On 10/08/2024 18:58, François-Xavier Thomas wrote:
Hello Paul,
Thanks for the answers, that helps a lot - I haven't really used
containers in more than 5 years and that space evolves quickly so I
wasn't sure if I was missing something!
On 05/08/2024 19:28, Paul Holzinger wrote:
>> - there is no warning message when aardvark-dns can't start because
>> the port is already taken by the host (that would have made the
>> issue very obvious)
> I fixed this very recently in netavark/aardvark-dns v1.12.0, so this
> is already fixed.
Great news, thank you!
>> - internal networks don't generate DNAT rules when dns_port is set
>> to anything other than 53 ; containers can access the DNS resolver
>> on the non-standard port just fine and have /etc/resolv.conf
>> configured to the correct IP, but the resolv.conf mechanism cannot
>> (to my knowledge) use a different port and thus DNS fails in practice
> Correct, this is a problem, please file a bug on the netavark repo
> about it. This is similar to
> https://github.com/containers/podman/issues/22807. Right now internal
> networks do nothing with the host firewall; I think we must reevaluate
> that design decision.
Created: https://github.com/containers/netavark/issues/1051
Thanks.
>> The last part sounds weird to me, is that the expected behavior or
>> is it maybe another misconfiguration on my part?
> This is expected with our current design, see my point above how we do
> nothing with the firewall in the internal case, thus no port DNAT
> rules are added as well.
> However note that this will actually work when running rootless
> podman today as it uses a user space forwarder.
Good to know even if for the moment I'm mostly using rootful.
In general I felt that the "Basic networking" document was both too
detailed and not detailed enough when I tried to understand all this.
Would you welcome suggestions/attempts at creating small PRs for the
documentation, or is that something that's best done by the dev team?
What's the best location, the podman repo?
External contributions are always welcome. The Podman repo is the best
place, i.e. here is the source of the current "Basic networking" Guide:
https://github.com/containers/podman/blob/main/docs/tutorials/basic_netwo...