[Rootless] Access containers via IP outside of namespace

[thomascft]

I'm working on a project where I'd like containers to be directly accessible via IP from the host. This works in the privileged daemon, but with rootless it's only accessible via the rootlesskit namespace. I assume this has to do with rootlesskit's default networking setup and I'd like to change this if possible. I'm binding the containers to 10.0.10.0/24 in the bogon space and everything is being managed via compose. Would anyone have an Idea on how to resolve this?

[fahedouch]

I'm working on a project where I'd like containers to be directly accessible via IP from the host

unprivileged user cannot manage the host network stack. for this reason we pass through rootlesskit namespace ( slirp4netns) to go outside.

to acheive this, a workaroud is to nsenter into the container namespace from host and then access container using the container ip :

get container pid:

rootless@26bdbd470ef7:/go/src/github.com/containerd/nerdctl/Dockerfile.d$ nerdctl ps
CONTAINER ID    IMAGE                              COMMAND             CREATED           STATUS    PORTS    NAMES
e36b69bd82c8    docker.io/library/alpine:latest    "sleep infinity"    19 minutes ago    Up                 alpine-e36b6


 rootless@26bdbd470ef7:/go/src/github.com/containerd/nerdctl/Dockerfile.d$ nerdctl inspect -f '{{.State.Pid}}' e36b69bd82c8
1308

get container IP:

  rootless@26bdbd470ef7:/go/src/github.com/containerd/nerdctl/Dockerfile.d$ nerdctl inspect -f '{{.NetworkSettings.IPAddress}}' e36b69bd82c8 
10.4.0.2

from host, nsenter container network ns :

rootless@26bdbd470ef7:/go/src/github.com/containerd/nerdctl/Dockerfile.d$ sudo nsenter -n -t 1308 -- ping 10.4.0.2