Podman bridge net isolation
When running multiple containers using Podman, sometimes it’s a good idea to prevent containers from “talking” to each other. Luckily, with the default network driver (the bridge driver) it’s easy; the only roadblock is that the option differs a bit from Docker’s.
By default, Docker networks are separated from each other. Podman’s aren’t: you need to add the isolate: true option. With this flag set, the networks that have it can’t communicate with each other (but mind that networks without the flag still can reach them), while they can still “talk” to the rest of the world.
If there’s a need for a completely separated network, there’s the internal: true option. Only containers on that network can communicate with each other; they can’t reach outside, and can’t be reached.
Here’s a sample compose file to test it out:
name: pod-net-opts
services:
  app1:
    name: app1
    image: jonlabelle/network-tools
    command: tail -F anything
    networks:
      - app1-net
  app2:
    name: app2
    image: jonlabelle/network-tools
    command: tail -F anything
    networks:
      - app2-net
  app3:
    name: app3
    image: jonlabelle/network-tools
    command: tail -F anything
    networks:
      - app3-net
  app4:
    name: app4
    image: jonlabelle/network-tools
    command: tail -F anything
    networks:
      - app4-net
networks:
  # can reach outside, can be reached
  app1-net:
    name: app1-net
    driver: bridge
  # can reach outside; can't be reached from other networks with isolate: true
  # but watch out - a regular bridge network can still reach it,
  # so app3 can't reach app2 (and vice versa), but app1 can
  app2-net:
    name: app2-net
    driver: bridge
    driver_opts:
      isolate: true
  app3-net:
    name: app3-net
    driver: bridge
    driver_opts:
      isolate: true
  # fully isolated, internal network
  app4-net:
    name: app4-net
    internal: true
It uses an image with basic networking tools already installed, so it can simply be launched with podman compose up. Open a terminal session in each container and try pinging the others.
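To know what those pings should show before running them, here is an added example (not from the post or from Podman itself) that encodes the isolate/internal rules described above for the four networks in the compose file and computes the expected reachability matrix. The rule model is an assumption drawn from the post's description; container and network names are the compose file's.

```python
"""Expected reachability for the compose file above (added example).

Rules as the post describes them for Podman's bridge driver:
  * internal: only containers on that same network can talk; no outside.
  * isolate=true: cannot talk to other isolate=true networks, but a plain
    bridge network can still reach it (and vice versa); outside is reachable.
  * plain bridge: reaches everything that is not internal.
"""
from itertools import product

# Constructed from the compose file: network -> driver options.
NETWORKS = {
    "app1-net": {"isolate": False, "internal": False},
    "app2-net": {"isolate": True, "internal": False},
    "app3-net": {"isolate": True, "internal": False},
    "app4-net": {"isolate": False, "internal": True},
}
# Container -> the single network it is attached to.
ATTACHED = {"app1": "app1-net", "app2": "app2-net",
            "app3": "app3-net", "app4": "app4-net"}


def networks_can_talk(a: str, b: str) -> bool:
    """Can a container on network a exchange packets with one on network b?"""
    if a == b:
        return True  # same bridge: always
    na, nb = NETWORKS[a], NETWORKS[b]
    if na["internal"] or nb["internal"]:
        return False  # internal networks only talk to their own members
    if na["isolate"] and nb["isolate"]:
        return False  # two isolate=true networks are walled off from each other
    return True


def can_reach(src: str, dst: str) -> bool:
    """Container src -> container dst, or src -> 'outside'."""
    if dst == "outside":
        return not NETWORKS[ATTACHED[src]]["internal"]
    return networks_can_talk(ATTACHED[src], ATTACHED[dst])


def reachability_matrix() -> dict:
    """{(src, dst): bool} for every container pair plus 'outside'."""
    targets = list(ATTACHED) + ["outside"]
    return {(s, d): can_reach(s, d)
            for s, d in product(ATTACHED, targets) if s != d}


if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability_matrix().items()):
        print(f"{src} -> {dst}: {'expect reply' if ok else 'expect timeout'}")
```

When verifying across networks, ping the other container's IP (from podman inspect) rather than its name, since container names typically resolve only within the same network.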
Sources:
https://docs.podman.io/en/v5.3.1/markdown/podman-network-create.1.html