Merge pull request #26664 from ninja-quokka/improve_--network_path_warning

Improve handling of --publish and incompatible NetNS modes

docs/source/markdown/options/publish.md

@@ -22,5 +22,5 @@ If it is not, the container port is randomly assigned a port on the host.
 
 Use **podman port** to see the actual mapping: `podman port $CONTAINER $CONTAINERPORT`.
 
-Note that the network drivers `macvlan` and `ipvlan` do not support port forwarding,
-therefore this option will have no effect on such networks.
+Port publishing is only supported for containers utilizing their own network namespace
+through `bridge` networks, or the `pasta` and `slirp4netns` network modes.

pkg/specgen/generate/container.go

@@ -351,11 +351,13 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 		return warnings, err
 	}
 
-	// Warn on net=host/container/pod/none and port mappings.
-	if (s.NetNS.NSMode == specgen.Host || s.NetNS.NSMode == specgen.FromContainer ||
-		s.NetNS.NSMode == specgen.FromPod || s.NetNS.NSMode == specgen.NoNetwork) &&
-		len(s.PortMappings) > 0 {
-		warnings = append(warnings, "Port mappings have been discarded as one of the Host, Container, Pod, and None network modes are in use")
+	// Warn if NetNS mode is not compatible with PorMappings
+	if len(s.PortMappings) > 0 {
+		nsMode := s.NetNS.NSMode
+		if nsMode != "" && !isPortMappingCompatibleNetNSMode(nsMode) {
+			warnings = append(warnings,
+				fmt.Sprintf("Port mappings have been discarded because \"%s\" network namespace mode does not support them", nsMode))
+		}
 	}
 
 	if len(s.ImageVolumeMode) == 0 {
@@ -624,3 +626,15 @@ func CheckName(rt *libpod.Runtime, n string, kind bool) string {
 	}
 	return n
 }
+
+// isPortMappingCompatibleNetNSMode validates if mode of the provided
+// Namespace mode is compatible with port mappings.
+// Note: Update `podman run --publish | -p` docs when modifying this function.
+func isPortMappingCompatibleNetNSMode(nsMode specgen.NamespaceMode) bool {
+	switch nsMode {
+	case specgen.Bridge, specgen.Slirp, specgen.Pasta:
+		return true
+	default:
+		return false
+	}
+}

test/system/030-run.bats

@@ -751,11 +751,38 @@ json-file | f
 
     run_podman run --rm -p 8080 --net=host $IMAGE echo $rand
     is "${lines[0]}" \
-       "Port mappings have been discarded as one of the Host, Container, Pod, and None network modes are in use" \
+       "Port mappings have been discarded because \"host\" network namespace mode does not support them" \
        "Warning is emitted before container output"
     is "${lines[1]}" "$rand" "Container runs successfully despite warning"
 }
 
+# bats test_tags=ci:parallel
+@test "podman run with --net=none and --port prints warning" {
+    rand=$(random_string 10)
+
+    run_podman run --rm -p 8080 --net=none $IMAGE echo $rand
+    is "${lines[0]}" \
+       "Port mappings have been discarded because \"none\" network namespace mode does not support them" \
+       "Warning is emitted before container output"
+    is "${lines[1]}" "$rand" "Container runs successfully despite warning"
+}
+
+# bats test_tags=ci:parallel
+@test "podman run with --net=container:id and --port prints warning" {
+    rand=$(random_string 10)
+
+    run_podman run -d --name=$rand $IMAGE top
+    cid=$output
+    run_podman run --rm -p 8080 --net=container:$cid $IMAGE echo $rand
+    is "${lines[0]}" \
+       "Port mappings have been discarded because \"container\" network namespace mode does not support them" \
+       "Warning is emitted before container output"
+    is "${lines[1]}" "$rand" "Container runs successfully despite warning"
+
+    # Cleanup
+    run_podman container rm -f -t0 $cid
+}
+
 # bats test_tags=ci:parallel
 @test "podman run - check workdir" {
     # Workdirs specified via the CLI are not created on the root FS.