Hi,
My photoprism WebGUI is showing ERR_CONNECTION_TIMED_OUT when I try to access it from my desktop browser.
I tried `curl` from my desktop but it still times out: `curl: (28) Failed to connect to 192.168.50.100 port 2342: Connection timed out`
Then I ssh-ed into OMV and tried curl and I got the proper response (I assume).
So I think this seems to be a networking issue. I don't have any ip rules set from OMV GUI. Does anyone know if there is any extra step for the podman/photoprism regarding networking to make the photoprism WebGUI accessible from other machines in the local network?
Photoprism not accessible from local network
-
-
```
# iptables -nvL --table nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1427 87986 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
1395 86050 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1059 105K DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
1617 141K CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
17 5122 MASQUERADE all -- * !br-a1c181032ff0 172.21.0.0/16 0.0.0.0/0
7329 1069K CNI-HOSTPORT-MASQ all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd requiring masquerade */
0 0 MASQUERADE all -- * !docker_gwbridge 172.18.0.0/16 0.0.0.0/0
2429 293K MASQUERADE all -- * !br-5e7e2b0ef60c 172.19.0.0/16 0.0.0.0/0
32 6154 MASQUERADE all -- * !br-4ff5124ddf29 172.20.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:9000
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:8000
0 0 MASQUERADE tcp -- * * 172.19.0.2 172.19.0.2 tcp dpt:8088
0 0 MASQUERADE tcp -- * * 172.19.0.2 172.19.0.2 tcp dpt:6881
0 0 MASQUERADE udp -- * * 172.19.0.2 172.19.0.2 udp dpt:6881
0 0 MASQUERADE tcp -- * * 172.21.0.2 172.21.0.2 tcp dpt:8929
0 0 MASQUERADE tcp -- * * 172.21.0.2 172.21.0.2 tcp dpt:22
0 0 MASQUERADE tcp -- * * 172.20.0.2 172.20.0.2 tcp dpt:19999
0 0 CNI-2e01ef6200ee9e6547c06caf all -- * * 172.16.16.10 0.0.0.0/0 /* name: "podman" id: "f71f3b4be46e1b98cb1f4c3a8d9827e8f0ef11671142472c381947192cd9b790" */

Chain CNI-2e01ef6200ee9e6547c06caf (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 172.16.16.0/24 /* name: "podman" id: "f71f3b4be46e1b98cb1f4c3a8d9827e8f0ef11671142472c381947192cd9b790" */
0 0 MASQUERADE all -- * * 0.0.0.0/0 !224.0.0.0/4 /* name: "podman" id: "f71f3b4be46e1b98cb1f4c3a8d9827e8f0ef11671142472c381947192cd9b790" */

Chain CNI-DN-2e01ef6200ee9e6547c06 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 172.16.16.0/24 0.0.0.0/0 tcp dpt:2342
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:2342
120 6560 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2342 to:172.16.16.10:2342

Chain CNI-HOSTPORT-DNAT (2 references)
pkts bytes target prot opt in out source destination
120 6560 CNI-DN-2e01ef6200ee9e6547c06 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "podman" id: "f71f3b4be46e1b98cb1f4c3a8d9827e8f0ef11671142472c381947192cd9b790" */ multiport dports 2342

Chain CNI-HOSTPORT-MASQ (1 references)
pkts bytes target prot opt in out source destination
3 180 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000/0x2000

Chain CNI-HOSTPORT-SETMARK (2 references)
pkts bytes target prot opt in out source destination
3 180 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd masquerade mark */ MARK or 0x2000

Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-a1c181032ff0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- docker_gwbridge * 0.0.0.0/0 0.0.0.0/0
22 1428 RETURN all -- br-5e7e2b0ef60c * 0.0.0.0/0 0.0.0.0/0
14 972 RETURN all -- br-4ff5124ddf29 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9000 to:172.17.0.2:9000
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:172.17.0.2:8000
0 0 DNAT tcp -- !br-5e7e2b0ef60c * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088 to:172.19.0.2:8088
0 0 DNAT tcp -- !br-5e7e2b0ef60c * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6881 to:172.19.0.2:6881
1 132 DNAT udp -- !br-5e7e2b0ef60c * 0.0.0.0/0 0.0.0.0/0 udp dpt:6881 to:172.19.0.2:6881
0 0 DNAT tcp -- !br-a1c181032ff0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8929 to:172.21.0.2:8929
0 0 DNAT tcp -- !br-a1c181032ff0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2224 to:172.21.0.2:22
31 1804 DNAT tcp -- !br-4ff5124ddf29 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:19999 to:172.20.0.2:19999
```
Here is the output from iptables -nvL --table nat
-
Make sure you do not have the omv-extras.org Docker plugin activated (remove it).
There is a conflict between Docker and podman CNI networking.
Once Docker is installed and you reboot OMV then it breaks the podman based container networking.
-
-
> There is a conflict between Docker and podman CNI networking.
> Once Docker is installed and you reboot OMV then it breaks the podman based container networking.

Seems to be an issue on your system, but not in general.
-
This broke on my system too, and removing docker that was installed through omv-extras seemed to fix it. (weirdly this wasn't a problem previously, I don't know what changed)
I also had a problem with cgroupv2 management which I fixed with `sudo apt-get install dbus-user-session uidmap`
Before I did the above steps, I could access photoprism locally (e.g. with lynx or curl) but not on the network - after the above and a reboot, all was well.
Thanks
-
> Make sure you do not have the omv-extras.org Docker plugin activated (remove it).
> There is a conflict between Docker and podman CNI networking.
> Once Docker is installed and you reboot OMV then it breaks the podman based container networking.

Hi!
But what can I do if I need both (Docker and PhotoPrism plugin)? How to make them work at the same time?
-
-
> Hi!
> But what can I do if I need both (Docker and PhotoPrism plugin)? How to make them work at the same time?

Shouldn't be a problem.
I run the wetty plugin (which is also podman) and all my other containers are run via docker. I don't use photoprism, but I can't imagine it is much different.
-
You can set up PhotoPrism from docker.
-
> You can set up PhotoPrism from docker.

Yes. Thank you! I have already done it this way!
-
-
Hi,
I'm having the same issue (curl works on ssh, but not from outside the OMV6 server).
I cannot drop docker, as I'm already using it to run other stuff (wireguard, duckdns).
I assume I have no choice other than going with docker for any app installed through a plugin that fails in the same way?
-
I have this problem also. If the networking rules are the issue, is there a way to work out what the bad rules are and fix them?
I have other things running in docker so am hoping to use Photoprism through the plugin. Every time I try to do something in Docker I mess it up so hoping to stay clear of that.
How would one look at the networking rules to work out where it's not working?
EDIT!!!!!
I really don't know what I'm doing but I found a solution. Podman and docker are using the same subnet, but docker hijacks the subnet.
Easy way:
1. Make a firewall rule to allow port 2342 (through GUI)
2. Change the IP address range in `/etc/cni/net.d/87-podman-ptp.conflist`
3. Reboot
See the link for the proper way to do it. Note: choose a subnet away from what docker uses. I used 192.16.16.0/24
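
Added example, not from the original post or the OMV plugin: a check for step 2 that reads the subnets out of a CNI conflist and tests a candidate range against the Docker bridge subnets shown in the `iptables` output earlier in the thread. The conflist text is a constructed sample in the standard host-local IPAM layout, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the standard CNI host-local IPAM layout (an assumption,
# not the plugin's real file); the subnet is the podman one from the thread.
SAMPLE_CONFLIST = """
{"cniVersion": "0.4.0", "name": "podman", "plugins": [
  {"type": "ptp",
   "ipam": {"type": "host-local", "ranges": [[{"subnet": "172.16.16.0/24"}]]}},
  {"type": "portmap", "capabilities": {"portMappings": true}}
]}
"""

# Docker bridge subnets, copied from the POSTROUTING MASQUERADE rules in the thread.
DOCKER_SUBNETS = ["172.17.0.0/16", "172.18.0.0/16", "172.19.0.0/16",
                  "172.20.0.0/16", "172.21.0.0/16"]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def conflist_subnets(text):
    """Return every IPAM subnet declared in a CNI conflist (hypothetical helper)."""
    found = []
    for plugin in json.loads(text).get("plugins", []):
        ipam = plugin.get("ipam", {})
        if "subnet" in ipam:                      # older single-subnet form
            found.append(ipaddress.ip_network(ipam["subnet"]))
        for range_set in ipam.get("ranges", []):  # list of range sets
            found.extend(ipaddress.ip_network(r["subnet"]) for r in range_set)
    return found


def check_subnet(candidate, in_use):
    """Return the reasons a candidate subnet is a poor choice; [] means usable."""
    net = ipaddress.ip_network(candidate)
    problems = [f"overlaps {o}" for o in in_use
                if net.overlaps(ipaddress.ip_network(o))]
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append("outside RFC 1918 private address space")
    return problems


if __name__ == "__main__":
    in_use = DOCKER_SUBNETS + [str(n) for n in conflist_subnets(SAMPLE_CONFLIST)]
    # 192.16.16.0/24 is the value from the post; the other two are constructed.
    for candidate in ("172.19.5.0/24", "192.16.16.0/24", "10.89.0.0/24"):
        print(candidate, check_subnet(candidate, in_use) or "ok")
```

On a real host, replace `DOCKER_SUBNETS` with the ranges reported by `docker network inspect` and read the conflist from disk instead of the embedded sample.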
-
> I have this problem also. If the networking rules are the issue, is there a way to work out what the bad rules are and fix them?
> I have other things running in docker so am hoping to use Photoprism through the plugin. Every time I try to do something in Docker I mess it up so hoping to stay clear of that.
> How would one look at the networking rules to work out where it's not working?
> EDIT!!!!!
> I really don't know what I'm doing but I found a solution. Podman and docker are using the same subnet, but docker hijacks the subnet.
> Easy way:
> 1. Make a firewall rule to allow port 2342 (through GUI)
> 2. Change the IP address range in `/etc/cni/net.d/87-podman-ptp.conflist`
> 3. Reboot
> See the link for the proper way to do it. Note: choose a subnet away from what docker uses. I used 192.16.16.0/24

The easy way worked for me so far.
Thanks a lot!
-
-
> Yes. Thank you! I have already done it this way!

Can you share your docker compose file?