The services running in the container do two things that can affect running the container as a non-privileged user with host networking:
- reserved ports are used
- wildcard bind addresses are allowed
The latter also covers IPv6 addresses, which may be unexpected in terms of firewalls.
Specifically, the internal Alertmanager binds to a wildcard, IPv6 address:
web.listen-address=: vs web.listen-address=127.0.0.1: etc
Update the Prometheus and Alertmanager listen addresses in https://github.com/percona/pmm-managed/blob/PMM-2.0/services/supervisord/supervisord.go to 127.0.0.1.
After that change, Prometheus and internal Alertmanager (including STT features) should work as before.
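
One way to check service arguments for the two conditions listed above is sketched below. It is an added example, not code from pmm-managed. The names `Finding`, `Classify` and `Audit` are hypothetical, and the sample flags and ports are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Finding records why a listen address matters on a shared host network (hypothetical type).
type Finding struct {
	Addr     string
	Wildcard bool // empty host, 0.0.0.0 or ::, so every interface is exposed
	Reserved bool // port below 1024, privileged by default on Linux
}

// Classify parses a host:port listen address.
func Classify(addr string) (Finding, error) {
	host, portStr, err := net.SplitHostPort(addr)
	if err != nil {
		return Finding{}, err
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return Finding{}, fmt.Errorf("bad port in %q", addr)
	}
	// ParseIP returns nil for a non-IP host; IsUnspecified is false for nil.
	wild := host == "" || net.ParseIP(host).IsUnspecified()
	return Finding{Addr: addr, Wildcard: wild, Reserved: port < 1024}, nil
}

// Audit returns the web.listen-address flags that need attention.
func Audit(args []string) []Finding {
	var out []Finding
	for _, a := range args {
		parts := strings.SplitN(a, "web.listen-address=", 2)
		if len(parts) != 2 {
			continue
		}
		if f, err := Classify(parts[1]); err == nil && (f.Wildcard || f.Reserved) {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Constructed sample flags; the ports are illustrative, not PMM's.
	args := []string{"--web.listen-address=:9093", "--web.listen-address=127.0.0.1:9093", "--web.listen-address=[::]:443"}
	fmt.Printf("%+v\n", Audit(args))
}
```

Flags whose address cannot be parsed are skipped by `Audit`; call `Classify` directly to see the parse error.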