Podman container unable to connect to another container's port forward

Environment

  • Red Hat Enterprise Linux 7

Issue

  • When trying to connect from one container to another container running on the same host via a forwarded port, this fails:

    # podman create -p 5001:80/tcp --name=hello-world-a nginxdemos/hello
    # podman create -p 5002:80/tcp --name=hello-world-b nginxdemos/hello
    # podman start hello-world-a hello-world-b
    # podman exec hello-world-a wget http://10.88.0.1:5001
    Connecting to 10.88.0.1:5001 (10.88.0.1:5001)
    index.html           100% |*******************************|  7218   0:00:00 ETA
    
    # podman exec hello-world-a wget http://10.88.0.1:5002
    Connecting to 10.88.0.1:5002 (10.88.0.1:5002)
    ^C
    

Resolution

  • Red Hat is aware of this issue and is tracking the fix in RHBZ#1703261.
  • A workaround is to manually load the br_netfilter module using modprobe br_netfilter before invoking podman. To permanently enable this workaround, please apply the following steps:

    # Load the br_netfilter module now
    modprobe br_netfilter
    
    # Ensure it is loaded on boot
    cat > /etc/modules-load.d/podman-net.conf  <<EOF
    br_netfilter
    EOF
    
    # Set up sysctl params; these persist across reboots
    cat > /etc/sysctl.d/podman-net.conf <<EOF
    net.bridge.bridge-nf-call-iptables  = 1
    net.ipv4.ip_forward                 = 1
    net.bridge.bridge-nf-call-ip6tables = 1
    EOF
    
    # Load sysctl params
    sysctl --system
    

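A pre-flight check for the workaround above, added here as an example and not part of the Red Hat solution. It reads the same sysctls the steps set and reports which one is wrong and what to run; the sysctl root directory is a parameter (assumed default /proc/sys) only so the check can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example, not from the Red Hat solution: verify that the host is in the
# state the br_netfilter workaround requires before starting the containers.
# The sysctl root is a parameter (default /proc/sys) so the check can also be
# pointed at a constructed directory.

# Print the current value of net/bridge/<key>, or "missing" when the file does
# not exist, which is what you see when br_netfilter is not loaded.
bridge_nf_value() {
    f="$1/net/bridge/$2"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# Returns 0 when br_netfilter is loaded and all three sysctls are 1, and 1
# otherwise, printing one line per setting with the fix for each failure.
check_podman_bridge_nf() {
    root="${1:-/proc/sys}"
    rc=0
    for key in bridge-nf-call-iptables bridge-nf-call-ip6tables; do
        v=$(bridge_nf_value "$root" "$key")
        case "$v" in
            1) echo "ok    net.bridge.$key = 1" ;;
            missing) echo "FAIL  net.bridge.$key absent: br_netfilter not loaded (modprobe br_netfilter)"; rc=1 ;;
            *) echo "FAIL  net.bridge.$key = $v (set it to 1 in /etc/sysctl.d/podman-net.conf)"; rc=1 ;;
        esac
    done
    fwd=$(cat "$root/net/ipv4/ip_forward" 2>/dev/null || echo missing)
    if [ "$fwd" = 1 ]; then
        echo "ok    net.ipv4.ip_forward = 1"
    else
        echo "FAIL  net.ipv4.ip_forward = $fwd (set it to 1 in /etc/sysctl.d/podman-net.conf)"
        rc=1
    fi
    return $rc
}

# Stand-alone usage: ./check-bridge-nf.sh --check  (inspects the real host)
if [ "${1:-}" = "--check" ]; then
    check_podman_bridge_nf
fi
```

A non-zero exit status means the workaround is not yet in effect and container-to-container connections through a forwarded port will still hang.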
Root Cause

  • /proc/sys/net/bridge/bridge-nf-call-iptables is set to 0 (or does not exist because the br_netfilter module is not loaded), so traffic between containers on the same bridge is not passed through iptables and the NAT rule that implements the port forward is never applied to it.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.