contrib/sni-router: document OpenWrt + podman-compose network workaround#523
Merged
OpenWrt firewall zones are bound to interface names. With bare podman you can pin the static podman0 bridge into a zone, but podman-compose creates a project-scoped network and netavark spawns a fresh bridge (podman1, podman2, ...) per project — with no firewall rules — so containers lose outbound access. Mark the default network as external/name=podman to attach to the router-managed podman0 instead. Background: #513.
Summary

Documents a footgun spotted via discussion #513: when the `contrib/sni-router` stack is deployed on OpenWrt with `podman-compose`, containers lose outbound network access.

Root cause: `podman-compose up` creates a project-scoped network, and netavark spawns a fresh bridge (`podman1`, `podman2`, …) for it that has no firewall rules — OpenWrt zones are bound to interface names and only know about the static `podman0` from `/etc/init.d/podman`.

The fix is a one-liner the user adds to their local `docker-compose.yml`:

This PR just adds a short "OpenWrt + podman-compose" section to the sni-router README explaining this, with links to the discussion and the OpenWrt forum thread where two solutions were vetted. Doc-only; no code, no compose-file change (Docker users see no diff).

Background

Notes

- `external: true` form over plain `name: podman` because the router-managed `podman0` may have IPAM/driver settings that don't match what compose would otherwise try to assert, leading to "network already exists with different settings". `external: true` makes "do not touch this network" explicit.
- `docker-compose.yml` — it stays portable for Docker users; the README points OpenWrt users at the local override they need.
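As an added example (not a file from the sni-router tree and not part of this PR), this is the shape of the local override the Summary and Notes describe. It assumes the stack's services attach to compose's implicit `default` network and that the router-managed network (the one whose bridge interface is `podman0`) is named `podman`; both names are assumptions to check against `podman network ls` on the router.

```yaml
# docker-compose.override.yml  (added example; assumed file name, placed next to
# the stack's docker-compose.yml so compose merges it automatically)
#
# Goal: stop podman-compose from creating a project-scoped network (which netavark
# would back with a new, zone-less bridge such as podman1) and instead attach the
# services to the existing router-managed network whose bridge is podman0.

networks:
  default:
    # "external" tells compose the network already exists and must not be created,
    # inspected-and-reconciled, or removed on `down`. Without it, a plain
    # `name: podman` can still fail with "network already exists with different
    # settings" when the router's IPAM/driver options differ from compose's defaults.
    external: true
    # Assumed name of the router-managed podman network (bridge interface podman0).
    name: podman
```

Because the override only redefines `default`, the shipped `docker-compose.yml` is untouched and Docker users keep the stock behaviour; only hosts that carry this override file attach to the zone-bound `podman0` bridge.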