[RHEL podman 5.4] pasta should map the host's hostname by default

[Romain-Geissler-1A]

Issue Description

Hi,

Using a rather up to date RHEL 9.6, coming with Red Hat's podman 5.4.0, and thus using past by default, I am unable to connect to the host running podman from inside a running container. We had this issue with podman 5.2 already, thus we hardcoded in our containers.conf:

[network]
# Keep the default we used to have before podman 5.                                                                                                                                        
# TODO: remove this (and so use the podman 5 default of "pasta") when we will migrate to podman >= 5.3.
# Right now we suffer from https://github.com/containers/podman/issues/19213: with podman 5.2 default                                                                                      
# options, we can no longer reach the host where podman is running, typically to ssh into the host. It
# ends up with "connection refused" (if no ssh server is used), or tries to connect to the container                                                                                       
# ssh server (if ssh server runs) instead of the actual host ssh.                                                                                                                          
# This is fixed by https://github.com/containers/podman/pull/23791 which is included in podman 5.3                                                                                         
default_rootless_network_cmd = "slirp4netns"

however now trying to remove this workaround as we use podman 5.4, it still doesn't work by default, while I think it should.

Steps to reproduce the issue

Steps to reproduce the issue

1. Run this, as rootless user, with a default config, on a host that has an ssh deamon running and where $(hostname) returns the fully qualified dns name of the host (in my case, it returns nceoberhel0058.rnd.amadeus.net):

rgeissler@nceoberhel0058:~/workspace/toolchain (release/25.0 $|u=)> podman run -t -i --rm fedora sh -c "dnf install -y telnet && telnet $(hostname) 22"
Updating and loading repositories:
 Fedora 41 - x86_64                                                                                                                                                                        100% |  20.3 MiB/s |  35.4 MiB |  00m02s
 Fedora 41 openh264 (From Cisco) - x86_64                                                                                                                                                  100% |   6.6 KiB/s |   5.8 KiB |  00m01s
 Fedora 41 - x86_64 - Updates                                                                                                                                                              100% |  15.1 MiB/s |  10.1 MiB |  00m01s
Repositories loaded.
Package                                                                       Arch             Version                                                                        Repository                                       Size
Installing:
 telnet                                                                       x86_64           1:0.17-93.fc41                                                                 fedora                                      108.9 KiB

Transaction Summary:
 Installing:         1 package

Total size of inbound packages is 62 KiB. Need to download 62 KiB.
After this operation, 109 KiB extra will be used (install 109 KiB, remove 0 B).
[1/1] telnet-1:0.17-93.fc41.x86_64                                                                                                                                                         100% | 487.9 KiB/s |  62.0 KiB |  00m00s
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[1/1] Total                                                                                                                                                                                100% | 244.9 KiB/s |  62.0 KiB |  00m00s
Running transaction
[1/3] Verify package files                                                                                                                                                                 100% |   0.0   B/s |   1.0   B |  00m00s
[2/3] Prepare transaction                                                                                                                                                                  100% |  21.0   B/s |   1.0   B |  00m00s
[3/3] Installing telnet-1:0.17-93.fc41.x86_64                                                                                                                                              100% |   3.7 MiB/s | 110.0 KiB |  00m00s
Complete!
Trying 10.64.176.26...
telnet: connect to address 10.64.176.26: Connection refused 

2. If I explicitly add the $(hostname) host, then it works, but I wish it would work out of the box, without that explicit argument:

rgeissler@nceoberhel0058:~/workspace/toolchain (release/25.0 $|u=)> podman run -t -i --rm --add-host=$(hostname):host-gateway fedora sh -c "dnf install -y telnet && telnet $(hostname) 22"
Updating and loading repositories:
 Fedora 41 - x86_64                                                                                                                                                                        100% |  23.1 MiB/s |  35.4 MiB |  00m02s
 Fedora 41 openh264 (From Cisco) - x86_64                                                                                                                                                  100% |   8.8 KiB/s |   5.8 KiB |  00m01s
 Fedora 41 - x86_64 - Updates                                                                                                                                                              100% |  15.7 MiB/s |  10.4 MiB |  00m01s
Repositories loaded.
Package                                                                       Arch             Version                                                                        Repository                                       Size
Installing:
 telnet                                                                       x86_64           1:0.17-93.fc41                                                                 fedora                                      108.9 KiB

