coder
diff --git a/‎agent/agentcontainers/containers_dockercli.go
+53-15 b/‎agent/agentcontainers/containers_dockercli.go
+53-15
diff --git a/‎agent/agentcontainers/containers_internal_test.go
+70-19 b/‎agent/agentcontainers/containers_internal_test.go
+70-19
diff --git a/‎agent/agentcontainers/testdata/container_sameportdiffip/docker_inspect.json
+51 b/‎agent/agentcontainers/testdata/container_sameportdiffip/docker_inspect.json
+51
diff --git a/‎coderd/apidoc/docs.go
+22-1 b/‎coderd/apidoc/docs.go
+22-1
@@ -6,6 +6,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net"
 	"os/user"
 	"slices"
 	"sort"
@@ -379,6 +380,19 @@ func convertDockerInspect(raw []byte) ([]codersdk.WorkspaceAgentDevcontainer, []
 	}
 	outs := make([]codersdk.WorkspaceAgentDevcontainer, 0, len(ins))
 
+	// Say you have two containers:
+	//  - Container A with Host IP 127.0.0.1:8000 mapped to container port 8001
+	//  - Container B with Host IP [::1]:8000 mapped to container port 8001
+	// A request to localhost:8000 may be routed to either container.
+	// We don't know which one for sure, so we need to surface this to the user.
+	// Keep track of all host ports we see. If we see the same host port
+	// mapped to multiple containers on different host IPs, we need to
+	// warn the user about this.
+	// Note that we only do this for loopback or unspecified IPs.
+	// We'll assume that the user knows what they're doing if they bind to
+	// a specific IP address.
+	hostPortContainers := make(map[int][]string)
+
 	for _, in := range ins {
 		out := codersdk.WorkspaceAgentDevcontainer{
 			CreatedAt: in.Created,
@@ -387,7 +401,7 @@ func convertDockerInspect(raw []byte) ([]codersdk.WorkspaceAgentDevcontainer, []
 			ID:           in.ID,
 			Image:        in.Config.Image,
 			Labels:       in.Config.Labels,
-			Ports:        make([]codersdk.WorkspaceAgentListeningPort, 0),
+			Ports:        make([]codersdk.WorkspaceAgentDevcontainerPort, 0),
 			Running:      in.State.Running,
 			Status:       in.State.String(),
 			Volumes:      make(map[string]string, len(in.Mounts)),
@@ -399,35 +413,43 @@ func convertDockerInspect(raw []byte) ([]codersdk.WorkspaceAgentDevcontainer, []
 		portKeys := maps.Keys(in.NetworkSettings.Ports)
 		// Sort the ports for deterministic output.
 		sort.Strings(portKeys)
-		// Each port binding may have multiple entries mapped to the same interface.
-		// Keep track of the ports we've already seen.
-		seen := make(map[int]struct{}, len(in.NetworkSettings.Ports))
+		// If we see the same port bound to both ipv4 and ipv6 loopback or unspecified
+		// interfaces to the same container port, there is no point in adding it multiple times.
+		loopbackHostPortContainerPorts := make(map[int]uint16, 0)
 		for _, pk := range portKeys {
 			for _, p := range in.NetworkSettings.Ports[pk] {
-				_, network, err := convertDockerPort(pk)
+				cp, network, err := convertDockerPort(pk)
 				if err != nil {
 					warns = append(warns, fmt.Sprintf("convert docker port: %s", err.Error()))
 					// Default network to "tcp" if we can't parse it.
 					network = "tcp"
 				}
 				hp, err := strconv.Atoi(p.HostPort)
 				if err != nil {
-					warns = append(warns, fmt.Sprintf("convert docker port: %s", err.Error()))
+					warns = append(warns, fmt.Sprintf("convert docker host port: %s", err.Error()))
 					continue
 				}
-				if hp > 65535 || hp < 0 { // invalid port
-					warns = append(warns, fmt.Sprintf("convert docker port: invalid host port %d", hp))
+				if hp > 65535 || hp < 1 { // invalid port
+					warns = append(warns, fmt.Sprintf("convert docker host port: invalid host port %d", hp))
 					continue
 				}
-				if _, ok := seen[hp]; ok {
-					// We've already seen this port, so skip it.
-					continue
+
+				// Deduplicate host ports for loopback and unspecified IPs.
+				if isLoopbackOrUnspecified(p.HostIP) {
+					if found, ok := loopbackHostPortContainerPorts[hp]; ok && found == cp {
+						// We've already seen this port, so skip it.
+						continue
+					}
+					loopbackHostPortContainerPorts[hp] = cp
+					// Also keep track of the host port and the container ID.
+					hostPortContainers[hp] = append(hostPortContainers[hp], in.ID)
 				}
-				out.Ports = append(out.Ports, codersdk.WorkspaceAgentListeningPort{
-					Network: network,
-					Port:    uint16(hp),
+				out.Ports = append(out.Ports, codersdk.WorkspaceAgentDevcontainerPort{
+					Network:  network,
+					Port:     cp,
+					HostPort: uint16(hp),
+					HostIP:   p.HostIP,
 				})
-				seen[hp] = struct{}{}
 			}
 		}
 
