Podman #4 - Networking - Layer 2 Dragons
Finally, networking. I’ve been doing it for over 20 years, so let’s set some boundaries and enforce a few paradigms.
podman network create test
Yes, this creates a network just like in Docker. But I don't want containers on different networks talking to each other, and I definitely don't want them talking to the internet.
The documentation I used to figure this out is here (again), but there are two key concepts that stood out: internal and isolate. And they can be combined!
Internal
Internal=true
This restricts external access for the network: containers still get an address on the bridge, but no default route, so they can't connect to the internet (or to anything outside their own subnet). This even improves startup time for some containers, like OpenSearch.
Isolate
Options=isolate=true
This option blocks traffic between networks that have it enabled. Networks with isolate=true can't talk to each other, but they can still talk to networks that don't set it. Both isolate values are implemented by the netavark backend (the default since Podman 4); podman info --format '{{.Host.NetworkBackend}}' shows which backend is in use.
Strict Isolation
It turns out:
--opt=isolate=strict
…is also a thing. I stumbled across it on Reddit or GitHub (not well documented). With strict, the network can't talk to any other network at all: like true, it is cut off from other isolated networks, and unlike true, it won't communicate with "normal" networks either.
Perfect. This means if we combine internal and isolate, we can build a network where nothing leaks out: no internet, and no traffic to or from any other Podman network. That will be the default setup from here on.
Examples
podman network create --internal internalNet
podman network create --opt=isolate=true isoTrueNet
podman network create --opt=isolate=strict isoStrictNet
podman network create --internal --opt=isolate=true intIsoTrueNet
podman network create --internal --opt=isolate=strict intIsoStrictNet
Now let's run a container on each of these networks and see whether they can ping each other (ip addr inside the shell shows each container's address):
podman run --rm -it --network=isoStrictNet alpine sh
podman run --rm -it --network=intIsoTrueNet alpine sh
And yes — it behaves exactly as described.
Rootless Quadlet
Since we’re not using the CLI to deploy services, we need to define this network in a rootless Quadlet file:
nano ~/.config/containers/systemd/intisostrictnet.network
[Unit]
Description=Isolated internal network
[Network]
Driver=bridge
Internal=true
Options=isolate=strict
[Install]
WantedBy=default.target
Then let the Quadlet generator produce the systemd unit:
systemctl --user daemon-reload
You can check if it was created with:
ls /run/user/$UID/systemd/generator/
If it isn’t there, troubleshoot with:
/usr/lib/systemd/user-generators/podman-user-generator -dryrun
If all looks good, start the service:
systemctl --user start intisostrictnet-network.service
Now podman network ls will show your shiny new network. Quadlet prefixes the name with systemd-, so it appears as systemd-intisostrictnet.
We can put a container on it to verify that it has no connectivity beyond the network itself:
podman run --rm -it --network=systemd-intisostrictnet alpine sh
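Rather than pinging by hand from two interactive shells, the connectivity of all the networks on this page can be checked in one go. The script below is an added example and not part of the original post: it encodes the expected reachability of the five CLI networks and the Quadlet one as a small policy function (combining the internal and isolate rules described above with the consequence that a container without a default route can neither send nor answer traffic from another subnet), then, where podman is installed, starts one sleeping container per network, pings every pair plus an outside address, and reports any mismatch. The extra plainNet network, the outside address 1.1.1.1 and the alpine image are assumptions for the comparison; they are not from the page.

```python
import shutil
import subprocess

# Constructed table of the networks this page creates (five from the CLI, one from
# Quadlet, which Podman names systemd-<unit name>) plus an ordinary bridge network
# added as a reference point. plainNet and OUTSIDE are assumptions, not from the page.
NETWORKS = {
    "plainNet":                {"internal": False, "isolate": None},  # assumed default network
    "internalNet":             {"internal": True,  "isolate": None},
    "isoTrueNet":              {"internal": False, "isolate": "true"},
    "isoStrictNet":            {"internal": False, "isolate": "strict"},
    "intIsoTrueNet":           {"internal": True,  "isolate": "true"},
    "intIsoStrictNet":         {"internal": True,  "isolate": "strict"},
    "systemd-intisostrictnet": {"internal": True,  "isolate": "strict"},
}
OUTSIDE = "1.1.1.1"                 # assumed: any address only reachable via the default route
IMAGE = "docker.io/library/alpine"  # assumed image; busybox ping is enough here


def expect_reachable(src, dst):
    """Expected result of a ping from a container on `src` to a container on `dst`."""
    if src == dst:
        return True                  # same bridge: none of these options apply
    a, b = NETWORKS[src], NETWORKS[dst]
    if a["internal"] or b["internal"]:
        return False                 # no default route on one side: request or reply has no route
    if "strict" in (a["isolate"], b["isolate"]):
        return False                 # strict: no traffic to or from any other network
    if a["isolate"] == "true" and b["isolate"] == "true":
        return False                 # true: isolated networks cannot reach each other
    return True                      # true <-> plain (or plain <-> plain) is forwarded


def expect_outside(src):
    """Expected result of a ping to OUTSIDE: only --internal removes the default route."""
    return not NETWORKS[src]["internal"]


def podman(*args):
    return subprocess.run(["podman", *args], capture_output=True, text=True)


def ensure_network(name):
    """Create the network with the flags from the table if it does not exist yet."""
    if podman("network", "exists", name).returncode == 0:
        return
    cfg = NETWORKS[name]
    args = ["network", "create"]
    if cfg["internal"]:
        args.append("--internal")
    if cfg["isolate"]:
        args.append("--opt=isolate=" + cfg["isolate"])
    podman(*args, name)


def live_matrix(names):
    """Start one sleeping container per network, ping every ordered pair plus OUTSIDE,
    and return {(src, dst): (expected, observed)}. Requires a working podman."""
    cids, ips = {}, {}
    for n in names:
        ensure_network(n)
        cids[n] = podman("run", "-d", "--rm", "--network", n, IMAGE, "sleep", "300").stdout.strip()
        fmt = '{{(index .NetworkSettings.Networks "%s").IPAddress}}' % n
        ips[n] = podman("inspect", "-f", fmt, cids[n]).stdout.strip()
    results = {}
    try:
        for src in names:
            for dst, ip in [(d, ips[d]) for d in names] + [("OUTSIDE", OUTSIDE)]:
                observed = podman("run", "--rm", "--network", src, IMAGE,
                                  "ping", "-c", "1", "-W", "1", ip).returncode == 0
                expected = expect_outside(src) if dst == "OUTSIDE" else expect_reachable(src, dst)
                results[(src, dst)] = (expected, observed)
    finally:
        for cid in cids.values():     # always clean up the helper containers
            podman("rm", "-f", cid)
    return results


if __name__ == "__main__":
    if shutil.which("podman") is None:
        raise SystemExit("podman not found; the expected matrix is in expect_reachable()")
    for (src, dst), (expected, observed) in live_matrix(list(NETWORKS)).items():
        mark = "ok      " if expected == observed else "MISMATCH"
        print(f"{mark} {src:>24} -> {dst:<24} expected={expected} observed={observed}")
```

Any MISMATCH line means the host is not enforcing what the options promise, which is worth checking before relying on the network for isolation (for example, a CNI backend silently ignoring isolate). Drop systemd-intisostrictnet from the table if the Quadlet unit is not running yet; ensure_network would otherwise create it from the CLI.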
That’s it for Podman #4 – Networking.
https://docs.podman.io/en/latest/markdown/podman-network-create.1.html