
Background

The system is running a rootless container based upon the docker.io/rocker/shiny-verse:latest image that publishes a port (say 8000) for remote web connections (to access the shiny UI). The shiny server running within the container requires access to a database running on a remote host. The local host on which the container runs uses an SSH tunnel (outside the container) to wrap the database connection from the local host to the remote database server. Basic steps to reproduce (less credentials):

$ # In host environment (logged in as unprivileged account that runs rootless container)...
$ ssh -fvNx -L 5432:localhost:5432 dbuser@dbserver
$ psql -h 127.0.0.1 -p 5432 ... # Able to connect to database from host environment (using non-privileged account that runs the rootless container)
$ Rscript -e 'x <- pool::dbPool(drv = RPostgreSQL::PostgreSQL(), ....)' # Command succeeds
$ podman run --rm -it --publish 8000:8000 --expose 5432 --entrypoint '["R"]' docker.io/rocker/shiny-verse:latest
> # Within container interactive R session...
> x <- pool::dbPool(drv = RPostgreSQL::PostgreSQL(), ....)
> # Error in postgresqlNewConnection(drv, ...):
> #   RS-DBI driver ... could not connect ... Is the server running ... and accepting connections ...

Question

Since I cannot (or I don’t think I can) publish port 5432 when running podman run ... (as the port is already bound by the SSH tunnel running on the host), how can I run the container image such that I can use the SSH tunnel established on the host from within the container to access the remote database?

Other Thoughts

  • Nothing in the logs indicates firewall packet rejection (and there are no SELinux denials)
  • Prefer to find a solution that does not involve mangling network packets
  • While using the --network=host option to podman run solves the issue, it appears too permissive to retain some important security benefits of rootless containers

Environment

podman 1.9.2
Fedora 32 (5.6.14-300.fc32.x86_64)
R 4.0.0
OpenSSH_8.2p1
OpenSSL 1.1.1g

0 Answers
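Two ways to reach a host-side SSH tunnel from a rootless podman container without falling back to --network=host, as an added example that is not part of the original question or any answer. Option A forwards the remote database port to a Unix socket on the host (OpenSSH 6.7 or later accepts a path on the local side of -L) and bind-mounts only that socket directory into the container, so no network path between container and host is opened at all; libpq, and therefore RPostgreSQL, connects with host=/var/run/postgresql. Option B keeps the TCP tunnel on 127.0.0.1 and uses the slirp4netns allow_host_loopback option so that the container's default gateway 10.0.2.2 maps onto the host loopback. The host and user names (dbserver, dbuser) follow the question; the socket directory, the in-container mount point, and the claim that the podman release in use accepts slirp4netns options on --network (the 1.9.2 in the question may not; check man podman-run) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): use a host-side SSH tunnel from a
# rootless podman container without --network=host.
set -eu

DB_HOST=${DB_HOST:-dbserver}                 # names as in the question
DB_USER=${DB_USER:-dbuser}
IMAGE=${IMAGE:-docker.io/rocker/shiny-verse:latest}
SOCK_DIR=${SOCK_DIR:-${HOME:-/tmp}/.local/run/pgtunnel}   # assumed host path
SOCK_NAME=.s.PGSQL.5432   # the file name libpq looks for under host=<directory>

# Option A: forward remote TCP 5432 to a Unix socket on the host.
# StreamLocalBindMask=0177 makes the socket owner-only; StreamLocalBindUnlink
# removes a stale socket left by a previous run; ExitOnForwardFailure makes
# ssh exit non-zero instead of silently backgrounding without the forward.
ssh_unix_tunnel_cmd() {
  printf 'ssh -fNx -o ExitOnForwardFailure=yes -o StreamLocalBindMask=0177 -o StreamLocalBindUnlink=yes -L %s/%s:localhost:5432 %s@%s\n' \
    "$SOCK_DIR" "$SOCK_NAME" "$DB_USER" "$DB_HOST"
}

# Bind-mount only the socket directory. :Z gives it a per-container SELinux
# label. Inside the container connect with
#   pool::dbPool(drv = RPostgreSQL::PostgreSQL(), host = "/var/run/postgresql", ...)
# (assumed mount point; libpq treats a host beginning with "/" as a socket dir).
podman_unix_cmd() {
  printf 'podman run --rm -it --publish 8000:8000 -v %s:/var/run/postgresql:Z %s\n' \
    "$SOCK_DIR" "$IMAGE"
}

# Option B: tunnel stays on 127.0.0.1:5432; slirp4netns maps the container
# gateway (10.0.2.2) to host loopback, so inside the container use
# host = "10.0.2.2". Caveat: every service bound to 127.0.0.1 on the host
# becomes reachable, which is broader than Option A but still far less than
# --network=host. Assumption: the podman release accepts this --network syntax.
podman_loopback_cmd() {
  printf 'podman run --rm -it --publish 8000:8000 --network=slirp4netns:allow_host_loopback=true %s\n' \
    "$IMAGE"
}

# Pre-flight check for Option A: the tunnel socket must exist and be 0600.
socket_ready() {
  s="$1/$SOCK_NAME"
  [ -S "$s" ] || return 1
  case $(stat -c '%a' "$s") in
    600) return 0 ;;
    *)   return 1 ;;
  esac
}

# Guard against accidentally reintroducing the host network namespace.
uses_host_netns() {
  case "$1" in
    *--network=host*|*--net=host*) return 0 ;;
    *) return 1 ;;
  esac
}

# Only perform the real steps when explicitly asked (PGTUNNEL_RUN=1), so the
# script can be sourced and inspected without ssh or podman present.
if [ "${PGTUNNEL_RUN:-0}" = 1 ]; then
  mkdir -p "$SOCK_DIR" && chmod 700 "$SOCK_DIR"
  eval "$(ssh_unix_tunnel_cmd)"
  socket_ready "$SOCK_DIR" || { echo "tunnel socket missing or too open" >&2; exit 1; }
  eval "$(podman_unix_cmd)"
fi
```

Run with PGTUNNEL_RUN=1 on the host as the same unprivileged user that owns the rootless container; because that user maps to uid 0 inside the container, the owner-only socket is usable there without widening its permissions. Option A is the least-exposure choice since it hands the container exactly one endpoint; Option B is simpler but exposes everything on the host loopback.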