@@ -444,6 +466,13 @@ func convertDockerInspect(raw []byte) ([]codersdk.WorkspaceAgentDevcontainer, []
 		outs = append(outs, out)
 	}
 
+	// Check if any host ports are mapped to multiple containers.
+	for hp, ids := range hostPortContainers {
+		if len(ids) > 1 {
+			warns = append(warns, fmt.Sprintf("host port %d is mapped to multiple containers on different interfaces: %s", hp, strings.Join(ids, ", ")))
+		}
+	}
+
 	return outs, warns, nil
 }
 
@@ -471,3 +500,12 @@ func convertDockerPort(in string) (uint16, string, error) {
 		return 0, "", xerrors.Errorf("invalid port format: %s", in)
 	}
 }
+
+// convenience function to check if an IP address is loopback or unspecified
+func isLoopbackOrUnspecified(ips string) bool {
+	nip := net.ParseIP(ips)
+	if nip == nil {
+		return false // technically correct, I suppose
+	}
+	return nip.IsLoopback() || nip.IsUnspecified()
+}
@@ -2,6 +2,7 @@ package agentcontainers
 
 import (
 	"fmt"
+	"math/rand"
 	"os"
 	"path/filepath"
 	"slices"
@@ -438,7 +439,7 @@ func TestConvertDockerInspect(t *testing.T) {
 					Labels:       map[string]string{},
 					Running:      true,
 					Status:       "running",
-					Ports:        []codersdk.WorkspaceAgentListeningPort{},
+					Ports:        []codersdk.WorkspaceAgentDevcontainerPort{},
 					Volumes:      map[string]string{},
 				},
 			},
@@ -454,7 +455,7 @@ func TestConvertDockerInspect(t *testing.T) {
 					Labels:       map[string]string{"baz": "zap", "foo": "bar"},
 					Running:      true,
 					Status:       "running",
-					Ports:        []codersdk.WorkspaceAgentListeningPort{},
+					Ports:        []codersdk.WorkspaceAgentDevcontainerPort{},
 					Volumes:      map[string]string{},
 				},
 			},
@@ -470,7 +471,7 @@ func TestConvertDockerInspect(t *testing.T) {
 					Labels:       map[string]string{},
 					Running:      true,
 					Status:       "running",
-					Ports:        []codersdk.WorkspaceAgentListeningPort{},
+					Ports:        []codersdk.WorkspaceAgentDevcontainerPort{},
 					Volumes: map[string]string{
 						"/tmp/test/a": "/var/coder/a",
 						"/tmp/test/b": "/var/coder/b",
@@ -489,10 +490,12 @@ func TestConvertDockerInspect(t *testing.T) {
 					Labels:       map[string]string{},
 					Running:      true,
 					Status:       "running",
-					Ports: []codersdk.WorkspaceAgentListeningPort{
+					Ports: []codersdk.WorkspaceAgentDevcontainerPort{
 						{
-							Network: "tcp",
-							Port:    12345,
+							Network:  "tcp",
+							Port:     12345,
+							HostPort: 12345,
+							HostIP:   "0.0.0.0",
 						},
 					},
 					Volumes: map[string]string{},
@@ -510,16 +513,60 @@ func TestConvertDockerInspect(t *testing.T) {
 					Labels:       map[string]string{},
 					Running:      true,
 					Status:       "running",
-					Ports: []codersdk.WorkspaceAgentListeningPort{
+					Ports: []codersdk.WorkspaceAgentDevcontainerPort{
 						{
-							Network: "tcp",
-							Port:    12345,
+							Network:  "tcp",
+							Port:     23456,
+							HostPort: 12345,
+							HostIP:   "0.0.0.0",
 						},
 					},
 					Volumes: map[string]string{},
 				},
 			},
 		},
+		{
+			name: "container_sameportdiffip",
+			expect: []codersdk.WorkspaceAgentDevcontainer{
+				{
+					CreatedAt:    time.Date(2025, 3, 11, 17, 56, 34, 842164541, time.UTC),
+					ID:           "a",
+					FriendlyName: "a",
+					Image:        "debian:bookworm",
+					Labels:       map[string]string{},
+					Running:      true,
+					Status:       "running",
+					Ports: []codersdk.WorkspaceAgentDevcontainerPort{
+						{
+							Network:  "tcp",
+							Port:     8001,
+							HostPort: 8000,
+							HostIP:   "0.0.0.0",
+						},
+					},
+					Volumes: map[string]string{},