Transaction Summary:
 Installing:         1 package

Total size of inbound packages is 62 KiB. Need to download 62 KiB.
After this operation, 109 KiB extra will be used (install 109 KiB, remove 0 B).
[1/1] telnet-1:0.17-93.fc41.x86_64                                                                                                                                                         100% | 424.4 KiB/s |  62.0 KiB |  00m00s
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[1/1] Total                                                                                                                                                                                100% | 104.3 KiB/s |  62.0 KiB |  00m01s
Running transaction
[1/3] Verify package files                                                                                                                                                                 100% |   0.0   B/s |   1.0   B |  00m00s
[2/3] Prepare transaction                                                                                                                                                                  100% |  20.0   B/s |   1.0   B |  00m00s
[3/3] Installing telnet-1:0.17-93.fc41.x86_64                                                                                                                                              100% |   3.7 MiB/s | 110.0 KiB |  00m00s
Complete!
Trying 10.64.176.26...
telnet: connect to address 10.64.176.26: Connection refused
Trying 169.254.1.2...
Connected to nceoberhel0058.rnd.amadeus.net.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.7
^C^C^C^C^C^C^C
Connection closed by foreign host.

Describe the results you received

Rootless users are by default unable to reach the host from inside a container.

Describe the results you expected

Rootless users shall by default be able to reach the host from inside the container. Docker (which is used as a rootful deamon 99.99% of the time :( ) allows it by default, so this is kind of an expectation from the OCI engine user that it does work out of the box. It was also working by default before pasta was used by default in podman 5.

podman info output

Client:       Podman Engine
Version:      5.4.0
API Version:  5.4.0
Go Version:   go1.23.9 (Red Hat 1.23.9-1.el9_6)
Built:        Wed Jun  4 10:43:04 2025
OS/Arch:      linux/amd64

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

No response

Additional information

No response

[mheon]

Is there a reason you cannot use the host.containers.internal alias? I believe there are technical limitations around this sort of connection which we can work around, but not if you access directly via external IP. @Luap99 and @sbrivio-rh would know more

[Romain-Geissler-1A]

It might be possible, but for me it feels more like a workaround on user side than something that actually makes sense. I can hardly explain my users that they can reach absolutely all machines we have internally, all except the very one they use to run their containers. Plus then since we also use docker, I will have to tell them: if you run in this environment, you have to use host.containers.internal, otherwise, with the very same container, but run with a different container engine, you will have to use directly the host name, or host.docker.internal. I understand that technically there are implementation details which prevents from implementing this easily, but from user point of view it's really super strange that all machines are reachable, except the host.

I got caught myself multiple times by this: starting a container to quickly experiment a thing, then trying to pull/push my experimentation from a git repo on my machine and ah.... I can't connect to my machine, and now it's too late to update the container config to make it work.... So I use a third machine as jump server, not really convinient.

[Luap99]

Well here is the thing, slirp4netns didn't allow host connection explicitly either. It just happen to work because slirp4netns picked one ip (10.0.2.100), so all other ips were rotatable... But if you host also uses 10.0.2.100 well then you are just out of luck and would need to configure slirp4netns to use a different ip which is also possible with pasta. But the thing with pasta is we know have a well defined hostname host.containers.internal to always allow such connection.

Pasta simply choose a different default by not picking a static ip to use but rather reuses the same as the host to avoid "NAT", this comes with other advantages. Some services require a local subnet and don't allow connections from another subnet with pasta this just works.

Anyway no need to rehash the same points over and over, I wrote in detail on our blog and there are plenty of already existing issues on this repo. If you want the old slirp behavior just configure pasta to use a static ip

pasta_options = ["-a", "10.0.2.100", "-n", "24", "-g", "10.0.2.2", "--dns-forward", "10.0.2.3"]

https://blog.podman.io/2024/03/podman-5-0-breaking-changes-in-detail/
https://blog.podman.io/2024/10/podman-5-3-changes-for-improved-networking-experience-with-pasta/