Podman Basics 05: Podman Networks

~ tmolnar0831

Podman offers a robust network management system that allows for seamless communication between containers. This feature is particularly useful in modern software development, where multiple services often need to interact with each other.

Podman networks are a crucial component of the Podman ecosystem, enabling containers to communicate with each other and with the host machine. These networks are created using the podman network create command, which allows you to define the network’s name, driver, and other settings. Once created, containers can be connected to the network using the podman run command with the --network option.

Benefits of using Podman networks

  1. Efficient communication: Podman networks enable the communication between containers, allowing them to exchange data and services seamlessly. This is particularly useful in microservices architectures, where multiple services need to interact with each other.
  2. Improved security: Podman networks provide an additional layer of security by isolating containers from each other and from the host machine. This isolation prevents unauthorized access to sensitive data and services, ensuring the integrity of your application.
  3. Simplified network configuration: Podman networks simplify network configuration by providing a centralized management system. This eliminates the need to configure network settings for each container individually, making it easier to manage complex network topologies.

Security considerations

When using Podman networks, it is essential to consider security implications. One critical aspect is the exposure of ports. By default, Podman can expose ports only above 1024 to ensure compatibility with systems that restrict access to lower ports. This is a security measure to prevent unauthorized access to sensitive services.

Best practices for using Podman networks

  1. Use secure networking: Always use secure networking options, such as IPTables or SELinux, to restrict access to your containers and networks.
  2. Limit port exposure: Limit the exposure of ports to only those required by your application. This reduces the attack surface and minimizes the risk of unauthorized access.
  3. Monitor network activity: Regularly monitor network activity to detect and respond to potential security threats.
  4. Use network policies: Implement network policies to define rules for network traffic, ensuring that only authorized traffic is allowed to flow between containers.

Podman networks offer a powerful tool for managing containerized applications, providing efficient communication, improved security, and simplified network configuration. By understanding the security implications of using Podman networks and following best practices, you can ensure the secure operation of your applications. Remember to limit port exposure, use secure networking options, and monitor network activity to maintain the integrity of your application.

Podman network drivers

The main network drivers in Podman are bridge, host, and none. The bridge driver creates a private internal network on the host machine, allowing containers to communicate with each other. The host driver makes the container use the host’s network stack directly, which means the container shares the host’s IP address and network interfaces. The none driver disables all networking for the container, effectively isolating it. By default, Podman uses the bridge network driver. This means that when you start a container, it connects to a virtual network bridge on your host machine, allowing it to communicate with other containers on the same network while keeping it isolated from external networks unless explicitly allowed. This setup provides a good balance of connectivity and security for most use cases.

Expose ports

The --publish (or -p) option in Podman is used to expose and map network ports from your container to the host machine, making it accessible from outside the container. When you run a container, it operates in its own isolated environment, including its own network stack. By default, services running inside the container are not accessible from the outside.

Using --publish, you can specify which ports on the container should be available and map them to ports on the host. For example, --publish 8000:80 maps port 80 inside the container (commonly used for web servers) to port 8080 on the host. This way, when you access localhost:8000 on your host machine, you’re actually reaching the service running inside the container on port 80. This is essential for running web servers, databases, or any networked service in a container that you want to interact with from outside the container environment.

As an example let’s pull the nginx image:

podman image pull docker.io/library/nginx:alpine 
Trying to pull docker.io/library/nginx:alpine...
Getting image source signatures
Copying blob 13fcfbc94648 done  
Copying blob 5406ed7b06d9 done  
Copying blob d4bca490e609 done  
Copying blob e6ef242c1570 done  
Copying blob fc21a1d387f5 done  
Copying blob 4abcf2066143 skipped: already exists  
Copying blob 8a3742a9529d done  
Copying blob 0d0c16747d2c done  
Copying config 501d84f5d0 done  
Writing manifest to image destination
Storing signatures
501d84f5d06487ff81e506134dc922ed4fd2080d5521eb5b6ee4054fa17d15c4

If you start the image without publishing the HTTP port you cannot reach the service by default:

podman run --rm docker.io/library/nginx:alpine

Then in another window try to reach the web server:

curl localhost:80
curl: (7) Failed to connect to localhost port 80 after 0 ms: Couldn't connect to server

Publish the port 8000 with the --publish option and map it to the port 80 in the container:

podman run --rm --publish 8000:80 docker.io/library/nginx:alpine

This time the service is available with using the curl localhost:8000 command.

Podman network operations

List networks

This is the most basic network operation. You can list all of the available networks with the following command:

podman network ls
NETWORK ID    NAME         DRIVER
8b03cfaff361  n_semaphore  bridge
2f259bab93aa  podman       bridge

By default Podman creates a network called podman that is a bridged network to the host network.

Create a network

You can create additional networks with the following command:

podman network create n_networkname
n_networkname

Your containers added to the same network will reach each other. Other containers outside of the network will not reach any of them.

Remove a network

You can remove networks by name:

podman network rm n_networkname 
n_networkname

Prune the networks

Be careful with the prune command! It will remove all networks that is not used by a container.

podman network prune
WARNING! This will remove all networks not used by at least one container.
Are you sure you want to continue? [y/N] y
n_semaphore

An unused network is defined as a network that has no containers connected or configured to connect to it. This command does not remove the default network named podman.

If you want to discuss the topic with other technology-minded people, join my Discord: https://discord.gg/YbSYGsQYES

Now we have an IRC channel as well: irc.libera.chat / #tomsitcafe

Published by tmolnar0831

My name is Tom, and I’m the founder and main contributor to Tom's IT Cafe. I’m a technology enthusiast and IT professional with over two decades of experience in the industry.

Leave a comment