Replies: 3 comments
-
Are you using rootless or rootful podman? Rootless containers would not be allowed to bind to the local port 80 or 443, since they are less than 1024.
-
I've tried both. It might be worth pointing out that when I say rootful I mean I used the Podman Desktop app and, when creating the machine, I specified that option.
-
If it's any help, this is the portion of the cmd script that is used to load the image and start the container, there's some more that sets some of the values and does some checks, but I believe this is the only relevant part. If needed, I do have the tarball of the image, I could extract the data from it and some other values, but I doubt any of this is necessary, however, just in case:
The value of %localport% is 8080, and the container does start, but it immediately shuts down due to the failure in the initial message. And since the first reply, I attempted to create a new podman machine via CLI, without the desktop app, but that didn't seem to make a difference.

EDIT: I've also attempted to create a machine with --rootful --username=root parameters to completely avoid creating a non-root user, and also (pointlessly) --user-mode-networking, but this still has the same result. The theory from above that this all stems from network config, and that podman is actually attempting to either open or use ports on the host machine, seems to be more plausible.
-
Hi all!
My company is trying to switch from Docker to Podman, but we're having some issues with one of our containers. If anyone is familiar with AEMaaCS's Dispatcher, that's the one.
It's supposed to open ports 80 and 443 and pass traffic around on those ports, among some other ports. This worked fine on Docker, but with Podman we're getting errors when it tries to bind to port 80 (possibly the same for port 443, but it breaks before it gets to that):
Wed Sep 4 07:22:05 UTC 2024 Monitoring reload trigger file existence at /etc/httpd/reload started
Starting httpd server
Setting up watches.
Watches established.
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Dispatcher is basically an Apache httpd server, and there are some articles on how you could set it up manually, but those are either extremely basic or outdated.
Now, I've tried setting net.ipv4.ip_unprivileged_port_start to 0 or 80, but this didn't seem to do anything. After some further research, it turns out that networking works quite differently in Podman, and if my understanding is correct, in order for it to bind on port 80, the host machine itself needs to have port 80 open. This is a bit of an issue because we have security policies on our machines that interfere with this, and ideally we'd like to avoid this and make it work more similarly to how Docker does it, where it has its own network and ports opened on that network are only available on the host machine.
Do note that proxies of any kind are somewhat acceptable as solutions, but it's worth keeping in mind that the container in question and its image can't be reasonably modified and shouldn't be if at all avoidable, so any changes need to be done, ideally, in the podman machine running in WSL.
If this makes any difference, this solution (if one is found) will be (again, ideally) automated so all developers can use it.
Thank you all in advance and sorry if I missed an answer to this somewhere.
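An added example to go with the post above; it is not code from the thread or from the Dispatcher image. It takes the httpd error output quoted in the post (sample lines constructed from it), extracts the ports that `make_sock` failed to bind, and classifies each one against the `net.ipv4.ip_unprivileged_port_start` threshold in effect in the network namespace where httpd runs. The `AH00072 ... could not bind to address ...:PORT` message format is assumed to be what httpd always prints for this failure, as in the log quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): relate httpd "make_sock" bind failures
# to the unprivileged-port threshold of the network namespace httpd runs in.

# Constructed sample of the httpd error output quoted in the post.
SAMPLE_LOG='(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs'

# Read the httpd error log on stdin and print the distinct ports it failed
# to bind, one per line (works for both the IPv6 "[::]:80" and the IPv4
# "0.0.0.0:80" forms because ".*:" swallows everything up to the last colon).
failed_bind_ports() {
  grep 'AH00072: make_sock' \
    | sed -n 's/.*could not bind to address .*:\([0-9][0-9]*\)$/\1/p' \
    | sort -un
}

# Read ports on stdin and label each one "privileged" when it is below the
# threshold given as $1 (a non-root httpd then needs CAP_NET_BIND_SERVICE or a
# lower ip_unprivileged_port_start in its own netns), otherwise "other".
classify_ports() {
  threshold="$1"
  while read -r port; do
    if [ "$port" -lt "$threshold" ]; then
      echo "$port privileged"
    else
      echo "$port other"
    fi
  done
}

# Threshold in effect in the *current* network namespace: 0 means any
# unprivileged process may bind any port. Falls back to the kernel default
# of 1024 when the file is unreadable (for example on a non-Linux host).
unprivileged_port_start() {
  cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# diagnose THRESHOLD  (httpd error log on stdin)
diagnose() {
  failed_bind_ports | classify_ports "$1"
}

# Stand-alone usage: run the sample against the default threshold, and
# against the threshold of whatever namespace this script runs in.
printf '%s\n' "$SAMPLE_LOG" | diagnose 1024
printf '%s\n' "$SAMPLE_LOG" | diagnose "$(unprivileged_port_start)"
```

The point of reading the threshold from `/proc/sys` is that the value which matters is the one inside the container's network namespace, not the one on the podman machine or the Windows host; `podman run --sysctl net.ipv4.ip_unprivileged_port_start=0 ...` sets it there, and running the diagnosis with `podman exec` inside the failing container shows which value httpd actually sees. Whether that is what the Dispatcher image needs is an assumption to verify, not something the thread establishes.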