Allowing rootless containers to be binded to a specific IP #6064

Closed
Diniboy1123 opened this issue May 1, 2020 · 7 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. stale-issue

Comments

@Diniboy1123

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

By the nature of POSIX it's impossible to bind an application to a specific interface as far as I know, especially if one user doesn't have root. Though it should be possible to send the container traffic to a specific IP address.

In my case the goal would be to have all the container traffic sent through a wg0 WireGuard VPN interface that always gets the same static IP and can be used without root by tools like curl simply. Assuming it would just work fine by redirecting slirp4netns traffic there. But I couldn't find an option for that.

Steps to reproduce the issue:

Not relevant by the nature of the FR.

Describe the results you received:

Not relevant by the nature of the FR.

Describe the results you expected:

Not relevant by the nature of the FR.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Any should be fine.

Output of podman info --debug:

Package info (e.g. output of rpm -q podman or apt list podman):

Additional environment details (AWS, VirtualBox, physical, etc.): Physical host machine running Fedora 31.

@openshift-ci-robot openshift-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label May 1, 2020
@5eraph
Contributor

5eraph commented May 4, 2020

Hi, I was working on this rootless-containers/slirp4netns#200 and it should be included in slirp4netns v1.1.0.

Although we will have to integrate some way with libpod and I am not sure how. slirp4netns options are currently not directly exposed - libpod rather calls preferred options on its own.

We need to expose slirp4netns in a non-intrusive way and possibly even expose iptables POSTROUTE to provide this feature for non rootless containers as well.

I assume we could extend ContainerNetworkConfig to hold outbound addresses and expose them through flags. But I am not sure whether it is a breaking change considering the standards libpod follows.

I would like to hear some thoughts and suggestions from contributors.

@mheon
Member

mheon commented May 4, 2020

I think we're at the point of needing an extra flag on podman run for extra network configuration, as seen by the PR to switch rootless port forwarding backend from @aleks-mariusz - a podman run --network-opt KEY=VALUE might be appropriate here, to pass general network configuration into the container without further polluting the incredibly complicated parsing of --network

@rhatdan
Member

rhatdan commented May 4, 2020

Yes I agree this calls for another option.

@5eraph
Contributor

5eraph commented May 4, 2020

Great thanks, I like podman run --network-opt KEY=VALUE. I will look into exposing outbound addresses like that. (assuming other options may be ported over time as necessary)

I will wait for merge of #6025.

@github-actions

github-actions bot commented Jun 5, 2020

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Jun 5, 2020

@5eraph We are ready to merge those PRs with a simple fix, but we need action by the creator of the PR.

@5eraph
Contributor

5eraph commented Jul 29, 2020

Hi @rhatdan, sorry for the late response, I have a super busy summer. I will try to look into this in August, although no promises. 😟

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023