As of right now, I have a working Docker container for Caddy which can successfully get TLS certs, and I am able to access my own test site with an external web browser.
What I want to do is use the same files (Dockerfile, docker-compose.yml and Caddyfile) to do the same with Podman Compose. When I run podman compose up -d
I am able to build the Caddy container and it will also successfully get its own TLS cert.
docker-compose.yml
services:
  caddy:
    container_name: caddy
    build: .
    restart: always
    ports:
      - 80:80
      - 5050:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
      - /home/sxc-pi/shared/:/srv:Z
    networks:
      - reverse_proxy
volumes:
  caddy_data:
  caddy_config:
networks:
  reverse_proxy:
    external: true
While on the same device, I can use curl localhost:5050
and get the message "Client sent an HTTP request to an HTTPS server.",
which is the same result as if I were using Docker. If I try to access my site through my domain name or local-network IP address from an external device, the connection times out.
I didn't make any changes to my firewall or router's port forwarding because I expect rootful Podman Compose to work similarly to Docker.
I checked iptables and below are the differences between using Docker and Podman, but I don't know networking well enough to understand what it's really saying.
iptables differences
sxc-pi:/srv/caddy$ diff ~/iptables-docker ~/iptables-podman
--- /home/sxc-pi/iptables-docker
+++ /home/sxc-pi/iptables-podman
@@ -31,8 +31,6 @@
Chain DOCKER (2 references)
target prot opt source destination
-ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:https
-ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:http
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
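Review bot: the two rules removed here (`ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:https` and `... dpt:http`) are Docker's explicit per-published-port accepts on the forwarding path to the container, and nothing on the Podman side of this hunk adds an equivalent accept for a 10.89.0.x address, so whether an inbound connection to the published port is forwarded will depend on the FORWARD chain's policy and the other chains it jumps to. It would also help to capture the comparison with `iptables -S` or `iptables-save` instead of `iptables -L`: the `-L` listing shows only the filter table and omits interface matches, and the nat table that holds the DNAT for port 5050 does not appear in this diff at all.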
@@ -70,15 +68,20 @@
Chain NETAVARK_FORWARD (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
+ACCEPT all -- anywhere 10.89.0.0/24 ctstate RELATED,ESTABLISHED
+ACCEPT all -- 10.89.0.0/24 anywhere
Chain NETAVARK_INPUT (1 references)
target prot opt source destination
+ACCEPT udp -- 10.89.0.0/24 anywhere udp dpt:domain
+ACCEPT tcp -- 10.89.0.0/24 anywhere tcp dpt:domain
Chain NETAVARK_ISOLATION_2 (1 references)
target prot opt source destination
Chain NETAVARK_ISOLATION_3 (0 references)
target prot opt source destination
+DROP all -- anywhere anywhere
NETAVARK_ISOLATION_2 all -- anywhere anywhere
Chain ufw-after-forward (1 references)
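Review bot: the two rules added to NETAVARK_FORWARD accept only replies to the container subnet (`ACCEPT all -- anywhere 10.89.0.0/24 ctstate RELATED,ESTABLISHED`) and traffic originating from it (`ACCEPT all -- 10.89.0.0/24 anywhere`); a NEW connection arriving from outside and DNAT'd to a 10.89.0.x address matches neither and falls through to the rest of FORWARD. The unchanged `Chain ufw-after-forward` context shows ufw is installed, so ufw's forward policy is the first thing to check: a DROP there would match the timeout seen from external devices while leaving `curl localhost:5050` working, because locally generated traffic never traverses FORWARD. The `+DROP all -- anywhere anywhere` in NETAVARK_ISOLATION_3 is listed with 0 references, so it is not on the packet path and can be ignored for this problem.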
I've also rebooted after starting the Podman containers in case there were any iptables issues, but that still didn't help.
I've searched what I can but haven't found anything that works or gets me closer to an answer.
I'm hoping to use rootless Podman if I can figure this out; if not, I have Docker as a fallback plan.
Any help or insight would be appreciated.
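What the iptables listing above does and does not let through can be checked mechanically rather than by eye. The following is an added example, not code from the thread, from Podman or from netavark: a small simulator of the iptables path a published port takes, run over a constructed iptables-save-style dump. NETAVARK_FORWARD and the 10.89.0.0/24 subnet come from the question; the nat chain name NETAVARK-HOSTPORT-DNAT, the container address 10.89.0.2, the DROP policy on FORWARD, the host address 192.0.2.10 and the client address 203.0.113.7 are assumptions made for the illustration.

```python
"""Added example, not code from the thread: trace a NEW inbound connection to a
published Podman port through an iptables-save dump (nat PREROUTING for the DNAT,
then filter FORWARD for the translated packet). Only -s/-d/-p/--dport/--ctstate/-j
are simulated; other matches (-m tcp, -m addrtype, -m comment) count as matching."""
import ipaddress
import shlex

# Constructed dump modelled on a rootful netavark host. NETAVARK_FORWARD and the
# 10.89.0.0/24 subnet appear in the question; the nat chain name, the container
# address 10.89.0.2 and the DROP policy on FORWARD are assumptions for illustration.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:NETAVARK-HOSTPORT-DNAT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j NETAVARK-HOSTPORT-DNAT
-A NETAVARK-HOSTPORT-DNAT -p tcp -m tcp --dport 5050 -m comment --comment "caddy https" -j DNAT --to-destination 10.89.0.2:443
COMMIT
*filter
:FORWARD DROP [0:0]
:NETAVARK_FORWARD - [0:0]
-A FORWARD -j NETAVARK_FORWARD
-A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP
-A NETAVARK_FORWARD -d 10.89.0.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A NETAVARK_FORWARD -s 10.89.0.0/24 -j ACCEPT
COMMIT
"""
# Same host plus one narrow accept for the service, rather than a blanket FORWARD ACCEPT.
FIXED_DUMP = SAMPLE_DUMP.replace(
    "-A FORWARD -j NETAVARK_FORWARD",
    "-A FORWARD -j NETAVARK_FORWARD\n"
    "-A FORWARD -d 10.89.0.2/32 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT")

cidr = lambda v: ipaddress.ip_network(v, strict=False)
OPTIONS = {"-s": ("src", cidr), "-d": ("dst", cidr), "-p": ("proto", str),
           "--dport": ("dport", int), "--ctstate": ("ctstate", lambda v: set(v.split(","))),
           "-j": ("target", str), "--to-destination": ("to", str)}

def parse_rule(line):
    """One '-A CHAIN ...' line -> dict; unknown options are skipped, i.e. they match."""
    tok, i = shlex.split(line), 2
    rule = {"chain": tok[1], "target": None}
    while i < len(tok):
        key, conv = OPTIONS.get(tok[i], (None, None))
        if key:
            rule[key] = conv(tok[i + 1])
        i += 2 if key else 1
    return rule

def parse_dump(dump):
    """iptables-save text -> {table: {chain: {"policy": str|None, "rules": [...]}}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:].strip(), {})
        elif line.startswith(":"):                  # ':CHAIN POLICY [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            table[name] = {"policy": None if policy == "-" else policy, "rules": []}
        elif line.startswith("-A "):
            rule = parse_rule(line)
            table[rule["chain"]]["rules"].append(rule)
    return tables

def matches(rule, pkt):
    return (("src" not in rule or pkt["src"] in rule["src"])
            and ("dst" not in rule or pkt["dst"] in rule["dst"])
            and ("proto" not in rule or rule["proto"] == pkt["proto"])
            and ("dport" not in rule or rule["dport"] == pkt["dport"])
            and ("ctstate" not in rule or pkt["ctstate"] in rule["ctstate"]))

def walk(table, chain, pkt):
    """Chain verdict: 'ACCEPT'/'DROP'/'REJECT', ('DNAT', to), or None (fell off a user chain)."""
    entry = table[chain]
    for rule in entry["rules"]:
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt == "DNAT":
            return ("DNAT", rule["to"])
        if tgt in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if tgt == "RETURN" else tgt
        if tgt in table:                            # jump into a user chain
            verdict = walk(table, tgt, pkt)
            if verdict is not None:
                return verdict
    return entry["policy"]                          # None for user chains == RETURN

def trace_published_port(dump, host_port, src="203.0.113.7", proto="tcp"):
    """Fate of a NEW connection from external src to host_port (local clients skip FORWARD)."""
    tables = parse_dump(dump)
    pkt = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address("192.0.2.10"),
           "proto": proto, "dport": host_port, "ctstate": "NEW"}  # 192.0.2.10: the host
    nat = walk(tables["nat"], "PREROUTING", pkt)
    if not (isinstance(nat, tuple) and nat[0] == "DNAT"):
        return {"dnat": None, "forward": None}      # nothing published on that port
    ip, port = nat[1].rsplit(":", 1)
    translated = dict(pkt, dst=ipaddress.ip_address(ip), dport=int(port))
    return {"dnat": nat[1], "forward": walk(tables["filter"], "FORWARD", translated)}
```

On a real host, feed it the output of sudo iptables-save, e.g. trace_published_port(open("dump.txt").read(), 5050). A result with a valid dnat but forward of DROP is consistent with the symptom in the question: curl localhost:5050 works because locally generated traffic goes OUTPUT to POSTROUTING and never enters FORWARD, while an external client's SYN is translated and then dropped, which the client sees as a timeout. FIXED_DUMP shows the least-privilege remedy the simulator accepts: a single ACCEPT scoped to the container address and port, instead of changing the FORWARD policy wholesale.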
Use
ss -tlpn
or
podman ps
to show what ports Podman is listening on; my guess is it is only listening on localhost.
podman ps shows the following:
netstat -tunpl
shows the following:
The only difference in the netstat output between Docker and Podman is that Podman shows entries for aardvark-dns and Docker does not, which is something I expect.
Disable the firewall if you can to check if that's the issue, then do a tcpdump as root on the port. Do tcpdump inside the container too and compare what you see to the Docker environment.
Is caddy-caddy really the correct image?
Try with this command, it's the minimal setup that works by default (on my machine):
podman run -p 0.0.0.0:5050:80 docker.io/library/caddy:latest