a hello-world-b
# podman exec hello-world-a wget http://10.88.0.1:5001
Connecting to 10.88.0.1:5001 (10.88.0.1:5001)
index.html           100% |*******************************|  7218   0:00:00 ETA
# podman exec hello-world-a wget http://10.88.0.1:5002
Connecting to 10.88.0.1:5002 (10.88.0.1:5002)
^C
```
Resolution
- Red Hat is aware of this issue and is tracking the fix in RHBZ#1703261.
- A workaround is to manually load the `br_netfilter` module with `modprobe br_netfilter` before invoking `podman`. The module must be loaded first: the `net.bridge.*` sysctl keys only exist under `/proc/sys` while `br_netfilter` is loaded, so `sysctl --system` cannot apply them otherwise. To permanently enable this workaround, apply the following steps:

```
# Load br_netfilter module
modprobe br_netfilter

# Ensure it's loaded on boot
cat > /etc/modules-load.d/podman-net.conf <<EOF
br_netfilter
EOF

# Setup sysctl params, these persist across reboots
cat > /etc/sysctl.d/podman-net.conf <<EOF
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF

# Load sysctl params
sysctl --system
```
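The following is an added example, not part of the Red Hat solution, for verifying that a host is actually in the state the workaround requires before starting containers. The check reads the same three keys the sysctl fragment above sets, distinguishes "module not loaded" (the `net/bridge` tree is absent) from "module loaded but key is 0", and takes the sysctl root directory as a parameter (defaulting to `/proc/sys`) so it can also be run against a constructed tree. The function names `check_podman_net`, `read_key` and `make_sysctl_tree` and the `demo` entry point are this example's own, not podman's or RHEL's.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): check whether bridged container
# traffic will pass through iptables, i.e. whether the br_netfilter workaround
# is in effect. Exit codes: 0 all good, 1 a key is not 1, 2 module not loaded.

# read_key ROOT KEY: print the value of ROOT/KEY with whitespace stripped,
# fail if the file is absent or unreadable.
read_key() {
    f="$1/$2"
    [ -r "$f" ] || return 1
    tr -d '[:space:]' < "$f"
}

# check_podman_net [SYSCTL_ROOT]
# /proc/sys/net/bridge only exists once br_netfilter is loaded, so a missing
# directory means "run modprobe br_netfilter" rather than "key is 0".
check_podman_net() {
    root="${1:-/proc/sys}"
    if [ ! -d "$root/net/bridge" ]; then
        echo "br_netfilter is not loaded: $root/net/bridge missing (run: modprobe br_netfilter)" >&2
        return 2
    fi
    bad=0
    for key in net/bridge/bridge-nf-call-iptables \
               net/bridge/bridge-nf-call-ip6tables \
               net/ipv4/ip_forward; do
        v=$(read_key "$root" "$key") || v="missing"
        if [ "$v" != "1" ]; then
            echo "$key=$v (expected 1)" >&2
            bad=1
        fi
    done
    if [ "$bad" -eq 0 ]; then
        echo "bridged traffic traverses iptables; container-to-container port forwards will work"
    fi
    return "$bad"
}

# make_sysctl_tree DIR IPT IP6T FWD
# Build a constructed sysctl tree for demonstration/testing. Pass "-" as IPT
# to leave net/bridge out entirely, simulating br_netfilter not being loaded.
make_sysctl_tree() {
    dir="$1"
    mkdir -p "$dir/net/ipv4"
    printf '%s\n' "$4" > "$dir/net/ipv4/ip_forward"
    if [ "$2" = "-" ]; then
        return 0
    fi
    mkdir -p "$dir/net/bridge"
    printf '%s\n' "$2" > "$dir/net/bridge/bridge-nf-call-iptables"
    printf '%s\n' "$3" > "$dir/net/bridge/bridge-nf-call-ip6tables"
}

# demo: walk the three host states against constructed trees, then the real host.
demo() {
    t=$(mktemp -d)
    for state in absent off on; do
        case "$state" in
            absent) make_sysctl_tree "$t/$state" - 0 1 ;;
            off)    make_sysctl_tree "$t/$state" 0 0 1 ;;
            on)     make_sysctl_tree "$t/$state" 1 1 1 ;;
        esac
        printf '[%s] ' "$state"
        check_podman_net "$t/$state" 2>&1 || printf 'rc=%s\n' "$?"
    done
    rm -rf "$t"
    printf '[real host] '
    check_podman_net 2>&1 || printf 'rc=%s\n' "$?"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh check.sh demo` to see all three states; `check_podman_net` alone (no argument) inspects the running host and is suitable as a pre-flight step in the unit or script that starts the containers.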
Root Cause
`/proc/sys/net/bridge/bridge-nf-call-iptables` is set to `0` (or does not exist at all because `br_netfilter` is not loaded). With that setting, frames the podman bridge forwards between two containers bypass iptables entirely. The port forward is an iptables DNAT rule on the host: the request from hello-world-a to 10.88.0.1:5002 is rewritten to hello-world-b's address, but the reply travels back to hello-world-a as a plain bridged frame, never passes conntrack and so is never un-DNATed. hello-world-a sees a reply from an address and port it never connected to, and the connection hangs. Setting the key to `1` makes bridged traffic traverse iptables so the reply is translated back correctly.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.