Description
Issue Description
Socket communications cannot be achieved with an IP in *.*.*.1 in a created network ("connection refused").
(Hypothesis, cf. how to reproduce) Podman allows running a container with IP *.*.*.1 while it's already in use.
Steps to reproduce the issue
- podman network create tmp --subnet 10.0.0.0/16
- podman run --network tmp:ip=10.0.0.1 -it alpine
- podman run --network tmp:ip=10.0.0.2 -it alpine
- Try to make them communicate with sockets (I can add a minimalist example in go if needed)
Describe the results you received
The container is running with the requested IP but cannot dial another (e.g. *.*.*.2), while containers in *.*.*.2 and *.*.*.[3-254] can communicate without any issue.
Describe the results you expected
If my hypothesis is right, a result similar to what we get with docker (i.e. raising an error):
docker: Error response from daemon: failed to set up container networking: Address already in use
podman info output
host:
  arch: amd64
  buildahVersion: 1.43.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-1:2.2.1-1
    path: /usr/bin/conmon
    version: 'conmon version 2.2.1, commit: c8cc2c4db27531bd4e084ce7857f73cd21ee639d'
  cpuUtilization:
    idlePercent: 94.63
    systemPercent: 1.64
    userPercent: 3.73
  cpus: 12
  databaseBackend: sqlite
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  freeLocks: 2041
  hostname: archlinux
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 7.0.11-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 401129472
  memTotal: 14490955776
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    defaultNetwork: podman
    dns:
      package: aardvark-dns-1.17.1-1
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.17.1
    package: netavark-1.17.2-2
    path: /usr/lib/podman/netavark
    version: netavark 1.17.2
  ociRuntime:
    name: crun
    package: crun-1.28-1
    path: /usr/bin/crun
    version: |-
      crun version 1.28-dirty
      commit: 54f16ffbefcd022bf032af768b5c5ce075c18bfc
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +JSON_C
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-2026_05_26.038c51e-1
    version: |
      pasta 2026_05_26.038c51e
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 4080107520
  swapTotal: 4294963200
  uptime: 3h 32m 59.00s (Approximately 0.12 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/<user>/.config/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 0
    stopped: 4
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/<user>/.local/share/containers/storage
  graphRootAllocated: 511018270720
  graphRootUsed: 301843427328
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 58
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/<user>/.local/share/containers/storage/volumes
version:
  APIVersion: 5.8.2
  Built: 1776240370
  BuiltTime: Wed Apr 15 10:06:10 2026
  GitCommit: 5b263b5f5b48004a87caac44e67349a8266d9ef4
  GoVersion: go1.26.2-X:nodwarf5
  Os: linux
  OsArch: linux/amd64
  Version: 5.8.2
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
No response
Additional information
It may be related, but with podman it is possible to ping every address that has not yet been assigned to a container, while it's not possible with docker.
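The report's hypothesis is that the requested static address is already in use on the network. As an added example (not code from the reporter or from Podman), this Go pre-flight check compares a requested address with the subnet and gateway a network reports before `podman run --network tmp:ip=...` is issued. `CheckStaticIP` is a hypothetical helper, the JSON sample is constructed, and the `subnets[].subnet` / `subnets[].gateway` layout of `podman network inspect` output is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Constructed sample shaped like `podman network inspect tmp` output
// (assumed field layout: subnets[].subnet and subnets[].gateway).
const sampleInspect = `[{"name":"tmp","driver":"bridge",
 "subnets":[{"subnet":"10.0.0.0/16","gateway":"10.0.0.1"}]}]`

type network struct {
	Name    string `json:"name"`
	Subnets []struct {
		Subnet  string `json:"subnet"`
		Gateway string `json:"gateway"`
	} `json:"subnets"`
}

// CheckStaticIP (hypothetical helper) rejects a requested static address that
// is outside the network's subnets or equals a subnet's gateway.
func CheckStaticIP(inspectJSON, want string) error {
	var nets []network
	if err := json.Unmarshal([]byte(inspectJSON), &nets); err != nil {
		return fmt.Errorf("parse inspect output: %w", err)
	}
	ip, err := netip.ParseAddr(want)
	if err != nil {
		return fmt.Errorf("parse requested address: %w", err)
	}
	for _, n := range nets {
		for _, s := range n.Subnets {
			pfx, err := netip.ParsePrefix(s.Subnet)
			if err != nil || !pfx.Contains(ip) {
				continue // unparsable or a different subnet
			}
			if gw, err := netip.ParseAddr(s.Gateway); err == nil && gw == ip {
				return fmt.Errorf("%s is the gateway of network %q", ip, n.Name)
			}
			return nil
		}
	}
	return fmt.Errorf("%s is outside every subnet of the network", ip)
}

func main() {
	fmt.Println(CheckStaticIP(sampleInspect, "10.0.0.1"))
}
```

On a live host the first argument would be the output of `podman network inspect tmp`. The check covers only the gateway and subnet bounds, not addresses already leased to other containers.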