+				},
+				{
+					CreatedAt:    time.Date(2025, 3, 11, 17, 56, 34, 842164541, time.UTC),
+					ID:           "b",
+					FriendlyName: "b",
+					Image:        "debian:bookworm",
+					Labels:       map[string]string{},
+					Running:      true,
+					Status:       "running",
+					Ports: []codersdk.WorkspaceAgentDevcontainerPort{
+						{
+							Network:  "tcp",
+							Port:     8001,
+							HostPort: 8000,
+							HostIP:   "::",
+						},
+					},
+					Volumes: map[string]string{},
+				},
+			},
+			expectWarns: []string{"host port 8000 is mapped to multiple containers on different interfaces: a, b"},
+		},
 		{
 			name: "container_volume",
 			expect: []codersdk.WorkspaceAgentDevcontainer{
@@ -531,7 +578,7 @@ func TestConvertDockerInspect(t *testing.T) {
 					Labels:       map[string]string{},
 					Running:      true,
 					Status:       "running",
-					Ports:        []codersdk.WorkspaceAgentListeningPort{},
+					Ports:        []codersdk.WorkspaceAgentDevcontainerPort{},
 					Volumes: map[string]string{
 						"/var/lib/docker/volumes/testvol/_data": "/testvol",
 					},
@@ -552,7 +599,7 @@ func TestConvertDockerInspect(t *testing.T) {
 					},
 					Running: true,
 					Status:  "running",
-					Ports:   []codersdk.WorkspaceAgentListeningPort{},
+					Ports:   []codersdk.WorkspaceAgentDevcontainerPort{},
 					Volumes: map[string]string{},
 				},
 			},
@@ -571,7 +618,7 @@ func TestConvertDockerInspect(t *testing.T) {
 					},
 					Running: true,
 					Status:  "running",
-					Ports:   []codersdk.WorkspaceAgentListeningPort{},
+					Ports:   []codersdk.WorkspaceAgentDevcontainerPort{},
 					Volumes: map[string]string{},
 				},
 			},
@@ -590,11 +637,12 @@ func TestConvertDockerInspect(t *testing.T) {
 					},
 					Running: true,
 					Status:  "running",
-					Ports: []codersdk.WorkspaceAgentListeningPort{
+					Ports: []codersdk.WorkspaceAgentDevcontainerPort{
 						{
-							Network: "tcp",
-							// Container port 8080 is mapped to 32768 on the host.
-							Port: 32768,
+							Network:  "tcp",
+							Port:     8080,
+							HostPort: 32768,
+							HostIP:   "0.0.0.0",
 						},
 					},
 					Volumes: map[string]string{},
@@ -771,10 +819,13 @@ func fakeContainer(t *testing.T, mut ...func(*codersdk.WorkspaceAgentDevcontaine
 			testutil.GetRandomName(t): testutil.GetRandomName(t),
 		},
 		Running: true,
-		Ports: []codersdk.WorkspaceAgentListeningPort{
+		Ports: []codersdk.WorkspaceAgentDevcontainerPort{
 			{
-				Network: "tcp",
-				Port:    testutil.RandomPortNoListen(t),
+				Network:  "tcp",
+				Port:     testutil.RandomPortNoListen(t),
+				HostPort: testutil.RandomPortNoListen(t),
+				//nolint:gosec // this is a test
+				HostIP: []string{"127.0.0.1", "[::1]", "localhost", "0.0.0.0", "[::]", testutil.GetRandomName(t)}[rand.Intn(6)],
 			},
 		},
 		Status:  testutil.MustRandString(t, 10),
 
@@ -0,0 +1,51 @@
+[
+	{
+		"Id": "a",
+		"Created": "2025-03-11T17:56:34.842164541Z",
+		"State": {
+			"Running": true,
+			"ExitCode": 0,
+			"Error": ""
+		},
+		"Name": "/a",
+		"Mounts": [],
+		"Config": {
+			"Image": "debian:bookworm",
+			"Labels": {}
+		},
+		"NetworkSettings": {
+			"Ports": {
+				"8001/tcp": [
+					{
+						"HostIp": "0.0.0.0",
+						"HostPort": "8000"
+					}
+				]
+			}
+		}
+	},
+	{
+		"Id": "b",
+		"Created": "2025-03-11T17:56:34.842164541Z",
+		"State": {
+			"Running": true,
+			"ExitCode": 0,
+			"Error": ""
+		},
+		"Name": "/b",
+		"Config": {
+			"Image": "debian:bookworm",
+			"Labels": {}
+		},
+		"NetworkSettings": {
+			"Ports": {
+				"8001/tcp": [
+					{
+						"HostIp": "::",
+						"HostPort": "8000"
+					}
+				]
+			}
+		}
+	}
+]