Wrong host ports are generated (the port number is always 49153)

[zhan9san]

Description

The nerdctl will always use tcp port 49153 as a random port if hostport is not set when using -p/--publish flag.

Multiple rule will be created in iptable nat tables as well

sudo iptables -nvL -t nat

Steps to reproduce the issue

Multiple containers

x@build-ubuntu-01:~$ sudo nerdctl run --cni-path=/opt/cni/bin -d -p 80 --name nginx-1 nginx
90de08eaa44da1b62dc1495f8fd1ef0b35e1657d63d5e08032ac71452e5b12a4
x@build-ubuntu-01:~$ sudo nerdctl run --cni-path=/opt/cni/bin -d -p 80 --name nginx-2 nginx
2adc259619176c4f2794ddc6dfde3c9d2c45e74b75c6a5a1bab0e73ab8e6920f
x@build-ubuntu-01:~$ sudo nerdctl port nginx-1
80/tcp -> 0.0.0.0:49153
x@build-ubuntu-01:~$ sudo nerdctl port nginx-2
80/tcp -> 0.0.0.0:49153

One container with multiple ports

x@build-ubuntu-01:~$ sudo nerdctl run --cni-path=/opt/cni/bin -d -p 80,81 --name nginx-3 nginx
ab075107d48ed3d54d08935351156c5b8880799112be5bb6a651e0e8e3fb6b54
x@build-ubuntu-01:~$ sudo nerdctl port nginx-3
80/tcp -> 0.0.0.0:49153
81/tcp -> 0.0.0.0:49153

compose

If multiple ports are defined without host ports in compose file, the same issue will occur.

Describe the results you received and expected

The auto-generated ports are available.

What version of nerdctl are you using?

$ nerdctl --version
nerdctl version 1.0.0

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

No response

Host information

$ sudo nerdctl info
Client:
 Namespace:	default
 Debug Mode:	false

Server:
 Server Version: 1.4.12
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Log: fluentd journald json-file syslog
  Storage: aufs native overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-90-generic
 Operating System: Ubuntu 20.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.39GiB
 Name: build-ubuntu-01
 ID: a2c61eb4-be6e-45d9-ba8e-a9933e17bf9a

WARNING: No swap limit support

[zhan9san]

Could you plz assign this issue to me?

I am glad to fix it.

[zhan9san]

@Zheaoli

Do we need to make allocation on server side(containerd) instead of client side(nerdctl)?

I read some code snippet in docker(moby)/docker cli and find that if the hostport is not set(e.g. 127.0.0.1::80) in client side, it will be left as it is, and passed to server side, finally, docker daemon will allocate the random ports.

Reference:

no allocation in docker cli:

https://github.com/docker/cli/blob/de52868abb7512c4b73e8e080c231fb0b424a573/vendor/github.com/docker/go-connections/nat/nat.go#L178-L214

allocation in moby
https://github.com/moby/moby/blob/8bb58153e75b4310f3ae9ec6d03924aa286fbf20/libnetwork/drivers/bridge/port_mapping.go#L156-L167

Set hostport to 0 in podman and make allocation on the server side of Specgen

https://github.com/containers/podman/blob/d2024163021b369b6fcbc98ceedf940212d9f2f1/pkg/specgenutil/util.go#L192-L205

---

If we make allocation on server side,

PROS

Other containerd client will support random ports feature as well.

CONS

It will make containerd more complicated if it acts as a kubernetes container runtime.

It is useless because ports.hostIP is informational only.

https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#ports

[AkihiroSuda]

Server-side implementation will take a time to reach consensus, so this should be on the client side