Podman in 23.05

After upgrading to 23.05 my containers stopped working. It seems to be caused by podman switching from cni to netavark. There is /etc/config/netavark, but it selects the none driver, so I guess I have to create a bridge and configure the firewall for podman manually. Does anyone have a working configuration that integrates with the system firewall?

I think @oskari.rauta is using podman on his router, as it gets updates from time to time. Maybe he can help you with that.

Working examples and instructions:


I was able to get it working in the meantime with a bridge like this:

config device
	option name 'podman'
	option type 'bridge'
	option bridge_empty '1'

config interface 'podman'
	option proto 'static'
	option device 'podman'
	option ipaddr ...
	option netmask ...

podman.json specifies that bridge, and started containers get a veth interface added to the bridge. It survives reloading the firewall. I have no idea what the cni proto/device does and whether there are any advantages in my use case.
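To complete the bridge above on the firewall side, here is an added example (not from any of the posts in this thread) of a matching /etc/config/firewall fragment that gives the podman interface its own zone. The zone policies, the wan/lan zone names and the DNS rule are assumptions; adjust them to the addresses used in the network config above.

```uci
# /etc/config/firewall (added example; zone name, policies and rule are assumptions)

# Put the 'podman' interface from /etc/config/network in its own zone so that
# container traffic is not silently treated as LAN traffic.
config zone
	option name 'podman'
	list network 'podman'
	option input 'REJECT'     # containers do not reach router services by default
	option output 'ACCEPT'    # router may talk to containers
	option forward 'REJECT'   # no forwarding between podman interfaces via the router

# Let containers reach the internet; the existing wan zone's masq handles NAT.
config forwarding
	option src 'podman'
	option dest 'wan'

# Allow only the router services the containers actually need, here DNS.
config rule
	option name 'Allow-podman-DNS'
	option src 'podman'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

# Uncomment to let LAN clients reach container ports directly (no NAT needed
# on the same router); leave it out if containers should stay reachable only
# through published ports.
#config forwarding
#	option src 'lan'
#	option dest 'podman'
```

Apply with `/etc/init.d/firewall reload`; because the podman bridge is a normal UCI interface, the zone survives a firewall reload just like the bridge itself.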

cni protocol allows defining a cni/netavark network bound to a physical (except really it's virtual) device dynamically. Your config does pretty much the same, with the exception that you need to configure it twice; once for cni/netavark and once in the network configuration.

Both solutions work; in my case, I'd rather have it distinguished to make the network configuration clearer, but surely it sticks out enough with the network name (podman) as well.

cni-protocol and its luci counterpart are support packages to ease the process, making it a bit more streamlined and less of a case where the user needs to wonder how they are supposed to do this... But it's all in the perspective of the viewer which way to go, and it's great that there are multiple solutions available.

By the way, I recommend beginning to move to netavark, as cni is deprecated and in any upcoming release it might be dropped. There were good things about cni, one being that it was significantly simpler and smaller in binary size (netavark is written in Rust) - but it's what they have decided: https://github.com/containers/podman/blob/main/cni/README.md

cni-protocol package has nothing to do with "cni" - it's more an "externally managed general protocol"; so moving to netavark or using it for something else has nothing to do with cni; I just didn't want to rename it to netavark-protocol or do other things like that.
