rootless-containers / slirp4netns

User-mode networking for unprivileged network namespaces
GNU General Public License v2.0

Rootless Podman can not create containers that bind to privileged (< 1024) ports #313

Closed Nick-Wunderdog closed 9 months ago

Nick-Wunderdog commented 1 year ago

I do not mean exposing to a privileged port on the host, which is expected behavior. But rootless podman (host) cannot start a service inside a container on a privileged port. See: https://github.com/containers/podman/blob/main/rootless.md

In my opinion and for our customer this is a bug which makes podman critically broken and it makes podman unsuitable for production use. I am a big fan of podman, and I am saying this to help Podman replace Docker as most popular container, please:

  1. Prioritize and fix this bug.
  2. NEVER just try to explain and excuse the bug as being a "feature" (of slirp4netns/systemd). That is what Microsoft does: calls a critical bug a "Feature". If this is "how slirp4netns works", then it is a mistake and a bug for podman to use slirp4netns. So either fork a version of slirp4netns and alter it to work correctly with Podman, or replace slirp4netns with something that does.

There are several tickets that are side effects of this bug. So I made this one to try to focus the attention on this root cause. Related tickets:

149

https://github.com/containers/podman/issues/3212

AkihiroSuda commented 1 year ago

I do not mean exposing to a privileged port on the host, which is expected behavior. But rootless podman (host) cannot start a service inside a container on a privileged port.

What do you mean?

andryyy commented 9 months ago

I came across this report and have to say… that’s the worst and most disgusting issue I have read in a while. Get yourself together.

rhatdan commented 9 months ago

Issue should be closed. This is a security feature of Linux and cannot be overcome via user space without opening up potential security issues.
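The thread never shows what "privileged port" actually means to the kernel at runtime. The following diagnostic, an added example that is not part of this issue or of the slirp4netns/Podman code, reads the Linux sysctl `net.ipv4.ip_unprivileged_port_start` (the boundary below which binding requires CAP_NET_BIND_SERVICE; it defaults to 1024 and the script assumes that default when the file is unreadable, e.g. on non-Linux), then tries to bind a few TCP ports on loopback and reports which ones the current namespace allows. The port list and the `/proc` path are the script's own assumptions; run it on the host and again inside a rootless container to see the difference the thread is arguing about.

```python
import errno
import socket

# Linux default: ports below this value are "privileged" and need
# CAP_NET_BIND_SERVICE in the owning user namespace to bind.
DEFAULT_PRIVILEGED_PORT_START = 1024
# Assumed path of the namespaced sysctl (net.ipv4.ip_unprivileged_port_start).
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def parse_threshold(text, default=DEFAULT_PRIVILEGED_PORT_START):
    """Parse the sysctl file contents; fall back to the default on junk."""
    try:
        return int(text.strip())
    except (ValueError, AttributeError):
        return default


def privileged_port_threshold(path=SYSCTL_PATH):
    """Read the sysctl; return 1024 when it cannot be read (non-Linux, sandbox)."""
    try:
        with open(path) as f:
            return parse_threshold(f.read())
    except OSError:
        return DEFAULT_PRIVILEGED_PORT_START


def is_privileged(port, threshold):
    """True when the kernel would require CAP_NET_BIND_SERVICE for this port."""
    return 0 < port < threshold


def can_bind(port, host="127.0.0.1"):
    """Try to bind a TCP socket; return (ok, errno_name). EACCES means denied."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def report(ports=(80, 443, 8080)):
    """Return (threshold, rows) where each row is (port, privileged?, ok, errno_name)."""
    threshold = privileged_port_threshold()
    rows = []
    for p in ports:
        ok, err = can_bind(p)
        rows.append((p, is_privileged(p, threshold), ok, err))
    return threshold, rows


if __name__ == "__main__":
    threshold, rows = report()
    print(f"privileged ports in this namespace: 1..{threshold - 1}")
    for p, priv, ok, err in rows:
        status = "bindable" if ok else f"denied ({err})"
        print(f"  port {p:5d} privileged={str(priv):5} -> {status}")
```

A denied result on port 80 with EACCES while 8080 binds is the exact behaviour the reporter is complaining about; EADDRINUSE simply means something else already holds the port and says nothing about privilege.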