common: add support for default_host_ip in containers.conf

This adds support for configuring a default host IP via containers.conf
to bind published container ports to when no host IP is explicitly
specified (e.g. -p 8000:8000). Note that explicit host IP still overrides the
default option set in containers.conf.

Refers containers/podman#27186

Signed-off-by: Danish Prakash <[email protected]>

Author: danishprakash

common/docs/containers.conf.5.md

@@ -525,6 +525,15 @@ run on the machine.
 A list of default pasta options that should be used running pasta.
 It accepts the pasta cli options, see pasta(1) for the full list of options.
 
+**default_host_ip**=""
+
+The default host IP address to bind published container ports to when no host IP
+is explicitly specified (e.g., `-p 8000:8000`). If empty, the default behavior is to
+bind to all network interfaces (`0.0.0.0`). For instance, setting this to `127.0.0.1` restricts
+published ports to localhost only, improving security on desktop installations.
+Note that explicitly specifying a host IP in the `-p` flag (e.g., `-p 192.168.1.10:8000:8000`)
+will always override this default.
+
 ## ENGINE TABLE
 The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
 

common/pkg/config/config.go

@@ -634,6 +634,11 @@ type NetworkConfig struct {
 	// PastaOptions contains a default list of pasta(1) options that should
 	// be used when running pasta.
 	PastaOptions attributedstring.Slice `toml:"pasta_options,omitempty"`
+
+	// DefaultHostIP is the default host IP to bind published container ports
+	// to when no host IP is explicitly specified in the -p flag (e.g., -p 80:80).
+	// If empty, the default behavior is to bind to all interfaces (0.0.0.0).
+	DefaultHostIP string `toml:"default_host_ip,omitempty"`
 }
 
 type SubnetPool struct {

common/pkg/config/containers.conf

@@ -445,6 +445,14 @@ default_sysctls = [
 #
 #pasta_options = []
 
+# The default host IP address to bind published container ports to when no
+# host IP is explicitly specified (e.g., -p 8000:8000). If empty, the default
+# behavior is to bind to all network interfaces (0.0.0.0). For instance,
+# setting this to 127.0.0.1 restricts published ports to localhost only.
+# Note that explicitly specifying a host IP via `-p` will always override this.
+#
+#default_host_ip = ""
+
 [engine]
 # Index to the active service
 #

common/pkg/config/containers.conf-freebsd

@@ -335,6 +335,14 @@ default_sysctls = [
 #
 #network_config_dir = "/usr/local/etc/cni/net.d/"
 
+# The default host IP address to bind published container ports to when no
+# host IP is explicitly specified (e.g., -p 8000:8000). If empty, the default
+# behavior is to bind to all network interfaces (0.0.0.0). For instance,
+# setting this to 127.0.0.1 restricts published ports to localhost only.
+# Note that explicitly specifying a host IP via `-p` will always override this.
+#
+#default_host_ip = ""
+
 [engine]
 # Index to the active service
 #