Do not set host IP on ports when 0.0.0.0 requested

Docker and CNI have very different ideas of what 0.0.0.0 means.
Docker takes it to be 0.0.0.0/0 - that is, bind to every IPv4
address on the host. CNI (and, thus, root Podman) take it to mean
the literal IP 0.0.0.0. Instead, CNI interprets the empty string
("") as "bind to all IPs".

We could ask CNI to change, but given this is established
behavior, that's unlikely. Instead, let's just catch 0.0.0.0 and
turn it into "" when we parse ports.

Fixes #7014

Signed-off-by: Matthew Heon <mheon@redhat.com>

1 files changed, 8 insertions, 5 deletions

diff --git a/cmd/podman/common/util.go b/cmd/podman/common/util.go
index 41432c6f0..17e779c86 100644
--- a/cmd/podman/common/util.go
+++ b/cmd/podman/common/util.go
@@ -175,12 +175,15 @@ func parseSplitPort(hostIP, hostPort *string, ctrPort string, protocol *string)
 	if hostIP != nil {
 		if *hostIP == "" {
 			return newPort, errors.Errorf("must provide a non-empty container host IP to publish")
+		} else if *hostIP != "0.0.0.0" {
+			// If hostIP is 0.0.0.0, leave it unset - CNI treats
+			// 0.0.0.0 and empty differently, Docker does not.
+			testIP := net.ParseIP(*hostIP)
+			if testIP == nil {
+				return newPort, errors.Errorf("cannot parse %q as an IP address", *hostIP)
+			}
+			newPort.HostIP = testIP.String()
 		}
-		testIP := net.ParseIP(*hostIP)
-		if testIP == nil {
-			return newPort, errors.Errorf("cannot parse %q as an IP address", *hostIP)
-		}
-		newPort.HostIP = testIP.String()
 	}
 	if hostPort != nil {
 		if *hostPort == "" {