Hi,
I’ve recently decided to upgrade my home server setup, which included moving from Docker to Podman. Nothing against Docker, but I wanted to try rootless containers, and Podman also has nice integration with Cockpit.
The problem is that I can’t connect to AdGuard’s DNS. I’ve tested it in rootful mode and it works like it did on docker.
My setup:
I have a host Fedora 38 machine with a single physical network interface. It runs a VM, also F38, that is my Podman machine. On the host I’ve created bridge0 with my single physical port as a member; bridge0 is attached to the VM. Both host and guest are accessible on the network with their separate IPs from DHCP. I can SSH into them and access Cockpit. SELinux is set to permissive on both host and guest.
The container is running on the VM:
[mcmonster@esteban adguard]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1afb03f53af5 docker.io/adguard/adguardhome:latest --no-check-update... 20 minutes ago Up 7 minutes 0.0.0.0:53->53/tcp, 0.0.0.0:3000->3000/tcp, 0.0.0.0:8024->80/tcp, 0.0.0.0:53->53/udp adguard
The VM itself is listening:
[mcmonster@esteban adguard]$ netstat -tunlp |grep rootless
(...)
tcp6 0 0 :::8024 :::* LISTEN 7468/rootlessport
tcp6 0 0 :::3000 :::* LISTEN 7468/rootlessport
tcp6 0 0 :::53 :::* LISTEN 7468/rootlessport
udp6 0 0 :::53 :::* 7468/rootlessport
The firewall allows DNS (both TCP and UDP):
[mcmonster@esteban adguard]$ sudo firewall-cmd --list-services
cockpit custom--8024 custom--81 custom--hbci dhcpv6-client dns http https ssh
Ports are open on the firewall as seen from my desktop PC:
$ nmap -p 8024,53 10.0.0.4
(...)
PORT STATE SERVICE
53/tcp open domain
8024/tcp open unknown
The container itself has network and is listening:
/opt/adguardhome/work # ip a
(...)
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 72:93:9a:9b:05:7d brd ff:ff:ff:ff:ff:ff
inet 10.88.0.3/16 brd 10.88.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::7093:9aff:fe9b:57d/64 scope link
valid_lft forever preferred_lft forever
/opt/adguardhome/work # netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::80 :::* LISTEN 1/AdGuardHome
tcp 0 0 :::53 :::* LISTEN 1/AdGuardHome
udp 0 0 :::53 :::* 1/AdGuardHome
Network backend on VM is netavark:
[mcmonster@esteban adguard]$ LANG=C sudo podman info --format {{.Host.NetworkBackend}}
netavark
And the container is connected to preexisting podman network:
[mcmonster@esteban adguard]$ podman network ls
NETWORK ID NAME DRIVER
f2783b4e4f73 adguard_default bridge
2f259bab93aa podman bridge
I can open the management interface on the redirected port, and AdGuard is running:
$ curl 10.0.0.4:8024
<a href="/login.html">Found</a>.
But I can’t query the DNS:
$ nslookup kernel.org 10.0.0.4
;; communications error to 10.0.0.4#53: timed out
;; communications error to 10.0.0.4#53: timed out
Can’t do it even from within the container:
/opt/adguardhome/work # nslookup kernel.org localhost
;; connection timed out; no servers could be reached
/opt/adguardhome/work # nslookup kernel.org
Server: 10.0.0.1
Address: 10.0.0.1:53
Where’s the problem? What am I missing?
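One thing worth separating out before anyone guesses at the cause: the nmap run above only checks 53/tcp, while nslookup tries UDP first, so the post never actually shows whether the UDP forward through rootlessport works. The script below is an added diagnostic example, not part of the original post and not from the AdGuard or Podman projects. It builds a raw DNS query for the name given on the command line and sends the same query once over UDP and once over TCP, reporting per transport whether a reply came back. The default server 10.0.0.4 and name kernel.org are taken from the post; the 3 second timeout and the choice to run it from the desktop PC (or from inside the VM against 127.0.0.1) are assumptions.

```python
#!/usr/bin/env python3
"""Send one DNS query over UDP and over TCP to tell the two forwards apart.

Added diagnostic example, not from the original post. Defaults (10.0.0.4,
kernel.org) come from the post; the timeout value is an assumption.
"""
import secrets
import socket
import struct
import sys
from typing import Optional

DNS_PORT = 53
TIMEOUT_SECONDS = 3.0  # assumption: long enough for a LAN resolver


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Return a minimal DNS query (RFC 1035): header, QNAME, QTYPE, QCLASS IN.

    A random transaction id is used unless one is supplied; the reply is
    checked against it so a stray datagram cannot be mistaken for an answer.
    """
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    # flags 0x0100 = recursion desired; one question, no other sections
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def frame_tcp(query: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack(">H", len(query)) + query


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Decode the header of a DNS reply and verify it belongs to our query."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError(f"transaction id mismatch: {txid:#06x} != {expected_txid:#06x}")
    return {"is_response": bool(flags & 0x8000), "rcode": flags & 0x000F, "answers": an}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def query_udp(server: str, name: str, timeout: float = TIMEOUT_SECONDS) -> dict:
    """Send the query as a single datagram and wait for one reply."""
    query = build_query(name)
    txid = struct.unpack(">H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, DNS_PORT))
        data, _peer = s.recvfrom(4096)
    return parse_response(data, txid)


def query_tcp(server: str, name: str, timeout: float = TIMEOUT_SECONDS) -> dict:
    """Send the same query over a TCP connection with length framing."""
    query = build_query(name)
    txid = struct.unpack(">H", query[:2])[0]
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        (length,) = struct.unpack(">H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_response(data, txid)


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.4"
    name = sys.argv[2] if len(sys.argv) > 2 else "kernel.org"
    for label, fn in (("UDP", query_udp), ("TCP", query_tcp)):
        try:
            r = fn(server, name)
            print(f"{label}: reply rcode={r['rcode']} answers={r['answers']}")
        except (OSError, ValueError) as exc:  # socket.timeout is an OSError
            print(f"{label}: no usable reply ({exc})")
```

Run it as `python3 dnsprobe.py 10.0.0.4 kernel.org` from the desktop, then again inside the VM against 127.0.0.1. A reply on TCP with a timeout on UDP narrows the problem to the UDP side of the rootless port forward; a timeout on both transports from the VM itself, with the rootful run working, points at the rootless port handling in general rather than at the firewall, which nmap already showed open for 53/tcp.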