Great to hear that the podman team is looking into improving rootless networking. I think it would be great to be able to run services in rootless containers and have both container-to-container and external networking available at the same time. In case of a compromised container, the attacker does not automatically have root privileges.
With regard to your comment, I should have mentioned that I have already set the ping_group_range to '0 $MAX_UID':
> sudo sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 0 2147483647
As for both /etc/subuid and /etc/subgid, this is what I have got:
> cat /etc/subuid
> cat /etc/subgid
This sets up networking outside the context of podman. It does work, but it needs root privileges, of course. Personally, I don't mind the root privileges for setting up the network namespace. Doing it by hand, however, is not a very good user experience, and it does go against the 'no need for root' philosophy. I haven't figured out a better way to do this than adding a switch to podman that calls out to a suid network configuration executable. This executable would configure the container network namespace before the container actually runs. Podman cannot do this on its own, as it is run without elevated privileges, and hence needs some helper executable that has the suid bit set.
Looking forward to testing with what the podman team has figured out. Will it be available in podman 4.0 early next year?
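The comment above checks two prerequisites for rootless networking by hand: that the user's group falls inside net.ipv4.ping_group_range, and that /etc/subuid and /etc/subgid allocate a sub-ID range to the user. The script below is an added example, not code from the thread or from the podman project; it performs both checks as functions that take their input as strings, so they can be run against constructed samples (embedded here) or against the live system via the check_live function. The user name, GID and sub-ID ranges in the sample data are constructed, and the 65536-ID minimum used in check_live is an assumption about what a typical rootless setup needs, not a podman requirement taken from the page.

```shell
#!/bin/sh
# Added example: validate the sysctl and sub-ID prerequisites discussed
# in the thread. Not podman code; sample data below is constructed.

# gid_in_ping_range GID "LOW HIGH"
# Returns 0 when LOW <= GID <= HIGH, i.e. when processes in group GID may
# open unprivileged ICMP sockets. The kernel default "1 0" is an empty
# range, which disables this for every group.
gid_in_ping_range() {
    gid=$1
    low=$(printf '%s\n' "$2" | awk '{print $1}')
    high=$(printf '%s\n' "$2" | awk '{print $2}')
    [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# subid_count USER FILE_CONTENT
# Prints the total number of sub-IDs allocated to USER, summing the COUNT
# field of every matching "USER:START:COUNT" line (0 if there is none).
subid_count() {
    user=$1
    printf '%s\n' "$2" | awk -F: -v u="$user" '$1 == u { s += $3 } END { print s + 0 }'
}

# Constructed samples (hypothetical user "alice", GID 1000):
SAMPLE_PING_RANGE="0 2147483647"          # as set in the thread
SAMPLE_PING_DEFAULT="1 0"                 # kernel default: nobody may ping
SAMPLE_SUBUID="alice:100000:65536
bob:165536:65536"
SAMPLE_SUBGID="alice:100000:65536"
SAMPLE_SUBUID_MISSING="bob:165536:65536"

# Live check against the running system; returns 0 only when both
# prerequisites hold for the invoking user. The 65536 threshold is an
# assumption about a reasonable minimum, not a value from the thread.
check_live() {
    min_ids=65536
    user=$(id -un)
    gid=$(id -g)
    range=$(cat /proc/sys/net/ipv4/ping_group_range)
    ok=0
    if gid_in_ping_range "$gid" "$range"; then
        echo "ping_group_range '$range' covers GID $gid"
    else
        echo "ping_group_range '$range' does NOT cover GID $gid"; ok=1
    fi
    for f in /etc/subuid /etc/subgid; do
        n=$(subid_count "$user" "$(cat "$f")")
        if [ "$n" -ge "$min_ids" ]; then
            echo "$f: $n IDs for $user"
        else
            echo "$f: only $n IDs for $user (want >= $min_ids)"; ok=1
        fi
    done
    return "$ok"
}

# Run the live check only when explicitly requested, e.g.
#   CHECK_LIVE=1 sh rootless-prereqs.sh
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    check_live
fi
```

Run with CHECK_LIVE=1 on the host to report whether the current user meets both prerequisites; the functions themselves only parse the strings they are given, so they can be exercised against the constructed samples without touching /proc or /etc.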