To do this, I only had to add an extra ipvlan interface on the host. The parent interface cannot exchange traffic with the ipvlan (or macvlan) children stacked on it, but a sibling ipvlan interface on the host can, so this is what lets the host talk to the containers, provided podman also uses ipvlan on the same parent.
- Specify the network that the other hosts will reach this host's containers from, e.g. 10.0.0.0/16.
- Allocate a subnet for the containers. It has to be a slice of that network, because ipvlan puts the containers on the same L2 segment as the host, e.g. 10.0.99.0/24. This subnet should be dedicated to the containers on this host: podman's host-local IPAM does not coordinate with anything else on the LAN, so make sure the LAN's DHCP server never hands out addresses from it.
- Create an ipvlan podman network for the containers. Its subnet is the whole host network, but addresses are allocated only from the smaller range, e.g.:
sudo podman network create -d ipvlan --subnet 10.0.0.0/16 --ip-range 10.0.99.0/24 --ipam-driver host-local podnet
The parent interface defaults to the one carrying the default route; add -o parent=<interface> to pick it explicitly.
- Create a host ipvlan interface and assign it an IP address from the container range, e.g. 10.0.99.1. This is the interface the host uses to talk to the containers.
- Update the podman network so that it skips the address used by the host. The host-local IPAM hands out addresses starting at rangeStart, so edit the generated config:
sudo vim /etc/cni/net.d/podnet.conflist
and change rangeStart from 10.0.99.1 to 10.0.99.2. Note that podman network create regenerates this file, so the edit has to be repeated if the network is ever removed and recreated.
To create the ipvlan interface with systemd-networkd, I had to:
- Add IPVLAN = podnet to the [Network] section of the .network file that configures the host's physical (parent) interface; networkd then creates a podnet interface stacked on that parent.
- Create the configuration for the interface itself:
cat > /etc/systemd/network/podnet.netdev <<EOF
[NetDev]
# ipvlan child of the interface whose .network file carries IPVLAN = podnet
Name = podnet
Kind = ipvlan
EOF
cat > /etc/systemd/network/podnet.network <<EOF
[Match]
Name = podnet
[Network]
IPForward = yes
# /24 rather than /16 on purpose: the more specific route sends traffic for the
# container range through podnet instead of the parent, which cannot reach
# ipvlan children directly.
Address = 10.0.99.1/24
EOF
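The whole procedure above as one script, an added example that is not from the original post. It carries the two checks the layout silently depends on (the container range must lie inside the LAN, and the host's ipvlan address inside that range), automates the rangeStart edit, and writes the networkd units idempotently. The parent interface name eth0, its unit path /etc/systemd/network/20-eth0.network and the explicit -o parent= option are assumptions; the conflist path is the one the post edits.

```shell
#!/bin/sh
# Added example (not from the original post): the ipvlan layout as one script.
# Assumptions not in the post: parent interface eth0, configured by
# /etc/systemd/network/20-eth0.network. Run as root with "apply" to change the host.
set -eu

HOST_NET=10.0.0.0/16      # the LAN; what --subnet gets
POD_RANGE=10.0.99.0/24    # slice of the LAN for this host's containers; what --ip-range gets
HOST_IP=10.0.99.1         # host-side ipvlan address, first address of POD_RANGE
NET_NAME=podnet
PARENT_IF=eth0                                     # assumption
PARENT_UNIT=/etc/systemd/network/20-eth0.network   # assumption
NETWORKD_DIR=/etc/systemd/network
CONFLIST=/etc/cni/net.d/$NET_NAME.conflist         # where podman's CNI backend writes it

# --- address arithmetic in plain sh, no external tools -----------------------
ip2int() {  # 10.0.99.1 -> 167797505
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {  # 167797505 -> 10.0.99.1
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
cidr_first() {  # network address of a CIDR block, as an integer
  mask=$(( (0xFFFFFFFF << (32 - ${1#*/})) & 0xFFFFFFFF ))
  echo $(( $(ip2int "${1%/*}") & mask ))
}
cidr_last() {   # broadcast address of a CIDR block, as an integer
  echo $(( $(cidr_first "$1") + (1 << (32 - ${1#*/})) - 1 ))
}
cidr_within() { # true if block $1 lies entirely inside block $2
  [ "$(cidr_first "$1")" -ge "$(cidr_first "$2")" ] && [ "$(cidr_last "$1")" -le "$(cidr_last "$2")" ]
}
next_ip() { int2ip $(( $(ip2int "$1") + 1 )); }

# ipvlan puts the containers on the parent's L2 segment, so their range must be
# carved out of the LAN, and the host's ipvlan address must come from that range
# (it is the one the IPAM has to skip).
check_layout() {
  cidr_within "$POD_RANGE" "$HOST_NET" || { echo "$POD_RANGE is not inside $HOST_NET" >&2; return 1; }
  cidr_within "$HOST_IP/32" "$POD_RANGE" || { echo "$HOST_IP is not inside $POD_RANGE" >&2; return 1; }
}

# The manual vim edit from the post: move rangeStart off the host's address.
# sed rather than a JSON tool so it works on a bare host; the pattern tolerates
# any spacing around the colon. The file is rewritten in place to keep its mode.
patch_conflist() {  # $1 = conflist path, $2 = host ip
  from=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape the dots for the regex
  to=$(next_ip "$2")
  tmp=$(mktemp)
  sed "s/\(\"rangeStart\"[[:space:]]*:[[:space:]]*\)\"$from\"/\1\"$to\"/" "$1" > "$tmp"
  cat "$tmp" > "$1"; rm -f "$tmp"
}

# The two networkd units from the post, plus the IPVLAN= line in the parent's
# [Network] section (added only once, so re-running is harmless).
write_networkd_units() {  # $1 = directory for the units, $2 = parent .network file
  cat > "$1/$NET_NAME.netdev" <<EOF
[NetDev]
Name=$NET_NAME
Kind=ipvlan
EOF
  # Prefix length of POD_RANGE, not of HOST_NET: the more specific route sends
  # container traffic through the child instead of the parent.
  cat > "$1/$NET_NAME.network" <<EOF
[Match]
Name=$NET_NAME
[Network]
IPForward=yes
Address=$HOST_IP/${POD_RANGE#*/}
EOF
  if ! grep -qx "IPVLAN=$NET_NAME" "$2"; then
    tmp=$(mktemp)
    awk -v line="IPVLAN=$NET_NAME" '{ print } /^\[Network\]/ && !seen { print line; seen = 1 }' "$2" > "$tmp"
    cat "$tmp" > "$2"; rm -f "$tmp"
  fi
}

# Apply everything on the real host; needs root and the CNI network backend.
setup() {
  check_layout
  podman network create -d ipvlan -o parent="$PARENT_IF" \
    --subnet "$HOST_NET" --ip-range "$POD_RANGE" --ipam-driver host-local "$NET_NAME"
  patch_conflist "$CONFLIST" "$HOST_IP"
  write_networkd_units "$NETWORKD_DIR" "$PARENT_UNIT"
  networkctl reload   # or: systemctl restart systemd-networkd
}

case "${1:-}" in apply) setup ;; esac
```

Running the script with no argument only defines the functions, so the address checks and the two file editors can be exercised against copies of the files before anything touches /etc.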
In all fairness, the same approach worked with macvlan instead of ipvlan, but parts of my network were unable to reach the host through the macvlan interface, so I switched to ipvlan for better interoperability. Macvlan gives each child interface its own MAC address, which some links (Wi-Fi adapters and switch ports with port security, for instance) refuse to carry; ipvlan children share the parent's MAC address.
Another issue I faced was due to podman defaulting to netavark, and netavark ipvlan support is only available in podman 4.5+, while I was still on 4.3. Switching the network backend to cni fixed this problem:
cat > /etc/containers/containers.conf <<EOF
[network]
network_backend = "cni"
EOF
If containers.conf already exists, add the [network] table to it instead of overwriting the file. Podman also fixes the backend on first use: once any container or network has been created with netavark, changing network_backend requires podman system reset, which wipes all containers, images and networks. The backend actually in use is shown by podman info --format '{{.Host.NetworkBackend}}'.