Containers within a pod can use localhost to access each other. Containers outside of the pod needs to use the pod name to access the containers in the pod.

I looked up when pasta became the default networking backend for rootless and it seems to have been with podman 5.0. I do remember using podman 5.x versions, so I was most likely using pasta.

The reason why I seperated each app into their own network was indeed for security. The only container with access to all the networks is the reverse proxy.

I made a comment on another post a while ago, talking a bit about inter-container/pod networking.

https://sh.itjust.works/comment/17072681

Yeah obsidian’s pretty nice. I use the daily notes feature built into it for my journal.

I ran a podman quadlet setup as a test some time ago. My setup was a little like this:

• Create a pod if the app uses multiple containers
• Create a seperate network for each app (an app is either a single container or multiple containers grouped in a pod)
• Add the reverse proxy container to all networks
• I don’t expose any ports to the host unless necessary

If you create a new network in podman you can access other containers and pods in the same network with their name like so container_name:port or pod_name:port. This functionality is disabled in the default network by default. This works at least in the newer versions last I tried, so I have no idea about older podman versions.

For auto-updates just add this in your .container file under [Container] section:

[Container]
AutoUpdate=registry

Now there’s two main ways you can choose to update:

1. Enable podman-auto-update.timer to enable periodic updates similar to watchtower
2. Run podman auto-update manually

# Check for updates
podman auto-update --dry-run

# Update containers
podman auto-update