Can't query AdGuard in a rootless podman container

Hi,
I’ve recently decided to upgrade my home server setup, which included moving from docker to podman. Nothing against docker, but I wanted to try rootless containers and also podman has nice integration with Cockpit.

The problem is that I can’t connect to AdGuard’s DNS. I’ve tested it in rootful mode and it works like it did on docker.

My setup:
I have a host Fedora 38 machine with a single physical network interface. It runs a VM, also F38, that is my podman machine. On the host I've created bridge0 with my single physical port as a member, and bridge0 is attached to the VM. Both host and guest are accessible on the network with their separate IPs from DHCP. I can SSH into them and access Cockpit. SELinux is set to permissive on both host and guest.

The container is running on the VM:

[mcmonster@esteban adguard]$ podman ps
CONTAINER ID  IMAGE                                 COMMAND               CREATED         STATUS        PORTS                                                                                 NAMES
1afb03f53af5  docker.io/adguard/adguardhome:latest  --no-check-update...  20 minutes ago  Up 7 minutes  0.0.0.0:53->53/tcp, 0.0.0.0:3000->3000/tcp, 0.0.0.0:8024->80/tcp, 0.0.0.0:53->53/udp  adguard

The VM itself is listening:

[mcmonster@esteban adguard]$ netstat -tunlp |grep rootless
(...)
tcp6       0      0 :::8024                 :::*                    LISTEN      7468/rootlessport   
tcp6       0      0 :::3000                 :::*                    LISTEN      7468/rootlessport   
tcp6       0      0 :::53                   :::*                    LISTEN      7468/rootlessport   
udp6       0      0 :::53                   :::*                                7468/rootlessport

The firewall allows DNS (both TCP and UDP):

[mcmonster@esteban adguard]$ sudo firewall-cmd --list-services 
cockpit custom--8024 custom--81 custom--hbci dhcpv6-client dns http https ssh

Ports are open on the firewall as seen from my desktop PC:

$ nmap -p 8024,53 10.0.0.4
(...)
PORT     STATE SERVICE
53/tcp   open  domain
8024/tcp open  unknown

The container itself has network and is listening:

/opt/adguardhome/work # ip a
(...)
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 72:93:9a:9b:05:7d brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.3/16 brd 10.88.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::7093:9aff:fe9b:57d/64 scope link 
       valid_lft forever preferred_lft forever
/opt/adguardhome/work # netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 :::80                   :::*                    LISTEN      1/AdGuardHome
tcp        0      0 :::53                   :::*                    LISTEN      1/AdGuardHome
udp        0      0 :::53                   :::*                                1/AdGuardHome

Network backend on VM is netavark:

[mcmonster@esteban adguard]$ LANG=C sudo podman info --format {{.Host.NetworkBackend}}
netavark

And the container is connected to preexisting podman network:

[mcmonster@esteban adguard]$ podman network ls
NETWORK ID    NAME             DRIVER
f2783b4e4f73  adguard_default  bridge
2f259bab93aa  podman           bridge

I can open the management interface on the redirected port, and AdGuard is running:

$ curl 10.0.0.4:8024
<a href="/login.html">Found</a>.

But I can’t query the DNS:

$ nslookup kernel.org 10.0.0.4
;; communications error to 10.0.0.4#53: timed out
;; communications error to 10.0.0.4#53: timed out

I can't do it even from within the container:

/opt/adguardhome/work # nslookup kernel.org localhost
;; connection timed out; no servers could be reached

/opt/adguardhome/work # nslookup kernel.org 
Server:         10.0.0.1
Address:        10.0.0.1:53

Where’s the problem? What am I missing?

Dunno if this applies to podman itself, but using ports under 1000/1024 (dunno which is correct) requires root/sudo privileges so far. Hope someone can prove me wrong on this and may help you better than me.


Forgot to mention it in the original post. You are correct, but it’s configurable on the podman host:

[mcmonster@esteban adguard]$ sudo sysctl net.ipv4.ip_unprivileged_port_start
net.ipv4.ip_unprivileged_port_start = 50

Without this the container would fail to start at all.

In the meantime I’ve found a possible solution using macvlans (can’t post a link). I’m too tired today, but will check that in the coming days and let you know.

Let me answer myself. There's nothing wrong with podman. Or AdGuard (almost). It was a simple case of PEBKAC.

AdGuard has a feature to allow queries only from specific IP ranges. I forgot that I used it in the first place and changed the addressing scheme in my home server when rebuilding it.

The only complaint I have about AdGuard is that it won't say in the logs that a disallowed client is trying to make queries.
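A worked example of the root cause in the last post, added here and not taken from the thread or from AdGuard's own code: it evaluates a client address against AdGuard's "allowed clients" / "disallowed clients" access lists the way the thread describes them, so you can audit every client after renumbering instead of finding out from silent timeouts. The semantics (a non-empty allowed list is a strict allowlist, otherwise everyone except the disallowed list), the `allowed_clients`/`disallowed_clients` key names, and the old `192.168.1.0/24` LAN range are assumptions; the `10.0.0.x` addresses come from the thread.

```python
import ipaddress

# Constructed stand-in for the dns.allowed_clients / dns.disallowed_clients
# lists in AdGuardHome.yaml (assumed key names). The old LAN range is an
# assumed example; the server was renumbered to 10.0.0.0/24 per the thread.
ALLOWED_CLIENTS = ["192.168.1.0/24"]
DISALLOWED_CLIENTS = []


def _parse_networks(entries):
    """Turn IP / CIDR strings into network objects; entries that are not
    addresses (AdGuard also accepts ClientIDs there) are skipped here."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass
    return nets


def client_allowed(client_ip, allowed=ALLOWED_CLIENTS, disallowed=DISALLOWED_CLIENTS):
    """Assumed AdGuard access-list semantics: a non-empty allowed list is a
    strict allowlist and every other source is dropped without a log entry;
    with an empty allowed list, everyone is served except disallowed entries."""
    ip = ipaddress.ip_address(client_ip)
    if allowed:
        return any(ip in net for net in _parse_networks(allowed))
    return not any(ip in net for net in _parse_networks(disallowed))


def audit(clients, allowed=ALLOWED_CLIENTS, disallowed=DISALLOWED_CLIENTS):
    """Map each client address to whether AdGuard would answer it. A False
    here explains a query that times out even though nmap shows 53/tcp open:
    the connection is accepted, the query is just never answered."""
    return {c: client_allowed(c, allowed, disallowed) for c in clients}


if __name__ == "__main__":
    # Router, the VM and an old-range host: only the last one is still served.
    for client, ok in audit(["10.0.0.1", "10.0.0.4", "192.168.1.5"]).items():
        print(f"{client:<14} {'answered' if ok else 'DROPPED by access list'}")
```

Running the block against the real config means loading `dns.allowed_clients` and `dns.disallowed_clients` from AdGuardHome.yaml into the two lists; the network-path checks in the thread (firewall, nmap, rootlessport) all pass for a dropped client, which is why this layer is worth checking first.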