allow_host_loopback=true does not work on MacOS

[miladhub]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

I cannot reach / ping / telnet the host from a container.

Steps to reproduce the issue:

1. Create a file named "foo" with contents "bar"

$ echo bar >> foo

2. Create a web server on the folder

$ python3 -m http.server 8000

3. From another terminal tab, create a container with slirp4netns:allow_host_loopback=true from which to attempt a curl command:

$ podman run --rm --network slirp4netns:allow_host_loopback=true  docker.io/library/fedora \
    curl -sS http://10.0.2.2:8000/foo

Describe the results you received:

curl: (7) Failed to connect to 10.0.2.2 port 8000 after 0 ms: Connection refused

Describe the results you expected:

I had expected to see the contents, "bar", as if I were executing the curl command from the host:

$ curl -sS http://localhost:8000/foo
bar

Additional information you deem important (e.g. issue happens only occasionally):

I've tried the above steps both on an M1 Mac Book Air and from an Intel Mac Book Pro (2015), the result is the same. The Podman version is also the same in both environments.

Output of podman version:

Client:
Version:      3.4.2
API Version:  3.4.2
Go Version:   go1.17.2
Built:        Fri Nov 12 17:08:25 2021
OS/Arch:      darwin/arm64

Server:
Version:      3.4.1
API Version:  3.4.1
Go Version:   go1.16.8
Built:        Wed Oct 20 16:32:52 2021
OS/Arch:      linux/arm64

Output of podman info --debug:

host:
  arch: arm64
  buildahVersion: 1.23.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.30-2.fc35.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.30, commit: '
  cpus: 1
  distribution:
    distribution: fedora
    variant: coreos
    version: "35"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.18-300.fc35.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 404496384
  memTotal: 2048815104
  ociRuntime:
    name: crun
    package: crun-1.3-1.fc35.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.3
      commit: 8e5757a4e68590326dafe8a8b1b4a584b10a1370
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc35.aarch64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 2h 36m 25.79s (Approximately 0.08 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 0
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 4
  runRoot: /run/user/1000/containers
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.1
  Built: 1634740372
  BuiltTime: Wed Oct 20 14:32:52 2021
  GitCommit: ""
  GoVersion: go1.16.8
  OsArch: linux/arm64
  Version: 3.4.1

Package info (e.g. output of rpm -q podman or apt list podman):

$ brew info podman
podman: stable 3.4.2 (bottled), HEAD
Tool for managing OCI containers and pods
https://podman.io/
/opt/homebrew/Cellar/podman/3.4.2 (170 files, 40.9MB) *
  Poured from bottle on 2021-12-04 at 14:04:37
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/podman.rb
License: Apache-2.0
==> Dependencies
Build: go ✘, go-md2man ✘
Required: qemu ✔
==> Options
--HEAD
	Install HEAD version
==> Caveats
zsh completions have been installed to:
  /opt/homebrew/share/zsh/site-functions
==> Analytics
install: 12,005 (30 days), 38,558 (90 days), 70,680 (365 days)
install-on-request: 12,009 (30 days), 38,563 (90 days), 70,652 (365 days)
build-error: 0 (30 days)

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes.

Additional environment details (AWS, VirtualBox, physical, etc.):

Physical, Mac Book Air M1.

[Luap99]

allow_host_loopback=true is a slipr4netns setting to allow the container to access the loopback adapter from the podman host. In the case of podman machine this is the VM not your macos host. To access your VM host you should use host.containers.internal dns name. The slirp option is not needed for this.

