Description
/kind feature
Right now we can publish a container's port, or range of ports, to the host using `podman create … --publish [ip:][hostPort:]containerPort …` (et al.). Even though we can indeed bind to a single IP address, we can't limit the binding to a single interface (using `SO_BINDTODEVICE`, see socket(7)). I suggest adding an option to support this, e.g. `--publish [ip:][hostPort:]containerPort[@interface]`.
Reasoning
Binding to an interface is used to limit the listener's scope to a single network interface, which can get quite important in VLAN setups. As we all know, this is different to listening to a single IP address, which can in fact be used on multiple network interfaces at the same time.

However, personally I have another use case in mind: to better utilize `0.0.0.0` resp. `::`. If I try publishing port 53 of a container running a DNS server, it will fail with a "bind: address already in use" error. This is expected behaviour, because Podman's `dnsname` plugin will start a Dnsmasq instance listening on `0.0.0.0:53`, limited to the virtual network interface. Thus we can't bind to `0.0.0.0` on all network interfaces, simply because the address is indeed partially in use by Podman's Dnsmasq. However, this doesn't have to be: if we could tell Podman to limit binding to a single interface using `SO_BINDTODEVICE`, we could indeed publish the container's port to `0.0.0.0:53`, just limited to another device, e.g. `enp1s0`. The option could be used like `podman create … --publish 53:53@enp1s0 …`.
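The conflict described above can be reproduced directly at the socket level, without Podman or Dnsmasq. The script below is an added example, not Podman's code: it holds one UDP listener on `0.0.0.0:PORT` (either unscoped, or scoped to an interface with `SO_BINDTODEVICE`) and checks whether a second listener on the same address and port can coexist. It generalizes the issue's case slightly by probing all four combinations (unscoped/scoped on the same or a different interface). It assumes Linux, an ephemeral port instead of 53 (so no `CAP_NET_BIND_SERVICE` is needed), `lo` as the first interface and whatever other interface the host reports as the second; the names `bind_udp`, `second_bind_succeeds` and `conflict_matrix` are this example's own.

```python
"""Probe whether two UDP listeners on 0.0.0.0:port can coexist on Linux,
depending on whether each is scoped to an interface with SO_BINDTODEVICE.
Constructed example; not part of Podman or dnsmasq."""
import errno
import socket

# Linux value of SO_BINDTODEVICE (see socket(7)); Python exposes it on Linux,
# the literal is a fallback in case the constant is missing.
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)


def bind_udp(port, device=None):
    """Create a UDP socket bound to 0.0.0.0:port.

    If `device` is given, the socket is first scoped to that interface with
    SO_BINDTODEVICE (needs CAP_NET_RAW on kernels before 5.7).  No
    SO_REUSEADDR is set, so this mirrors an ordinary server bind.
    Raises OSError from setsockopt()/bind(); the socket is closed on failure.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if device is not None:
            s.setsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE, device.encode())
        s.bind(("0.0.0.0", port))
    except OSError:
        s.close()
        raise
    return s


def free_udp_port():
    """Ask the kernel for a currently unused UDP port (demo helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", 0))
        return s.getsockname()[1]


def other_interface():
    """Name of some interface other than lo, or None if the host has none."""
    for _, name in socket.if_nameindex():
        if name != "lo":
            return name
    return None


def second_bind_succeeds(port, first_dev, second_dev):
    """Hold a listener on 0.0.0.0:port (scoped to first_dev, or unscoped when
    None) and report whether a second listener (scoped to second_dev) can be
    bound alongside it.

    Returns True/False, or None when the scoped bind itself is not permitted
    here (no such interface, or no privilege for SO_BINDTODEVICE)."""
    try:
        first = bind_udp(port, first_dev)
    except OSError:
        return None
    try:
        second = bind_udp(port, second_dev)
    except OSError as e:
        # EADDRINUSE is the "bind: address already in use" from the issue.
        return False if e.errno == errno.EADDRINUSE else None
    finally:
        first.close()
    second.close()
    return True


def conflict_matrix(port):
    """The four combinations the issue is about, for one port."""
    other = other_interface()
    return {
        # plain port publish next to a plain port publish: always a conflict
        "unscoped + unscoped": second_bind_succeeds(port, None, None),
        # dnsmasq-style listener scoped to one interface vs. an unscoped
        # publish of the same port: still a conflict (the issue's failure)
        "scoped(lo) + unscoped": second_bind_succeeds(port, "lo", None),
        # both scoped to the same interface: conflict
        "scoped(lo) + scoped(lo)": second_bind_succeeds(port, "lo", "lo"),
        # scoped to two different interfaces: both binds succeed, which is
        # what --publish ...@interface would make possible
        "scoped(lo) + scoped(other)": (
            second_bind_succeeds(port, "lo", other) if other else None
        ),
    }


if __name__ == "__main__":
    for label, ok in conflict_matrix(free_udp_port()).items():
        state = {True: "coexist", False: "EADDRINUSE", None: "n/a"}[ok]
        print(f"{label:28s} -> {state}")
```

Run it as root (or on a kernel of 5.7 or newer as an unprivileged user) to see the `scoped(lo) + scoped(other)` row come out as `coexist` while the other three rows report `EADDRINUSE`; that is the difference between binding to an address and binding to an interface that the request above relies on.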
Side note
Isn't the documentation lacking info about limiting the protocol with `--publish ip:hostPort:containerPort/protocol`, e.g. `80:80/tcp`? (edit: Fixed in #14451)