On 2/23/22 12:21, Paul Holzinger wrote:
[Note: you didn't send this to the list, I guess it's by accident, but
I'm answering in private just in case -- if it's really by accident,
I'll also answer on list ;)]
That was by accident, let me put this back into the list.
So, to recap, I guess the to-do list is:
- drop automatic port bindings (both ways) in default configuration
options passed by Podman
- drop also the loopback trick (by default)
- add option to bind ports to specific addresses, per-port
...anything else? I would wait a couple more days for any
additional feedback and then come back with the changes.
I think one big question would be packaging passt/pasta in distros. I
don't think it is a good user experience when users cannot get this
from the official repos.
Yes, we would want this packaged up for at least Fedora to move forward.
Dan, Brent, Matt, Giuseppe WDYT?
On Wed, Feb 23, 2022 at 5:46 PM Stefano Brivio <sbrivio(a)redhat.com> wrote:
[Note: you didn't send this to the list, I guess it's by accident, but
I'm answering in private just in case -- if it's really by accident,
I'll also answer on list ;)]
On Wed, 23 Feb 2022 16:35:54 +0100
Paul Holzinger <pholzing(a)redhat.com> wrote:
> >
> > Perhaps it would be reasonable to make it non-default in the options
> > passed by Podman ("-t none -u none" if no ports are passed), and keep
> > it the default in pasta (it saves some typing).
>
> That would be fine, I don't care about the pasta default; as long as podman
> uses the secure option by default, this is fine for me.
Okay, I'll change that in the patch (and in the demo).
> > Perhaps we could also allow restricting the amount of ports (say, five)
> > that can be bound automatically. Would something like that be preferable
> > as default?
>
> I don't think this helps much, we should only add ports that were
> explicitly set with podman run -p ...
> A container should not be able to alter the host by default.
>
> > The interface isn't really shared, but yes, ports can be directly bound
> > both ways.
>
> I see, I got confused because reverse mapping was working.
>
>
> Another question, does pasta support binding only a specific host address?
> I only see the port:port syntax in the man page. In podman you can do -p
> ipv4:port:port or [ipv6]:port:port.
Not explicitly: one can pass a host interface that's used to source the
address -- by default, that's the interface with the first returned
least-specific route for IPv4, i.e. the default gateway, or for IPv6 if
IPv4 is disabled/not available.
Addresses can also be overridden with "-a" (separately for IPv4 and IPv6) --
and the configured address will be used.
...but not with different per-port addresses. I can definitely add an
option for that.
Now, passt doesn't use dynamic memory allocation (for security reasons), so
I'll need to move the binding routines to the command line argument parsing
stage (ports are stored as bitmaps, I can't store an arbitrary number of
addresses), but it's a quick change.
So, to recap, I guess the to-do list is:
- drop automatic port bindings (both ways) in default configuration
options passed by Podman
- drop also the loopback trick (by default)
- add option to bind ports to specific addresses, per-port
...anything else? I would wait a couple more days for any
additional feedback and then come back with the changes.
--
Stefano
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
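The two design points in Stefano's message above (ports kept in bitmaps with no dynamic allocation, and per-port host addresses resolved at option-parsing time) as an added, self-contained example. This is not passt/pasta or Podman code: the spec grammar (hport:cport, ipv4:hport:cport, [ipv6]:hport:cport, modelled on podman's -p syntax quoted in the thread), the MAX_BOUND cap, and the function names fwd_add/fwd_lookup are all assumptions made for the example. The table starts empty, so nothing is forwarded unless a port was explicitly published, which is the "secure default" Paul asks for; a host port that is already bound for the same address family is rejected rather than silently shadowed.

```c
/* Added example, not passt/pasta or Podman code. Fixed-size table of
 * per-port forwarding bindings, parsed from podman-style "-p" specs.
 * Grammar assumed here: hport:cport | ipv4:hport:cport | [ipv6]:hport:cport
 * MAX_BOUND is a hypothetical cap chosen so that no malloc() is needed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define PORT_WORDS (65536 / 64)
#define MAX_BOUND 32

enum { FAM_V4 = 0, FAM_V6 = 1 };

struct binding {
    uint16_t host_port, ctr_port;
    int af;                          /* AF_INET, AF_INET6, or 0 = any address */
    union { struct in_addr v4; struct in6_addr v6; } addr;
};

struct fwd_table {
    uint64_t bound[2][PORT_WORDS];   /* host ports bound, one bitmap per family */
    struct binding b[MAX_BOUND];
    unsigned count;                  /* starts at 0: nothing is forwarded */
};

static int port_is_set(const uint64_t *map, uint16_t p)
{
    return (map[p / 64] >> (p % 64)) & 1;
}

static int parse_port(const char *s, uint16_t *out)
{
    char *end;
    long v = strtol(s, &end, 10);

    if (*s == '\0' || *end != '\0' || v < 1 || v > 65535)
        return -1;
    *out = (uint16_t)v;
    return 0;
}

/* 0 on success, -1 malformed spec, -2 table full, -3 host port already
 * bound for that address family (would otherwise shadow the earlier one). */
int fwd_add(struct fwd_table *t, const char *spec)
{
    struct binding b = { 0 };
    char buf[128], *host, *ctr;
    int fams[2], nfam = 0, i;

    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);

    if (buf[0] == '[') {                          /* [ipv6]:hport:cport */
        char *close = strchr(buf, ']');

        if (!close || close[1] != ':')
            return -1;
        *close = '\0';
        if (inet_pton(AF_INET6, buf + 1, &b.addr.v6) != 1)
            return -1;
        b.af = AF_INET6;
        host = close + 2;
        fams[nfam++] = FAM_V6;
    } else {
        char *c1 = strchr(buf, ':');
        char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;

        if (!c1)
            return -1;
        if (c2) {                                 /* ipv4:hport:cport */
            *c1 = '\0';
            if (inet_pton(AF_INET, buf, &b.addr.v4) != 1)
                return -1;
            b.af = AF_INET;
            host = c1 + 1;
            fams[nfam++] = FAM_V4;
        } else {                                  /* hport:cport, any address */
            host = buf;
            fams[nfam++] = FAM_V4;
            fams[nfam++] = FAM_V6;
        }
    }

    ctr = strchr(host, ':');
    if (!ctr)
        return -1;
    *ctr++ = '\0';
    if (parse_port(host, &b.host_port) || parse_port(ctr, &b.ctr_port))
        return -1;

    if (t->count >= MAX_BOUND)
        return -2;
    for (i = 0; i < nfam; i++)
        if (port_is_set(t->bound[fams[i]], b.host_port))
            return -3;
    for (i = 0; i < nfam; i++)
        t->bound[fams[i]][b.host_port / 64] |= 1ULL << (b.host_port % 64);
    t->b[t->count++] = b;
    return 0;
}

/* Binding for an inbound host connection on (af, host_port), or NULL if
 * that port was never explicitly published: the bitmap check is O(1). */
const struct binding *fwd_lookup(const struct fwd_table *t, int af,
                                 uint16_t host_port)
{
    unsigned i;

    if (!port_is_set(t->bound[af == AF_INET6 ? FAM_V6 : FAM_V4], host_port))
        return NULL;
    for (i = 0; i < t->count; i++)
        if (t->b[i].host_port == host_port &&
            (t->b[i].af == 0 || t->b[i].af == af))
            return &t->b[i];
    return NULL;
}

int main(void)
{
    /* Constructed sample specs, as a user would pass them with -p */
    const char *specs[] = { "8080:80", "127.0.0.1:2222:22",
                            "[::1]:2222:22", "2222:22", "70000:80" };
    struct fwd_table t = { 0 };
    size_t i;

    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
        printf("%-20s -> %d\n", specs[i], fwd_add(&t, specs[i]));
    return 0;
}
```

Binding the same host port on an IPv4 address and on an IPv6 address is allowed because the bitmaps are kept per family; a wildcard spec marks both, so it conflicts with either. Everything lives in one fixed-size struct, so the table can be filled while parsing arguments and never touched by an allocator afterwards.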