graph TB
a1[curl] -.->a2[traefik container reverse proxy]
a2 -->|"for http://whoami"| a3["whoami container"]
Set up a systemd user service example1.service for the user test where rootless podman is running the container image localhost/traefik. Configure socket activation for TCP ports 80 and 443.
-
Verify that unprivileged users are allowed to open port numbers 80 and above. Run the command
cat /proc/sys/net/ipv4/ip_unprivileged_port_start
Make sure the number printed is not higher than 80. To configure the number, see https://rootlesscontaine.rs/getting-started/common/sysctl/#allowing-listening-on-tcp--udp-ports-below-1024
-
Create a test user
sudo useradd test
-
Open a shell for user test
sudo machinectl shell --uid=test
-
Optional step: enable lingering to prevent the services from being stopped when the user test logs out.
loginctl enable-linger test
-
Create directories
mkdir -p ~/.config/systemd/user
mkdir -p ~/.config/containers/systemd
-
Pull the traefik container image
podman pull docker.io/library/traefik
-
Pull the whoami container image
podman pull docker.io/traefik/whoami
-
Clone git repo
git clone https://github.com/eriksjolund/podman-traefik-socket-activation.git
-
Install the container unit files
cp podman-traefik-socket-activation/examples/example1/*.container ~/.config/containers/systemd/
-
Install the network unit file
cp podman-traefik-socket-activation/examples/example1/mynet.network ~/.config/containers/systemd/
-
Install the socket unit files
cp podman-traefik-socket-activation/examples/example1/*.socket ~/.config/systemd/user/
-
Reload the systemd user manager
systemctl --user daemon-reload
-
Start the podman socket. (The path to the unix socket is
$XDG_RUNTIME_DIR/podman/podman.sock
which would for example expand to /run/user/1003/podman/podman.sock if the UID of the user test is 1003)
systemctl --user start podman.socket
-
Start the socket for TCP port 80
systemctl --user start http.socket
-
Start the socket for TCP port 443
systemctl --user start https.socket
-
Start the whoami container
systemctl --user start whoami.service
-
Start the traefik container
systemctl --user start mytraefik.service
This step was added due to traefik issue 7347.
-
Wait a few seconds
sleep 3
This is also related to traefik issue 7347. Traefik sends
READY=1
before traefik is ready.
-
Download a web page http://whoami from the traefik container and see that the request is proxied to the container whoami. Resolve whoami to 127.0.0.1.
$ curl -s --resolve whoami:80:127.0.0.1 http://whoami:80
Hostname: 0315603f400d
IP: 127.0.0.1
IP: ::1
IP: 10.89.0.2
IP: fe80::18fe:c3ff:fe9e:d8ee
RemoteAddr: 10.89.0.3:37168
GET / HTTP/1.1
Host: whoami
User-Agent: curl/8.6.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: whoami
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 046d07b93fc9
X-Real-Ip: 127.0.0.1
result: The IPv4 address 127.0.0.1 matches the IP address of X-Forwarded-For and X-Real-Ip
-
Check the IPv4 address of the main network interface. Run the command
hostname -I
The following output is printed
192.168.10.108 192.168.39.1 192.168.122.1 fd25:c7f8:948a:0:912d:3900:d5c4:45ad
result: The IPv4 address of the main network interface is 192.168.10.108 (the address furthest to the left)
-
Download a web page http://whoami from the traefik container and see that the request is proxied to the container whoami. Resolve whoami to the IP address of the main network interface. Run the command
curl --resolve whoami:80:192.168.10.108 http://whoami
The following output is printed
Hostname: 0315603f400d
IP: 127.0.0.1
IP: ::1
IP: 10.89.0.2
IP: fe80::18fe:c3ff:fe9e:d8ee
RemoteAddr: 10.89.0.3:37168
GET / HTTP/1.1
Host: whoami
User-Agent: curl/8.6.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 192.168.10.108
X-Forwarded-Host: whoami
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 046d07b93fc9
X-Real-Ip: 192.168.10.108
result: The IPv4 address of the main network interface, 192.168.10.108, matches the IPv4 address of X-Forwarded-For and X-Real-Ip
-
From another computer download a web page http://whoami from the traefik container and see that the request is proxied to the container whoami.
curl --resolve whoami:80:192.168.10.108 http://whoami
The following output is printed
Hostname: 0315603f400d
IP: 127.0.0.1
IP: ::1
IP: 10.89.0.2
IP: fe80::18fe:c3ff:fe9e:d8ee
RemoteAddr: 10.89.0.3:42586
GET / HTTP/1.1
Host: whoami
User-Agent: curl/8.7.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 192.168.10.161
X-Forwarded-Host: whoami
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 046d07b93fc9
X-Real-Ip: 192.168.10.161
Check the IP address of the other computer (which in this example runs macOS). In the macOS terminal run the command
ipconfig getifaddr en0
The following output is printed
192.168.10.161
result: The IPv4 address of the other computer matches the IPv4 address of X-Forwarded-For and X-Real-Ip
troubleshooting tip: If the curl command fails with
Connection timed out
or
Connection refused
then there is probably a firewall blocking the connection. How to open up the firewall is beyond the scope of this tutorial.
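The three curl checks above all compare the X-Forwarded-For and X-Real-Ip headers reported by whoami with the address the request was sent from. Here is that comparison as an added shell helper (not part of the podman-traefik-socket-activation repo), together with the port check from the first step; the response text it parses is a constructed sample in the whoami format shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example: verify that traefik forwards the real client IP to whoami.

# Print the value of a "Name: value" line from a whoami response body.
# $1 = response text, $2 = header name (without the colon)
whoami_header() {
  printf '%s\n' "$1" | awk -v name="$2:" '$1 == name { print $2; exit }'
}

# Succeed (exit 0) only when both X-Forwarded-For and X-Real-Ip equal
# the expected client IP; anything else (missing header, wrong IP) fails.
# $1 = response text, $2 = expected client IP
check_forwarded_ip() {
  xff=$(whoami_header "$1" "X-Forwarded-For")
  xri=$(whoami_header "$1" "X-Real-Ip")
  [ -n "$xff" ] && [ "$xff" = "$2" ] && [ "$xri" = "$2" ]
}

# Mirror of the first tutorial step: rootless podman can only bind ports
# 80 and 443 when ip_unprivileged_port_start is 80 or lower.
# $1 = contents of /proc/sys/net/ipv4/ip_unprivileged_port_start
unprivileged_port_ok() {
  [ "$1" -le 80 ]
}

# Constructed sample response (hostnames and addresses made up, same
# line layout as the whoami container prints).
SAMPLE='Hostname: 0315603f400d
IP: 127.0.0.1
IP: 10.89.0.2
RemoteAddr: 10.89.0.3:42586
GET / HTTP/1.1
Host: whoami
X-Forwarded-For: 192.168.10.161
X-Forwarded-Host: whoami
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Real-Ip: 192.168.10.161'

# Live use against the setup from this page (commented out; needs the
# running traefik and whoami containers):
# body=$(curl -s --resolve whoami:80:192.168.10.108 http://whoami)
# check_forwarded_ip "$body" "$(hostname -I | awk '{print $1}')" && echo OK
# unprivileged_port_ok "$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start)"
```

Run it on the actual curl output by uncommenting the last lines and replacing 192.168.10.108 with the address printed by hostname -I.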
The file mynet.network currently contains
[Network]
Internal=true
The line
Internal=true
prevents containers on the network from connecting to the internet. To allow containers on the network to download files from the internet you would need to remove the line.