podman: Port rebinding not working properly for rootless containers within pods?

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Rootless podman doesn’t seem to be able to respect --publish parameter on containers associated with rootless pods.

Steps to reproduce the issue:

Create a rootless pod with podman pod create
Create a new container with podman create, rebinding an existing port, for example --publish 5000:3000.
Other containers in that pod will not be able to access that container at localhost:5000. If the publish flag is omitted, they are available at localhost:3000 for other containers in the pod as you would expect.

Describe the results you received: Containers in a rootless pod could not connect to other containers at either the original port or the remapped port specified in the --publish hostport:containerport argument.

Describe the results you expected: Rootless containers sharing the same pod could have their ports remapped within the context of that pod. This makes it useful when dealing with existing docker images that listen on say, port 80, so that one can rebind them within the pod to a higher port. Currently this only works when they are not in a pod.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      2.0.3
API Version:  1
Go Version:   go1.14.3
Built:        Wed Dec 31 16:00:00 1969
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.19-1.fc32.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.19, commit: 5dce9767526ed27f177a8fa3f281889ad509fea7'
  cpus: 24
  distribution:
    distribution: fedora
    version: "32"
  eventLogger: file
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.7.10-201.fc32.x86_64
  linkmode: dynamic
  memFree: 3707359232
  memTotal: 33604173824
  ociRuntime:
    name: crun
    package: crun-0.14.1-1.fc32.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.14.1
      commit: 598ea5e192ca12d4f6378217d3ab1415efeddefa
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.4-1.fc32.x86_64
    version: |-
      slirp4netns version 1.1.4
      commit: b66ffa8e262507e37fca689822d23430f3357fe8
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 2
  swapFree: 8109944832
  swapTotal: 8589930496
  uptime: 55h 55m 9.62s (Approximately 2.29 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/andrew/.config/containers/storage.conf
  containerStore:
    number: 15
    paused: 0
    running: 14
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.1.2-1.fc32.x86_64
      Version: |-
        fusermount3 version: 3.9.1
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.9.1
        using FUSE kernel interface version 7.31
  graphRoot: /home/andrew/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 41
  runRoot: /run/user/1000/containers
  volumePath: /home/andrew/.local/share/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Wed Dec 31 16:00:00 1969
  GitCommit: ""
  GoVersion: go1.14.3
  OsArch: linux/amd64
  Version: 2.0.3```

**Package info (e.g. output of `rpm -q podman` or `apt list podman`):**

podman-2.0.3-1.fc32.x86_64


**Additional environment details (AWS, VirtualBox, physical, etc.):**

About this issue

Original URL
State: closed
Created 4 years ago
Comments: 18 (10 by maintainers)

Most upvoted comments

Is there no planned way to remap ports within the context of a pod? This seems like a really necessary feature for containers that weren’t necessarily already intended to be in the same “port namespace”. Otherwise good luck trying to easily use containers like Organizr in the same pod as other containers that contain some kind of PHP web service like Heimdall because they will always conflict on the default port, and changing the default port sometimes requires direct image edits and rebuilds. Podman needs to provide a better way, within the scope of pods.

andrew-kennedy on Sep 1, 2020

Right, so I know that only one container can be bound to any one port inside the pod. What I want is for podman to let me “override” the ports the container image “ships with” with my own ports. Many distinct PHP based docker image services by default all bind to the same ports, because they expect you to be using them in a context where you always use the --publish flag and can thus ensure no port binding collision on the host. I want a way to avoid port binding collision in pods regardless of the images I run, without changing those images. Currently there seems to be no simple way to do this.

andrew-kennedy on Aug 1, 2020