Improve handling of --publish and incompatible NetNS modes

Handling is improved by: - Inverting detection logic so all incompatible NetNS modes that can't be used with the `--publish` option will now print a warning to the user. - Updating the --publish documentation - Extract detection logic out to it's own function with a note to keep docs in sync. Note: path mode was added after this warning logic was added: - https://github.com/containers/podman/pull/8230 - https://github.com/containers/podman/pull/16386 Relates-to: https://github.com/containers/podman/issues/26663 Signed-off-by: Lewis Roy <lewis@redhat.com>
2026-02-05 06:45:31 +01:00 · 2025-07-21 08:50:07 +10:00
parent e6a439a5c6
commit 81d6d90195
3 changed files with 49 additions and 8 deletions
--- a/docs/source/markdown/options/publish.md
+++ b/docs/source/markdown/options/publish.md
@@ -22,5 +22,5 @@ If it is not, the container port is randomly assigned a port on the host.

 Use **podman port** to see the actual mapping: `podman port $CONTAINER $CONTAINERPORT`.

-Note that the network drivers `macvlan` and `ipvlan` do not support port forwarding,
-therefore this option will have no effect on such networks.
+Port publishing is only supported for containers utilizing their own network namespace
+through `bridge` networks, or the `pasta` and `slirp4netns` network modes.
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -351,11 +351,13 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 		return warnings, err
 	}

-	// Warn on net=host/container/pod/none and port mappings.
-	if (s.NetNS.NSMode == specgen.Host || s.NetNS.NSMode == specgen.FromContainer ||
-		s.NetNS.NSMode == specgen.FromPod || s.NetNS.NSMode == specgen.NoNetwork) &&
-		len(s.PortMappings) > 0 {
-		warnings = append(warnings, "Port mappings have been discarded as one of the Host, Container, Pod, and None network modes are in use")
+	// Warn if NetNS mode is not compatible with PorMappings
+	if len(s.PortMappings) > 0 {
+		nsMode := s.NetNS.NSMode
+		if nsMode != "" && !isPortMappingCompatibleNetNSMode(nsMode) {
+			warnings = append(warnings,
+				fmt.Sprintf("Port mappings have been discarded because \"%s\" network namespace mode does not support them", nsMode))
+		}
 	}

 	if len(s.ImageVolumeMode) == 0 {
@@ -624,3 +626,15 @@ func CheckName(rt *libpod.Runtime, n string, kind bool) string {
 	}
 	return n
 }
+
+// isPortMappingCompatibleNetNSMode validates if mode of the provided
+// Namespace mode is compatible with port mappings.
+// Note: Update `podman run --publish | -p` docs when modifying this function.
+func isPortMappingCompatibleNetNSMode(nsMode specgen.NamespaceMode) bool {
+	switch nsMode {
+	case specgen.Bridge, specgen.Slirp, specgen.Pasta:
+		return true
+	default:
+		return false
+	}
+}
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -751,11 +751,38 @@ json-file | f

    run_podman run --rm -p 8080 --net=host $IMAGE echo $rand
    is "${lines[0]}" \
-       "Port mappings have been discarded as one of the Host, Container, Pod, and None network modes are in use" \
+       "Port mappings have been discarded because \"host\" network namespace mode does not support them" \
       "Warning is emitted before container output"
    is "${lines[1]}" "$rand" "Container runs successfully despite warning"
 }

+# bats test_tags=ci:parallel
+@test "podman run with --net=none and --port prints warning" {
+    rand=$(random_string 10)
+
+    run_podman run --rm -p 8080 --net=none $IMAGE echo $rand
+    is "${lines[0]}" \
+       "Port mappings have been discarded because \"none\" network namespace mode does not support them" \
+       "Warning is emitted before container output"
+    is "${lines[1]}" "$rand" "Container runs successfully despite warning"
+}
+
+# bats test_tags=ci:parallel
+@test "podman run with --net=container:id and --port prints warning" {
+    rand=$(random_string 10)
+
+    run_podman run -d --name=$rand $IMAGE top
+    cid=$output
+    run_podman run --rm -p 8080 --net=container:$cid $IMAGE echo $rand
+    is "${lines[0]}" \
+       "Port mappings have been discarded because \"container\" network namespace mode does not support them" \
+       "Warning is emitted before container output"
+    is "${lines[1]}" "$rand" "Container runs successfully despite warning"
+
+    # Cleanup
+    run_podman container rm -f -t0 $cid
+}
+
 # bats test_tags=ci:parallel
@test "podman run - check workdir" {
    # Workdirs specified via the CLI are not created on the root FS.