Paul,
Unfortunately it does not work for me.
podman network create mynet
/home/gerben/.config/cni/net.d/mynet.conflist

podman network ls
NETWORK ID    NAME           VERSION  PLUGINS
2f259bab93aa  podman         0.4.0    bridge,portmap,firewall,tuning
6129a34887d3  container-net  0.4.0    bridge,portmap,firewall,tuning,dnsname
11c844f95e28  mynet          0.4.0    bridge,portmap,firewall,tuning,dnsname
9bec7ea8f70e  nextcloud-net  0.4.0    bridge,portmap,firewall,tuning,dnsname

gerben@galadriel:~> podman run --rm --network mynet alpine wget -O- google.com
wget: bad address 'google.com'

podman --version
podman version 3.3.1
I'd be happy to submit a bug report. However, before doing so, I'd like to
be sure the error is not on my side. I am not on a RedHat distribution. For
me it is MicroOS from openSUSE. As you can see I am not on 3.4.0 yet,
however I do not know if I absolutely need that version for my
use-case to work.
When using slirp4netns then at least the ping and wget do work. For example:

podman run --rm --network slirp4netns alpine ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=255 time=11.148 ms
64 bytes from 8.8.8.8: seq=1 ttl=255 time=10.746 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 10.746/10.947/11.148 ms
The way I interpret this is that from my host perspective ping and wget do
have all necessary privileges. My assumptions might be wrong of course.
What could I do to debug this further?
Best Regards,
Gerben
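A small POSIX sh helper, added here and not part of the thread, that checks the two prerequisites the replies below point at: whether one of the user's groups falls inside net.ipv4.ping_group_range, and whether /etc/subuid and /etc/subgid grant the user enough sub-IDs. The sample values are constructed from the figures quoted in the thread, and the 65536 sub-ID threshold in check_host is an assumption; check_host performs the live checks on a real host.

```shell
# Added helper (not from the thread): checks the rootless prerequisites the
# replies discuss, ping_group_range and /etc/subuid, /etc/subgid, on
# constructed sample input; check_host runs the same checks on this host.

# Succeed if GID $2 lies in the range given by $1, either a full sysctl line
# ("net.ipv4.ping_group_range = 0 2147483647") or just "0 2147483647".
# The kernel default "1 0" is an empty range: no unprivileged ICMP sockets.
gid_in_ping_range() {
    _gid=$2
    _range=${1#*=}        # drop everything up to and including "="
    set -- $_range        # word-split into low and high bound
    [ "$#" -eq 2 ] || return 1
    [ "$1" -le "$_gid" ] && [ "$_gid" -le "$2" ]
}

# Print how many sub-IDs the "user:start:count" lines in $1 grant to user $2.
subid_count() {
    _n=0
    while IFS=: read -r _user _start _count; do
        if [ "$_user" = "$2" ] && [ -n "$_count" ]; then
            _n=$((_n + _count))
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$_n"
}

# Live check of the current host; returns 1 if any prerequisite fails.
# 65536 is the usual per-user allocation (assumption), not a kernel rule.
check_host() {
    _ok=0
    _range=$(sysctl -n net.ipv4.ping_group_range)
    for _g in $(id -G); do
        gid_in_ping_range "$_range" "$_g" && _ok=1
    done
    [ "$_ok" -eq 1 ] || echo "no group of $(id -un) is in ping_group_range ($_range)" >&2
    for _f in /etc/subuid /etc/subgid; do
        _c=$(subid_count "$(cat "$_f")" "$(id -un)")
        [ "$_c" -ge 65536 ] || { echo "$_f grants only $_c ids to $(id -un)" >&2; _ok=0; }
    done
    [ "$_ok" -eq 1 ]
}

# Constructed sample input mirroring the values quoted in the thread.
SAMPLE_RANGE='net.ipv4.ping_group_range = 0 2147483647'
SAMPLE_SUBUID='dockremap:100000000:100000001
gerben:1000000:65536'
[ "${1:-}" = "--host" ] && check_host
gid_in_ping_range "$SAMPLE_RANGE" 1000 && echo "gid 1000 may open ICMP echo sockets"
echo "gerben has $(subid_count "$SAMPLE_SUBUID" gerben) sub-UIDs"
```

Note that BusyBox wget prints "bad address" when the host name cannot be resolved, so the wget failure in the mynet network is a DNS symptom that these two checks do not cover.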
On Mon, 25 Oct 2021 at 15:00, Paul Holzinger <pholzing(a)redhat.com> wrote:
Gerben,
your use case should already work. Only ping needs extra privileges to
send ICMP packets.
A simple `podman network create mynet` and
`podman run --rm --network mynet alpine wget -O- google.com` should work.
If it does not work please report a bug.
Paul
On Thu, Oct 21, 2021 at 9:32 PM Gerben Venekamp <venekamp(a)gmail.com> wrote:
> Great to hear that the podman team is looking into improving rootless
> networking. I think it would be great to be able to run services in
> rootless containers and have both container-to-container and external
> networking available at the same time. In case of a compromised container
> the attacker does not have root privileges automatically.
>
> With regard to your comment, I should have mentioned that I have already
> set the ping_group_range to '0 $MAX_UID':
>
> > sudo sysctl net.ipv4.ping_group_range
> net.ipv4.ping_group_range = 0 2147483647
>
> As for both /etc/subuid and /etc/subgid, this is what I have got:
> > cat /etc/subuid
> dockremap:100000000:100000001
> gerben:1000000:65536
>
> > cat /etc/subgid
> dockremap:100000000:100000001
> gerben:1000000:65536
>
> I have also started to look into Rudolf's workaround:
>
> https://lists.podman.io/archives/list/podman@lists.podman.io/thread/W6MCY...
> This sets up networking outside the context of podman. It does work, but
> it needs root privileges of course. Personally I don't mind the root
> privileges for setting up the network namespace. Doing it by hand however
> is not a very good user experience and it does go against the 'no need for
> root' philosophy. I haven't figured out how to do this in a better way other
> than adding a switch to podman that calls out to a suid network
> configuration executable. This executable would configure the container
> network namespace before the container actually runs. Podman cannot do this
> on its own as it is run without elevated privileges and hence needs some
> helper executable that has the suid bit set.
>
> Looking forward to testing with what the podman team has figured out.
> Will it be available in podman 4.0 early next year?
>
> Best Regards,
> Gerben
>
>
> On Thu, 21 Oct 2021 at 19:44, Scott McCarty <smccarty(a)redhat.com> wrote:
>
>> Gerben,
>> I "think" we figured out the problem. A bunch of us on the podman
>> team started hacking on it (thanks to Matt, Nalin, Matt, Brent, etc). I
>> think we have a work around for now. We're still determining the longer
>> term solution. I commented in the Stackoverflow, but copying here for ease:
>>
>> ======================================================================
>> I just tried this on RHEL 8 and I was able to reproduce this issue. We
>> also figured out the issue (I think). Try the following:
>>
>> sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"
>>
>> You might be being limited by the group range and /etc/subuid
>> /etc/subgid:
>>
>> https://man7.org/linux/man-pages/man7/icmp.7.html
>>
>> I'm not sure what the long term solution is yet, but if this works, you
>> can likely fix it with sysctl for now.
>>
>> ======================================================================
>>
>> Best Regards
>> Scott M
>>
>> On Wed, Oct 20, 2021 at 2:12 PM Gerben Venekamp <venekamp(a)gmail.com> wrote:
>>
>>> I am trying to setup networking in rootless containers. What I would
>>> like to have is both internal, i.e. container to container, and external,
>>> e.g. ping 8.8.8.8, inside a single container. I get internal working as
>>> well as external, however never both at the same time within a single
>>> container. I have raised this question on stackoverflow as well. The
>>> question on stackoverflow can be found at:
>>>
>>> https://stackoverflow.com/questions/69636101/how-to-setup-internal-and-ex...
>>>
>>> Regards,
>>> Gerben
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>>>