[Just for the record, original email sent to Paul, also missing in
On Wed, 23 Feb 2022 16:35:54 +0100
Paul Holzinger <pholzing(a)redhat.com> wrote:
> Perhaps it would be reasonable to make it non-default in the options
> passed by Podman ("-t none -u none" if no ports are passed), and keep
> it the default in pasta (it saves some typing).
That would be fine; I don't care about the pasta default. As long as podman
uses the secure option by default, this is fine for me.
Okay, I'll change that in the patch (and in the demo).
> Perhaps we could also allow restricting the amount of ports
> that can be bound automatically. Would something like that preferable as
I don't think this helps much, we should only add ports that were
explicitly set with podman run -p ...
A container should not be able to alter the host by default.
> The interface isn't really shared, but yes, ports can be directly bound
> both ways.
I see, I got confused because reverse mapping was working.
Another question, does pasta support binding only a specific host address?
I only see the port:port syntax in the man page. In podman you can do -p
ipv4:port:port or [ipv6]:port:port.
Not explicitly: one can pass a host interface that's used to source the
address -- by default, that's the interface with the first returned
least-specific route for IPv4, i.e. the default gateway, or for IPv6 if
IPv4 is disabled/not available.
Addresses can also be overridden with "-a" (separately for IPv4 and
IPv6) -- and the configured address will be used.
...but not with different per-port addresses. I can definitely add an
option for that.
Now, passt doesn't use dynamic memory allocation (for security
reasons), so I'll need to move the binding routines to the command line
argument parsing stage (ports are stored as bitmaps, I can't store an
arbitrary number of addresses), but it's a quick change.
So, to recap, I guess the to-do list is:
- drop automatic port bindings (both ways) in default configuration
options passed by Podman
- drop also the loopback trick (by default)
- add option to bind ports to specific addresses, per-port
...anything else? I would wait a couple more days for any
additional feedback and then come back with the changes.
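As an added illustration of the constraint mentioned above (ports kept as a bitmap, no dynamic allocation, so per-port addresses need a fixed-size table filled at argument-parsing time), here is a small C sketch written for this thread. It is not passt/pasta's code: the spec syntax (borrowed from Podman's `-p ipv4:port:port` / `[ipv6]:port:port`), the `MAX_BINDS` bound, and every name in it are assumptions.

```c
/*
 * Added example, not passt/pasta's implementation: a fixed-size port bitmap
 * plus a bounded table of per-port bind addresses, filled from Podman-style
 * port specs at argument-parsing time. MAX_BINDS and all names are assumed.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define PORT_BITMAP_BYTES (65536 / 8)   /* one bit per TCP/UDP port */
#define MAX_BINDS 32                    /* assumed fixed bound: no heap growth */

struct bind_entry {
	int family;             /* AF_UNSPEC (default address), AF_INET or AF_INET6 */
	unsigned char addr[16]; /* in_addr or in6_addr bytes when family != AF_UNSPEC */
	uint16_t host_port;
	uint16_t guest_port;
};

struct port_config {
	unsigned char bitmap[PORT_BITMAP_BYTES]; /* host ports to forward */
	struct bind_entry binds[MAX_BINDS];      /* per-port addresses, fixed table */
	unsigned int n_binds;
};

static void port_set(unsigned char *bm, uint16_t port)
{
	bm[port / 8] |= (unsigned char)(1u << (port % 8));
}

int port_isset(const unsigned char *bm, uint16_t port)
{
	return (bm[port / 8] >> (port % 8)) & 1;
}

/* Parse a decimal port in 1..65535; 0 on success, -1 otherwise. */
static int parse_port(const char *s, uint16_t *out)
{
	char *end;
	unsigned long v;

	if (!*s)
		return -1;
	v = strtoul(s, &end, 10);
	if (*end || v < 1 || v > 65535)
		return -1;
	*out = (uint16_t)v;
	return 0;
}

/*
 * Accept "HOST:GUEST", "A.B.C.D:HOST:GUEST" or "[v6addr]:HOST:GUEST".
 * Returns 0 on success, -1 on a malformed spec, -2 when the fixed table
 * is full: with no allocation, the caller has to fail rather than grow.
 */
int add_port_spec(struct port_config *cfg, const char *spec)
{
	char buf[256], *p = buf, *addr = NULL, *host, *guest;
	struct bind_entry e;

	if (strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);
	memset(&e, 0, sizeof(e));
	e.family = AF_UNSPEC;

	if (*p == '[') {                             /* bracketed IPv6 address */
		char *close = strchr(p, ']');

		if (!close || close[1] != ':')
			return -1;
		*close = '\0';
		addr = p + 1;
		p = close + 2;
		e.family = AF_INET6;
	} else {
		char *first = strchr(p, ':');

		if (first && strchr(first + 1, ':')) {  /* two colons: IPv4 prefix */
			*first = '\0';
			addr = p;
			p = first + 1;
			e.family = AF_INET;
		}
	}

	host = p;
	guest = strchr(p, ':');
	if (!guest)
		return -1;
	*guest++ = '\0';
	if (parse_port(host, &e.host_port) || parse_port(guest, &e.guest_port))
		return -1;
	if (addr && inet_pton(e.family, addr, e.addr) != 1)
		return -1;
	if (cfg->n_binds >= MAX_BINDS)
		return -2;

	cfg->binds[cfg->n_binds++] = e;
	port_set(cfg->bitmap, e.host_port);
	return 0;
}

/* Entry recorded for a forwarded host port, or NULL if not forwarded. */
const struct bind_entry *find_bind(const struct port_config *cfg, uint16_t host_port)
{
	unsigned int i;

	if (!port_isset(cfg->bitmap, host_port))
		return NULL;
	for (i = 0; i < cfg->n_binds; i++)
		if (cfg->binds[i].host_port == host_port)
			return &cfg->binds[i];
	return NULL;
}
```

The bitmap keeps the quick "is this port forwarded?" test, while the address table is bounded up front so the parser fails loudly on the 33rd spec instead of allocating; an unbracketed IPv6 address such as `::1:8080:80` is rejected as ambiguous, which is why the bracket form is required.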