cross-posted from: https://programming.dev/post/39212874
I recently migrated my services from rootful
dockerto rootlesspodman quadlets. It went smoothly, since nothing I use actually needs to be rootful. Well, except forcaddy. It needs to be able to attach to privileged ports 80 and 443.My current way to bypass it is using
HAProxyrunning as root and forwarding connections using proxy protocol. (Tried to usefirewalldbut that makes the client IP opaque tocaddy.) But that adds an extra layer, which means extra latency. It’s perfectly usable, but I’d like to get rid of it, if possible.I’m willing to run
caddyin rootfulpodmanif needed. But from what I understand, that means I can’t have it in the same rootless network as my other containers. I really don’t wanna open most of my containers’ ports, so that’s not an option.So, I’m asking whether any of these three things are possible.
- Use
firewalldto forward ports tocaddywithout obscuring the client’s IP.- Make rootful
caddyshare a network with other rootless containers.- Assign privileged ports to caddy somehow, in rootless mode. (I know there’s a way to make all these ports unprivileged, but is it possible to only assign these 2 ports as unprivileged?)
Or maybe there’s a fourth way that I’m missing. I feel like this is a common enough setup, that there must be a way to do it. Any pointers are appreciated, thanks.
Hi,
The client IP problem is a longstanding issue in podman’s virtual bridge networks.
As a workaround I’d run HAProxy rootless, using the
pastanetworking mode as that one allows seeing native client IP. With pasta’s-Tflag (see docs) I’d forward traffic to another caddy container binding to127.0.0.1:8080or something similar.This would coincide with your firewalld/HAProxy port-forwarding setup, but it has more rootlessness to it. It’s still not perfect and you’d still need to tweak sysctls, but I hope it may be useful