sudo nerdctl run -p <container port> <image> always defaults to 49153 host port. #2164

Closed
vsiravar opened this issue Apr 7, 2023 · 2 comments · Fixed by #2169
Labels
bug Something isn't working

Comments

Contributor

vsiravar commented Apr 7, 2023

Description

Running containers with the -p/--publish option and using PortAllocate always results in the host port being 49153. Used ports are mapped using /proc/net/tcp, but 49153 does not show up in netstat -pltn (/proc/net/tcp).

Steps to reproduce the issue

# Run 2 containers with -p option. 
$ sudo nerdctl run -d --name my-nginx -p 80 nginx
59f081b2459bdb41bd2a0a024959b6627fa937d74d2d4775f4ab1803a253d76c
$  sudo nerdctl run -d --name my-httpd -p 80 httpd
b280792d4aa2554af45b5aaff7f26b019c8558fe48d8e8e698d62620b593d350

# Host port is always mapped to 49153
$ sudo nerdctl ps -a
CONTAINER ID    IMAGE                             COMMAND                   CREATED           STATUS    PORTS                    NAMES
59f081b2459b    docker.io/library/nginx:latest    "/docker-entrypoint.…"    35 seconds ago    Up        0.0.0.0:49153->80/tcp    my-nginx
b280792d4aa2    docker.io/library/httpd:latest    "httpd-foreground"        4 seconds ago     Up        0.0.0.0:49153->80/tcp    my-httpd

Both the containers have host port 49153.

$ curl localhost:49153
<html><body><h1>It works!</h1></body></html>

Don't have a way from host to reach my-nginx.

Describe the results you received and expected

Second command should choose a new free port in range from https://github.com/containerd/nerdctl/blob/main/pkg/portutil/port_allocate_linux.go#L27.

What version of nerdctl are you using?

main branch

Client:
 Version:	v1.3.0-4-g009000b.m
 OS/Arch:	linux/amd64
 Git commit:	009000b543849fe15bcea9f5cb2e6512aa85cffa
 buildctl:
  Version:	v0.11.3
  GitCommit:	4ddee42a32aac4cd33bf9c2be4c87c2ffd34747b

Server:
 containerd:
  Version:	v1.6.19
  GitCommit:	1e1ea6e986c6c86565bc33d52e34b81b3e2bc71f
 runc:
  Version:	1.1.4
  GitCommit:	v1.1.4-0-g5fd4c4d1

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

Lima

Host information

$ nerdctl info
Client:
Namespace: default
Debug Mode: false

Server:
Server Version: v1.6.19
Storage Driver: overlayfs
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Log: fluentd journald json-file syslog
Storage: native overlayfs stargz fuse-overlayfs
Security Options:
apparmor
seccomp
Profile: default
cgroupns
rootless
Kernel Version: 5.19.0-31-generic
Operating System: Ubuntu 22.10
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.825GiB
Name: lima-default
ID: a15f321f-02a0-4f16-a8c4-3250e344ab38

WARNING: IPv4 forwarding is disabled
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

@vsiravar vsiravar added the kind/unconfirmed-bug-claim Unconfirmed bug claim label Apr 7, 2023
Contributor Author

vsiravar commented Apr 7, 2023

Not an expert by any means, but should we identify free ports based on iptables rather than /proc/net/tcp as used here? Maybe completely off, but happy to PR it.
Side note: Is there a check for used ports when -p <hostport>:<containerport> is specified?

@AkihiroSuda AkihiroSuda added bug Something isn't working and removed kind/unconfirmed-bug-claim Unconfirmed bug claim labels Apr 8, 2023
Member

iptables

SGTM.
As a workaround we can just choose a random port.
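
The gap discussed in this thread, as an added example that is not nerdctl's code: as the report observes, the published port 49153 does not appear in /proc/net/tcp, so an allocator that consults only the socket table hands it out again, while one that also reads the NAT rules moves on to the next port. The sample inputs, the `CNI-DN-example` chain name, the 65535 upper bound and the helper names `ports` and `allocate` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Constructed /proc/net/tcp sample: only port 22 (0x0016) is in LISTEN state (0A).
const procNetTCP = `  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A`

// Constructed `iptables-save -t nat` line: host port 49153 is DNAT'ed to a container.
const natRules = `-A CNI-DN-example -p tcp -m tcp --dport 49153 -j DNAT --to-destination 10.4.0.2:80`

var listenRe = regexp.MustCompile(`(?m)^\s*\d+: [0-9A-F]+:([0-9A-F]{4}) \S+ 0A\b`) // hex port
var dnatRe = regexp.MustCompile(`-p tcp .*--dport (\d+) .*-j DNAT`)               // decimal port

// ports collects every port captured by re in text, parsed in the given base.
func ports(text string, re *regexp.Regexp, base int) map[uint64]bool {
	used := map[uint64]bool{}
	for _, m := range re.FindAllStringSubmatch(text, -1) {
		if p, err := strconv.ParseUint(m[1], base, 16); err == nil {
			used[p] = true
		}
	}
	return used
}

// allocate returns the first port in [start, end] that no used set contains.
func allocate(start, end uint64, usedSets ...map[uint64]bool) (uint64, error) {
next:
	for p := start; p <= end; p++ {
		for _, s := range usedSets {
			if s[p] {
				continue next
			}
		}
		return p, nil
	}
	return 0, fmt.Errorf("no free port in %d-%d", start, end)
}

func main() {
	sockets, dnat := ports(procNetTCP, listenRe, 16), ports(natRules, dnatRe, 10)
	a, _ := allocate(49153, 65535, sockets)       // socket table only
	b, _ := allocate(49153, 65535, sockets, dnat) // socket table plus NAT rules
	fmt.Println("socket table only:", a, "| with DNAT rules:", b)
}
```

With the constructed inputs, the socket-table-only call returns 49153 again (the collision shown in the report) and the combined call returns 49154.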
