Why are ports handled differently between rootless and rootful mode

[vsiravar]

Hi all,
I am new to nerdctl and containers in general.
I noticed a difference in behavior between rootful and rootless mode in the way ports are exposed in nerdctl run --publish hostport:containerport"command
In rootless mode I can connect to the listening socket even when there is no server running on a container port.

For example:

nerdctl run -d -p 10009:80 alpine sleep infinity 
netstat -an | grep 10009
tcp4       0      0  127.0.0.1.10009        *.*                    LISTEN  

# on the host
nc -v localhost 10009
Connection to localhost port 10009 [tcp/swdtp-sv] succeeded!

However in rootful mode, the socket is not exposed and I can't connect to it from a client.

I traced the code to

nerdctl/pkg/ocihook/ocihook.go

Line 436 in cffdf87

if err := pm.ExposePort(ctx, p); err != nil {

where in rootless mode the ports are exposed before the container is run, why is this not done in rootful mode? Any links to code or knowledge sharing is greatly appreciated. Thanks!

[ningziwen]

Different namespace has their own uid set. Rootless basically create a child namespace and maps the uid 0 (root super user for linux) in the child namespace to the normal uid in parent namespace, which creates a fake root user.

From the comment, pm.ExposePort(ctx, p) maps the hostport in parent namespace to child namespace. Rootful doesn't need this because it doesn't need an additional child namespace to create the fake root user. So this line is not the port forwarding between host port and container port. it is just an adiditional step required by rootless but not rootful.