podman: adding dynamic port binding using slirp4netns API socket

[muayyad-alsadi]

I'm using podman version 1.1.0, and I'm writing a python script to run docker-compose.yml by creating a pod and launching containers inside it and connect them via --add-host

the following did not work

[alsadi@laptop ~]$ podman pod create --name=mypod
e322ef871af53914b36679362eec7e06ef6c6d6d9b46d5ca908df338ae8db0c4
[alsadi@laptop ~]$ podman run --pod=mypod -p 8080:80 -d busybox busybox httpd -f -p 80
Error: cannot set port bindings on an existing container network namespace

on the other hand the following works fine

[alsadi@laptop ~]$ podman run -p 8080:80 -d busybox busybox httpd -f -p 80

I found the following workaround

[alsadi@laptop ~]$ podman pod create -p 8080:80 -p 6379:6379 --name=mypod2
[alsadi@laptop ~]$ podman run --name=myhttpd --pod=mypod2 -d busybox busybox httpd -f -p 80
[alsadi@laptop ~]$ podman run --name=myredis --pod=mypod2 -d redis:alpine
[alsadi@laptop ~]$ podman exec -ti myhttpd sh -c 'echo "info" | nc localhost 6379'

[tobwen]

Sorry, I can't help you on this, but could you share your Python script? This might be interesting to a huge amount of users. I didn't find it in your repository :(

Update, I can verify this (and the workaround) for this built

Version:            1.2.0-dev
RemoteAPI Version:  1
Go Version:         go1.11.5
Git Commit:         9adcda73892fa0a33cbdf971ad97cf079e8e425f
Built:              Sun Mar  3 04:03:51 2019
OS/Arch:            linux/amd64

[mheon]

I don't know if we want to do this dynamically (it might work for rootless, but wouldn't work when running as root, and I'd prefer not to let the two diverge too much), so I would prefer to make this require a pod restart (to pick up requested port mappings from other containers in the pod) - would that be unacceptable?

[giuseppe]

@mheon yes I agree. We could probably do it for slirp4netns by contacting the socket API but I don't think it is a good idea to diverge from other kind of networks.

[muayyad-alsadi]

Sorry, I can't help you on this, but could you share your Python script?

sure, here it's: muayyad-alsadi/podman-compose.

I don't know if we want to do this dynamically

we can publish ports per container or per pod, I have too modes, I only need one of them to work
currently both do not work, because I can't --add-host per pod and I can't do -p per container.

[giuseppe]

what I did as rootless is:

$ podman pod create -p  8080 -n foo
$ podman run --pod foo alpine nc -l -p 8080

and it works, I could connect to the port assigned to the pod.

Doesn't that work for you?

[muayyad-alsadi]

@giuseppe we need to run multiple containers on same pod, let's say two containers one is busybox
's "httpd -f -p 8080" and the other one is redis:alpine

what I want is to be able to call redis from inside busybox and busybox from redis (inter-container communication), and I need aliases in /etc/hosts for them
for example inside the busybox

echo "info" | nc redis 6379

and from inside redis, let's call busybox

wget http://myweb:8080/

[muayyad-alsadi]

@giuseppe please note it seems that the default in podman pod create is to share network with host

$ podman pod create --help
...
      --share string           A comma delimited list of kernel namespaces the pod will share 
                                      (default "cgroup,ipc,net,uts")

[mheon]

That's indicating containers in the pod will share a network namespace with each other, not with the host.

…

On Tue, Mar 5, 2019, 05:36 Muayyad Alsadi ***@***.***> wrote: @giuseppe <https://github.com/giuseppe> please note it seems that the default in podman pod create is to share network with host $ podman pod create --help ... --share string A comma delimited list of kernel namespaces the pod will share (default "cgroup,ipc,net,uts") — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2503 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AHYHCM808ZT9PXlwXIF-kIJundH-Qvdwks5vTki8gaJpZM4ba_X0> .

[giuseppe]

@giuseppe we need to run multiple containers on same pod, let's say two containers one is busybox
's "httpd -f -p 8080" and the other one is redis:alpine

what I want is to be able to call redis from inside busybox and busybox from redis (inter-container communication), and I need aliases in /etc/hosts for them
for example inside the busybox

echo "info" | nc redis 6379

and from inside redis, let's call busybox

wget http://myweb:8080/

they share the same network namespace, doesn't 127.0.0.1:8080 work?

[mheon]

More than that - they're sharing a network namespace, so they all share a single IP. There's no need for hosts entries?

[muayyad-alsadi]

yes, but I want to run docker-compose.yml unmodified and containers expect to talk via service alias, I added an alias for service that points to 127.0.0.1 please see my other ticket #2504 for details.

[muayyad-alsadi]

That's indicating containers in the pod will share a network namespace with each other, not with the host.

I tried both the defaults and many combinations and nothing worked.

[tobwen]

@muayyad-alsadi Did you have success on this in the meanwhile?

[muayyad-alsadi]

yes, I've two working ways, one of them 1podfw which passes -p to podman pod create

the other working one is cntnet

https://github.com/muayyad-alsadi/podman-compose

[tobwen]

@muayyad-alsadi Very nice, I'll test them soon!

[rhatdan]

@tobwen @muayyad-alsadi What is the latest on this. Can I close this issue?

[muayyad-alsadi]

@rhatdan I don't know, In podman-compose, I'm using podman pod create -p 80:8080 -p ... all at once, instead of per-containers -p.

[rhatdan]

@giuseppe @AkihiroSuda WDYT?

[giuseppe]

I think we can close the issue. Dynamic port binding is out of the scope for Podman (even if it is possible in slirp4netns)