Replies: 1 comment
-
In the meantime, I'm going to run with my proxy container set to "host" networking. Not ideal I suppose but seems to be the simplest option with the least compromises.
-
Hi all,
I'm new to Podman and feel like I've been thrown into the deep end a little bit with respect to networking in Podman 5.x and the change from slirp4netns to pasta. I'm trying to do all the right things, running as rootless, using port mapping, keeping everything separate, etc., but I'm running into some roadblocks.
The change to pasta from what I understand essentially breaks the ability to communicate with the host from within the container, which because of how networking works under pasta, also breaks the ability for containers/pods to communicate between each other unless they're in the same pod (or shared network). This is because all the containers essentially get the IP address of the host, and hence unless the host is assigned two or more IP addresses, can't be routed to. Some version of podman 5.x tried to address this by introducing the `host.containers.internal` hostname which is injected into the hosts file of all containers. This points to 169.254.1.2 within the container which is apparently now the default IP address for host-container communication.

I remain confused though about how I'm supposed to configure say an Nginx proxy in Podman while respecting best practices and recommended defaults. I can't rely on `host.containers.internal` as not everything respects /etc/hosts entries, including Nginx in some situations (Nginx Proxy Manager can't deal with host file entries for example). Am I therefore supposed to use 169.254.1.2? What if my containers move around between hosts; the service I'm proxying might be on the same host today, but could be on another container host next week. Ideally my configuration should allow me to move my proxy onto another host and continue to work like nothing changed; the proxy service shouldn't need to know if it's on the same host or not. It undermines one of the benefits of containerisation.

I feel like I need someone to tell me how I'm supposed to configure podman for this common scenario? Am I missing something, or is there just no ideal solution at the moment? I feel like to solve this problem I need to do something not recommended, like changing back to slirp4netns, or changing my networking mode to `host`, or running containers as root, or sharing a network between all my containers, etc. No solution feels appropriate. As we transition some of our services to podman, I also need to educate my colleagues on these things and so I need a solid and predictable solution that can be relied on.

Thoughts?