Regression, in v2.1.3 unable to bind containers on different IPs to same ports #4786

@figaw

Description

Using version 2.1.3 of nerdctl, it incorrectly checks for conflicting ports when starting containers.

Using versions:

containerd_version: "2.1.6"
runc_version: "1.3.4"
cni_version: "1.9.0"
nerdctl_version: "2.1.2"

I'm successfully able to execute (and access) the following compose spec:

services:
  nginx-primary:
    image: nginx:latest
    container_name: nginx_primary
    ports:
      - "192.168.1.141:80:80"
      - "192.168.1.142:80:80"
    restart: always

  nginx-sec:
    image: nginx:latest
    container_name: nginx_sec
    ports:
      - "192.168.1.143:80:80"
    restart: always

But any version later than 2.1.2 (even the latest 2.1.6, or 2.2.1) fails.


NB: I tested with all sorts of different combinations of containerd versions, runc versions, CNI plugin versions. But whenever I make the change to 2.1.3 or later, it begins to fail.

Steps to reproduce the issue

  1. Update nerdctl to version 2.1.3
  2. Attempt to start multiple containers, binding to different IPs but on the same port
  3. The "second" container is not allowed to start

Describe the results you received and expected

INFO[0000] Creating network test_default
INFO[0000] Ensuring image nginx:latest
INFO[0000] Ensuring image nginx:latest
INFO[0000] Creating container nginx_sec
INFO[0000] Running [/usr/local/bin/nerdctl run --cidfile=/tmp/compose-539193217/cid -l=com.docker.compose.project=test -l=com.docker.compose.service=nginx-sec -d --name=nginx_sec --pull=never --net=test_default --hostname=nginx-sec -p=192.168.1.143:80:80/tcp --restart=always nginx:latest]
FATA[0000] failed to load networking flags: bind for 192.168.1.143:80 failed: port is already allocated
FATA[0000] error while creating container nginx_sec: error while creating container nginx_sec: exit status 1

I expect the containers to just start.

What version of nerdctl are you using?

Any version later than 2.1.2: 2.1.3, or even the latest 2.1.6 or 2.2.1.

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

Client:
 Namespace:     default
 Debug Mode:    false

Server:
 Server Version: v2.1.6
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Log:     fluentd journald json-file none syslog
  Storage: native overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version:   6.8.0-101-generic
 Operating System: Ubuntu 24.04.4 LTS
 OSType:           linux
 Architecture:     x86_64
 CPUs:             16
 Total Memory:     62.52GiB
 Name:             ...
 ID:               ...
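
The behaviour the report expects, as an added example (not nerdctl's code and not part of the original report): a host-port conflict check that compares host IP, port and protocol, so bindings on different specific IPs do not collide. The `Binding` type and the function names are hypothetical, and treating any wildcard address as overlapping regardless of address family is a simplification.

```go
package main

import (
	"fmt"
	"net"
)

// Binding is one published port, e.g. 192.168.1.143:80/tcp (hypothetical type).
type Binding struct {
	HostIP   string // "", "0.0.0.0" or "::" means every local address
	HostPort int
	Proto    string
}

// isWildcard reports whether ip means "every local address".
func isWildcard(ip string) bool {
	p := net.ParseIP(ip)
	return ip == "" || (p != nil && p.IsUnspecified())
}

// Conflicts reports whether two bindings would claim the same host socket.
func Conflicts(a, b Binding) bool {
	if a.Proto != b.Proto || a.HostPort != b.HostPort {
		return false
	}
	if isWildcard(a.HostIP) || isWildcard(b.HostIP) {
		return true // a wildcard bind overlaps every specific address
	}
	ia, ib := net.ParseIP(a.HostIP), net.ParseIP(b.HostIP)
	return ia != nil && ib != nil && ia.Equal(ib)
}

// FirstConflict returns the in-use binding that blocks want, if any.
func FirstConflict(inUse []Binding, want Binding) (Binding, bool) {
	for _, u := range inUse {
		if Conflicts(u, want) {
			return u, true
		}
	}
	return Binding{}, false
}

func main() {
	// Constructed from the compose spec in the report: nginx_primary is already up.
	inUse := []Binding{{"192.168.1.141", 80, "tcp"}, {"192.168.1.142", 80, "tcp"}}
	_, sec := FirstConflict(inUse, Binding{"192.168.1.143", 80, "tcp"})
	_, all := FirstConflict(inUse, Binding{"0.0.0.0", 80, "tcp"})
	fmt.Println("192.168.1.143:80 blocked:", sec, "| 0.0.0.0:80 blocked:", all)
}
```

A check keyed on port and protocol alone would report the `192.168.1.143:80` binding as already allocated, which matches the error in the log above.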
