podman expose ports from pod

Created on 25 Jun 2020 · 12 Comments · Source: containers/podman

/kind bug
/kind feature

Description

I need to run sourcegraph on a local repo. For that I need to run https://hub.docker.com/r/sourcegraph/src-expose and then point https://hub.docker.com/r/sourcegraph/server to it.

Because I don't remember all the right settings to make one container access another, I decided to create them in the pod. However, it doesn't work.

  1. I create a pod with all ports exposed to the host for manual inspection.
✗ podman pod create --name srcview -p 127.0.0.1:3434:3434 -p 127.0.0.1:7080:7080 -p 127.0.0.1:3370:3370
4b2f4611fa2cbd60b3899b936368c2b3f4f0f68bc8e6593416e0ab8ecb0a3f1d
  2. But when I try to run a container with exposed ports inside it, podman fails.
✗ podman run --pod srcview --name src-expose -p 3434:3434 -v "${PWD}:/var/opt/localrepo":Z,ro sourcegraph/src-expose:latest serve /var/opt/localrepo
Error: cannot set port bindings on an existing container network namespace

Output of podman version:

Version:            1.9.3
RemoteAPI Version:  1
Go Version:         go1.14.2
OS/Arch:            linux/amd64

Output of podman info --debug:

(paste your output here)

All 12 comments

All containers in the pod share its network namespace, and thus ports forwarded to it. We need to improve the documentation for this.

That is to say, generally speaking - if you have port 3434 forwarded to the pod, all containers in the pod can use port 3434, since they are all sharing a network stack. You do not need to add the port binding to individual containers in the pod.

Pod network stacks act like the network stack on the host - you have a variety of containers in the pod, and programs in the container, all sharing a single interface and IP address, and associated ports. If one container binds to a port, no other container can use that port within the pod while it is in use. Containers in the pod can also communicate over localhost by having one container bind to localhost in the pod, and another connect to that port.
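
The port-sharing behaviour described above, as an added illustration that is not part of the original thread and is not podman code. It assumes that sockets opened in one process can stand in for containers of one pod, since both cases share a single network stack; the function names are hypothetical.

```python
import errno
import socket

# Assumption for this sketch: every socket opened in this one process stands in
# for a container in the same pod, because they all share one network stack
# (one loopback interface, one port space), as pod members do.


def listen_on(port=0):
    """Bind and listen on 127.0.0.1:port, like a service in one pod container."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
    except OSError:
        s.close()
        raise
    s.listen(1)
    return s


def demo_shared_port_space():
    results = {}
    a = listen_on()                      # "container A"; kernel picks a free port
    port = a.getsockname()[1]

    # "Container B" tries the same port while A holds it: the bind fails with
    # EADDRINUSE, exactly as it would for two processes on one host.
    try:
        listen_on(port).close()
        results["second_bind"] = "ok"
    except OSError as exc:
        results["second_bind"] = errno.errorcode[exc.errno]

    # Once A releases the port, B can take it.
    a.close()
    b = listen_on(port)
    results["bind_after_release"] = "ok"

    # Another pod member reaches B over localhost; no published port involved.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        conn, _ = b.accept()
        with conn:
            client.sendall(b"ping")
            results["received"] = conn.recv(4)
    b.close()
    return results


if __name__ == "__main__":
    print(demo_shared_port_space())
```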

I can confirm this makes the container in the pod accessible at http://127.0.0.1:3434/ from the host.

podman pod create --name srcview -p 127.0.0.1:3434:3434 -p 127.0.0.1:7080:7080 -p 127.0.0.1:3370:3370
podman run --pod srcview --name src-expose -v "${PWD}:/var/opt/localrepo":Z,ro sourcegraph/src-expose:latest serve /var/opt/localrepo

No need to expose ports with the run command. That's nice.

There are still a lot of errors, but that's a problem with the src-expose binary.

@abitrolly @mheon Could one of you update the podman pod create/run man page with documentation similar to what @mheon wrote above?

@rhatdan there are still magical bugs occurring to me with this. Sometimes the new container just could not bind, or did not appear on the host. I didn't have time to debug to report it properly. Maybe an improved message about why binding failed, including the id and name of the container occupying the port, would help to better understand what's going on in the middle of a crisis.

podman ps -a also shows this dangling container in the misbehaving pod.

$ podman ps -a
CONTAINER ID  IMAGE                 COMMAND  CREATED     STATUS         PORTS                     NAMES
b7b0edf50334  k8s.gcr.io/pause:3.2           3 days ago  Up 3 days ago  127.0.0.1:3370->3370/tcp  88317e5200ee-infra

I also need to see the name of the pod in the output.

Adding -p to the ps command will include pod names when applicable.

The interface needs to address the need to understand which ports are exposed by the pod, and how they are connected to containers in that pod.

A friendly reminder that this issue had no activity for 30 days.

@abitrolly What is the current state of this issue?

@rhatdan I guess nobody is writing the docs.

@TomSweeneyRedHat Can you take care of this?

Fixed by Tom, closing
