cockpit-podman
host networking support
It would be nice to be able to specify that a container should be run with host networking instead of having to map ports. This is necessary for things like Plex, Minecraft, etc., which need to do UDP broadcasts for network discoverability as well as opening extra ports on demand.
Could you specify how this would be done on command line?
podman run -d --network=host some_image_name
This way the container uses the host's ports directly.
I would suggest when using a rootless user container to follow the official docs as they provide safer methods.
(This requires the crun runtime along with the other dependencies mentioned.)
If you don't care about networking multiple containers you can use the loopback method:
podman run -d --network=slirp4netns:allow_host_loopback=true examplepod
If you have multiple rootless containers you'd want in their own LAN you'd use one of the two port_handler arguments.
Using the rootlesskit option is similar to a network bridge or tap, which requires root or host networking permissions.
podman run -d --network=slirp4netns:port_handler=rootlesskit examplepod
The slirp4netns option itself doesn't require anything beyond user permission, but it has some drawbacks in performance and is unable to use custom namespaces while handling ports.
podman run -d --network=slirp4netns:port_handler=slirp4netns examplepod
Edit:
I wanted to reference more in depth the caution that should be taken when using the host network method.
Podman documentation also notes that rootless containers using the host network have access to other host system ports.
My following request might be a duplicate of this one, yet it is a bit enhanced: I would like to integrate the whole network management possibility to cockpit-podman. https://docs.podman.io/en/latest/markdown/podman-network.1.html I am specifically interested in connecting to certain networks using a specific IP. Probably even create Networks like IP Vlans: https://docs.docker.com/network/ipvlan/
@2relativ: I think that's quite different from this issue.
At first glance it is similar to how cockpit-machines handles networking, but I have not yet had my daily dose of coffee this morning, so I might be wrong. :wink:
In other words, the way I understand it (at the moment), we'd need:
- a network section somewhere (Cockpit-Machines has this as a card at the top, with a sub-page)
- with creation
- and management of networks
- and a way to select networks in container creation
- and also a way to select the networks in pod creation
This would really need a separate issue filed. That's a lot more work and it's quite different from this even though they're both networking and podman container related.
As for this particular issue, we'd probably want to add something to the integration tab of the container create modal dialog, likely a switch of some sort between port mapping and direct host networking.
However, with direct host networking, there are caveats, right?
- only for rootless containers
- can only use unprivileged ports (1024 and above)
- What happens when the software in the container tries to access a privileged port? Does it just fail or is it auto-mapped somehow? I'm thinking of port 80 or 22 specifically (but anything lower than 1024 could have this issue).
- performance penalty (mentioned above)
- weakened security (also mentioned above)
We would have to message items 2 - 4. And only show the option for rootless containers.
It could be something like:
○ Port mapping ● Host mode 🛈
And the 🛈 would have a popover with the explanation with some polished-up text stating when you'd use this and the above issues.
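As an added example (not cockpit-podman code, and not from any participant in this thread), the shell function below builds the `podman run` networking arguments for the modes discussed above (port mapping, `--network=host`, and the two slirp4netns `port_handler` variants) and enforces the rootless caveat raised in the list: a rootless container cannot bind a privileged host port (below 1024) under the kernel's default `net.ipv4.ip_unprivileged_port_start`, so such a request is rejected with an explanatory message instead of failing later at container start. The function only prints the argument string and never invokes podman; the `rootless` flag is passed explicitly rather than derived from `id -u` so the behaviour is deterministic. The port numbers in the demo calls at the bottom are constructed sample values.

```shell
#!/bin/sh
# Added example: assemble podman networking arguments for the dialog modes
# discussed in this issue and reject the rootless privileged-port case.
#
# podman_net_args ROOTLESS MODE [PORT_SPEC...]
#   ROOTLESS   1 if the container runs as a rootless user, 0 if run as root
#   MODE       map         -> port mapping with -p host:container (default)
#              host        -> --network=host (container binds host ports itself)
#              rootlesskit -> --network=slirp4netns:port_handler=rootlesskit
#              slirp4netns -> --network=slirp4netns:port_handler=slirp4netns
#   PORT_SPEC  host:container pairs (e.g. 8080:80); in host mode a bare port
#              is enough, since the host port and the container port coincide
# Prints the argument string on success, prints a message on stderr and
# returns 1 on an invalid spec or a rootless privileged-port request.
podman_net_args() {
    rootless=$1
    mode=$2
    shift 2
    args=""
    case "$mode" in
        map)         args="" ;;
        host)        args="--network=host" ;;
        rootlesskit|slirp4netns)
                     args="--network=slirp4netns:port_handler=$mode" ;;
        *)           echo "unknown network mode: $mode" >&2; return 1 ;;
    esac
    for spec in "$@"; do
        # The host-side port is everything before the first ':'
        hostport=${spec%%:*}
        case "$hostport" in
            ''|*[!0-9]*) echo "bad port spec: $spec" >&2; return 1 ;;
        esac
        # Rootless podman cannot bind ports below 1024 on the host by default
        # (net.ipv4.ip_unprivileged_port_start); this applies both to -p
        # mappings and to host mode, where the container binds directly.
        if [ "$rootless" -eq 1 ] && [ "$hostport" -lt 1024 ]; then
            echo "rootless container cannot bind privileged host port $hostport" >&2
            return 1
        fi
        # In host mode -p is meaningless: the container's own listening
        # ports appear on the host, so no mapping argument is emitted.
        [ "$mode" = host ] && continue
        args="$args -p $spec"
    done
    # Strip the leading space left by the first "-p" append
    printf '%s\n' "${args# }"
}

# Demo calls (sample port numbers, constructed for this example):
podman_net_args 1 host 32400
podman_net_args 1 map 32400:32400
podman_net_args 1 rootlesskit 8080:80 8443:443
```

Dropping the privileged-port case as an error rather than a warning mirrors the "message items 2-4" point above: the dialog would show the explanation before the user commits to a configuration that podman itself will refuse at start time.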
Thank you. Will do.