this post was submitted on 12 Mar 2025
22 points (100.0% liked)

Selfhosted

45304 readers
1215 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I have a "homelab" (well it's not a lab hosted at home, but on the cloud) running k3s and hosting my website, IRC and Matrix. I'm moving all of these services to Podman, since it's easier and you don't have to deal with the headaches of k3s.

I spent a lot of time the past months searching about Podman and couldn't find so much information about it. I managed to get an Authentik pod up and running with Quadlet (systemd unit), and I have a basic Caddy container acting as the reverse proxy for it. These are hosted in another VPS I have, and they are running rootless.

I want to move the other services to Podman, but I'm a bit lost. Right now, I have all the Podman containers allocate specific ports on the host, and communication between Caddy and Authentik, for example, is done by specifying the local IP address of my VPS.

Is it a bad approach to do inter pod/container communication using the local host IP address? I read that you can create a network that pods/containers can use and each gets assigned its own IP from the network range, but I also read that it doesn't go well with rootless. I started using slirp4netns, but then migrated to pasta since I had some issues with getting IPv6 with the former.

So, what would be the "correct" approach here? Create a separate network for the pods and use their assigned IP addresses, or use the local IP address from the host to communicate between pods?

[–] [email protected] 3 points 2 weeks ago (2 children)

I agree that you’ll want to figure out inter-pod networking.

In docker, you can create a specific “external” network (external to the docker container is my understanding) and then you can attach the docker compose stack to that network and talk using the hostnames of the containers.

Personally, I would avoid host network mode as you expose those containers to the world (good if you want that, bad if you don’t)… possibly the same with using the public IP address of your instance.

You could alternatively bind the ports to 127.0.0.1 which would restrict them from exposing to internet… (see above)

So just depends on how you want to approach it.
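As an added example (not from the post or either commenter), here is the same "shared network, talk by hostname" pattern expressed as rootless Podman Quadlet units for the setup in the original post: one `.network` unit, Authentik joined to it with no published ports, and Caddy joined to it as the only container that publishes anything on the host. The network name, image tags, the `authentik.env` file, and the `%h` paths are assumptions, and the database and worker units that Authentik also needs are omitted.

```ini
# ~/.config/containers/systemd/homelab.network  (rootless Quadlet directory)
[Network]
NetworkName=homelab
# Optional: give the internal bridge IPv6 addresses as well.
IPv6=true

# ~/.config/containers/systemd/authentik.container
[Unit]
Description=Authentik server (reachable only from the homelab network)

[Container]
# Assumed image tag; pin a specific version in practice.
Image=ghcr.io/goauthentik/server:latest
ContainerName=authentik
Exec=server
# Referencing the .network unit makes Quadlet add the dependency for you.
Network=homelab.network
# Assumed file holding AUTHENTIK_SECRET_KEY and the database settings.
EnvironmentFile=%h/authentik.env
# No PublishPort: nothing on the host or the internet can reach this
# container directly; only members of "homelab" can, by container name.

[Install]
WantedBy=default.target

# ~/.config/containers/systemd/caddy.container
[Unit]
Description=Caddy reverse proxy (the only container with host ports)

[Container]
Image=docker.io/library/caddy:2
ContainerName=caddy
Network=homelab.network
# Rootless binding of ports below 1024 needs
#   sysctl net.ipv4.ip_unprivileged_port_start=80
PublishPort=80:80
PublishPort=443:443
Volume=%h/Caddyfile:/etc/caddy/Caddyfile:ro,Z
Volume=caddy-data:/data

[Install]
WantedBy=default.target
```

With both containers on the user-defined network, the Caddyfile can use `reverse_proxy authentik:9000` (Authentik's default HTTP port, an assumption here) because Podman's aardvark-dns resolves container names on that network, so the host IP never enters the picture. Run `systemctl --user daemon-reload` and then `systemctl --user start caddy authentik` to apply.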

[–] [email protected] 2 points 2 weeks ago (1 children)

> Personally, I would avoid host network mode as you expose those containers to the world (good if you want that, bad if you don’t)… possibly the same with using the public IP address of your instance.

My instance is only exposing the HTTP/HTTPS ports, those are the only ports enabled in the firewall.

[–] [email protected] 2 points 2 weeks ago

Sounds like you should be good there then!