[miladhub]

It doesn't work either, regardless of the slirp4netns option:

$ podman run --rm docker.io/library/fedora curl -sS http://host.containers.internal:8000/foo
curl: (7) Failed to connect to host.containers.internal port 8000 after 1 ms: Connection refused
$ podman run --rm --network slirp4netns:allow_host_loopback=true docker.io/library/fedora curl -sS http://host.containers.internal:8000/foo
curl: (7) Failed to connect to host.containers.internal port 8000 after 2 ms: Connection refused

These are the contents of the /etc/hosts file in the two cases:

$ podman run --rm docker.io/library/fedora cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.88.0.2	61ed26b38390 frosty_dhawan
10.88.0.1 host.containers.internal
$ podman run --rm --network slirp4netns:allow_host_loopback=true docker.io/library/fedora cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
# used by slirp4netns
10.0.2.100	1e601a0144a3 magical_gould
10.0.2.2 host.containers.internal

What IP / DNS name should I use from the container the VM host? I need to access my Mac.

Thanks in advance.

[Luap99]

Ah commit cf28dab was not backported to v3.4.

[miladhub]

Thank you for reopening, let me know if there's anything I can do to test.

[Luap99]

Does podman machine ssh nslookup host.containers.internal work for you?

[Luap99]

PR #12517 for the backport to 3.4

[miladhub]

podman machine ssh nslookup host.containers.internal

This is the result:

$ podman machine ssh nslookup host.containers.internal
Warning: Permanently added '[localhost]:56663' (ECDSA) to the list of known hosts.
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	host.containers.internal
Address: 192.168.127.254

[Luap99]

If you use 192.168.127.254 it should work, the PR linked above will allow host.containers.internal in the next 3.4 release

[miladhub]

I confirm that this command works:

$ podman run --rm docker.io/library/fedora curl -sS http://192.168.127.254:8000/foo

If you use 192.168.127.254 it should work, the PR linked above will allow host.containers.internal in the next 3.4 release

Great! So I'll wait for the next 3.4 and try it out. Thanks!

[Luap99]

Closing since the PR is merged, the next release happens today or tomorrow but you will need to wait until the podman version inside the VM is updated which will take at least two weeks.

[miladhub]

I'm now using podman 3.4.4, but the issue still remains - how exactly can I reach my MacOS machine from the container?

I've tried them all:

$ podman run --rm --network slirp4netns:allow_host_loopback=true  docker.io/library/fedora curl -sS http://host.containers.internal:8000/foo
curl: (7) Failed to connect to host.containers.internal port 8000 after 0 ms: Connection refused
$ podman run --rm docker.io/library/fedora curl -sS http://host.containers.internal:8000/foo
curl: (7) Failed to connect to host.containers.internal port 8000 after 0 ms: Connection refused
$ podman run --rm docker.io/library/fedora curl -sS http://localhost:8000/foo
curl: (7) Failed to connect to localhost port 8000 after 0 ms: Connection refused
$ podman run --rm --network slirp4netns:allow_host_loopback=true  docker.io/library/fedora curl -sS http://localhost:8000/foo
curl: (7) Failed to connect to localhost port 8000 after 0 ms: Connection refused

This is the /etc/hosts file in the two cases:

$ podman run --rm docker.io/library/fedora cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.88.0.2	103cd89dc1d2 clever_allen
10.88.0.1 host.containers.internal
$ podman run --rm --network slirp4netns:allow_host_loopback=true docker.io/library/fedora cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
# used by slirp4netns
10.0.2.100	715d8a628890 jolly_cohen
10.0.2.2 host.containers.internal

My Mac's IP is:

$ ipconfig getifaddr en0
192.168.1.4

so I expected to find this IP in the container's /etc/hosts file.

[Luap99]

As stated before you have to wait until podman is updated inside the VM.

[miladhub]

Does this happen automatically in ~2 weeks, as you said?

[rhatdan]

yup

[miladhub]

I confirm that it now works:

$ podman version
Client:
Version:      3.4.4
API Version:  3.4.4
Go Version:   go1.17.3
Built:        Wed Dec  8 19:41:11 2021
OS/Arch:      darwin/arm64

Server:
Version:      3.4.4
API Version:  3.4.4
Go Version:   go1.16.8
Built:        Wed Dec  8 22:48:10 2021
OS/Arch:      linux/arm64
$ podman run --rm docker.io/library/fedora curl -sS http://host.containers.internal:8000/foo
bar

Thank you again!