Podman-compose doesn't have network access

bam80 · May 16, 2026, 1:17pm

Hi, I need help with podman-compose setup.

I tried to follow the guide for podman here:

The network instructions there appear to work for bare podman (I managed to build the image with podman build, and during the build outside network was accessible).
In the result, new podman0 interface is added, with all firewall rules set suffice for wan network assess from within the container.

The problem arose with podman-compose - resulting container has no access to outside network.
I'm trying to run just simple Caddy web server with it.
On start, podman-compose apparently creates additional temporary podman1 interface (see 'sni-router_default' network below), which doesn't have all the firewall rules needed for network access, so outgoing connections are refused:

## in the compose dir
# podman-compose up
...
INFO:podman_compose:building images: ...
INFO:podman_compose:['podman', 'inspect', '-t', 'image', '-f', '{{.Id}}', 'sni-router_web']
INFO:podman_compose:['podman', 'inspect', '-t', 'image', '-f', '{{.Id}}', 'sni-router_haproxy']
INFO:podman_compose:['podman', 'ps', '--filter', 'label=io.podman.compose.project=sni-router', '-a', '--format', 'json']
INFO:podman_compose:podman pod exists pod_sni-router
INFO:podman_compose:exit code: 1
INFO:podman_compose:podman pod create --name=pod_sni-router --infra=false --share=
640a7714978873cfa4968ae9f85928643b8271a6739603650029c321e1fe50b3
INFO:podman_compose:exit code: 0
INFO:podman_compose:creating missing containers: ...

INFO:podman_compose:['podman', 'network', 'exists', 'sni-router_default']
INFO:podman_compose:['podman', 'network', 'create', '--label', 'io.podman.compose.project=sni-router', '--label', 'com.docker.compose.project=sni-router', 'sni-router_default']
INFO:podman_compose:['podman', 'network', 'exists', 'sni-router_default']
...

[web]     | {"level":"error","ts":1778934236.8158476,"logger":"tls.obtain","msg":"will retry","error":"... Obtain: registering account [] with server: provisioning client: performing request: Get \"https://acme-staging-v02.api.letsencrypt.org/directory\": dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 10.90.0.1:53: read udp 10.90.0.3:58393->10.90.0.1:53: read: connection refused","attempt":9,"retrying_in":1200,"elapsed":3739.669489355,"max_duration":2592000}

The podman1 interface has different subnet than the podman0 one, and I couldn't just use it in /etc/config/network instead:

# ip addr
...
1610: podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 16:e2:bf:13:10:59 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global podman0
       valid_lft forever preferred_lft forever
    inet 10.89.0.1/16 brd 10.89.255.255 scope global podman0
       valid_lft forever preferred_lft forever
1611: podman1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether a6:30:1e:43:14:47 brd ff:ff:ff:ff:ff:ff
    inet 10.90.0.1/24 brd 10.90.0.255 scope global podman1
       valid_lft forever preferred_lft forever
    inet6 fe80::a430:1eff:fe43:1447/64 scope link 
       valid_lft forever preferred_lft forever

At this point I'm pretty stuck.
Any help is appreciated, thanks.

@kirdes @Boilerplate4U @killgufo @phinn

kirdes · May 17, 2026, 9:56am

I don't use podman-compose. But according to the compose docs it's possible to set the network within the compose.yaml.

For example:

github.com/containers/podman-compose

tests/integration/default_net_behavior/docker-compose_one_net_compat.yaml

71e0fbd39


      
          services:
            web:
              image: busybox
              command: httpd -f -p 8123 -h /tmp/
          
          networks:
            net0: {}
          
          x-podman:
            default_net_behavior_compat: true

bam80 · May 17, 2026, 11:31am

Thanks, but what does it give me?
Can I somehow refer to the network including podman0 interface here?
Is that network even exists?

kirdes · May 17, 2026, 11:45am

Yeah, that's what I meant, refer to the existing network "podman0" should work.

bam80 · May 17, 2026, 8:37pm

With this network configuration, podman-compose apparently doesn't create a new network any more, thanks for the tip!

networks:
  default: 
    name: podman

## before the app start
# podman network ls
NETWORK ID    NAME        DRIVER
5ef894788bef  podman      bridge

# podman-compose up
...

## after the app start
# podman network ls
NETWORK ID    NAME        DRIVER
5ef894788bef  podman      bridge

Without this configuration, it created an extra sni-router_default network causing the problem:

# podman network ls
NETWORK ID    NAME                DRIVER
5ef894788bef  podman              bridge
c60ef0a756d0  sni-router_default  bridge

While this solution should work (I didn't test it from scratch), it requires podman-specific changes in the compose file.
I found another solution which doesn't require it, will report in the next comment.

bam80 · May 17, 2026, 9:02pm

So my solution is following.

In the Firewall Zone Settings of zone specially created for Podman, add the temporary podman1 interface to the "Covered devices":

That's OK even if the interface doesn't exist (when your containers are stopped):

This solves the original problem without changing the compose file.

I'll mark this as a solution, probably we should document both it and the above one in the Wiki.
If someone has something to add, please do.

Special thanks to @kirdes for reply and the tip