Great to hear that the podman team is looking into improving rootless networking. I think it would be great to be able to run services in rootless containers and have both container-to-container and external networking available at the same time. In case of a compromised container the attacker does not have root privileges automatically.

With regard to your comment, I should have mentioned that I already have set the ping_group_range to '0 $MAX_UID':

> sudo sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 0 2147483647

As for both /etc/subuid and /etc/subgid, this is what I have got:
> cat /etc/subuid
dockremap:100000000:100000001
gerben:1000000:65536

> cat /etc/subgid
dockremap:100000000:100000001
gerben:1000000:65536

I have also started to look into Rudolf's workaround: https://lists.podman.io/archives/list/podman@lists.podman.io/thread/W6MCYO6RY5YFRTSUDAOEZA7SC2EFXRZE/
This sets up networking outside the context of podman. It does work, but it needs root privileges of course. Personally I don't mind the root privileges for setting up the network namespace. Doing it by hand however is not a very good user experience and it does go against the 'no need for root' philosophy. Haven't figured out how to do this in a better way other than adding a switch to podman that is a call out to a suid network configuration executable. This executable would configure the container network namespace before the container actually runs. Podman cannot do this on its own as it is run without elevated privileges and hence some helper function that has set the suid bit.

Looking forward to testing with what the podman team has figured out. Will it be available in podman 4.0 early next year?

Best Regards,
Gerben


On Thu, 21 Oct 2021 at 19:44, Scott McCarty <smccarty@redhat.com> wrote:
Gerben,
     I "think" we figured out the problem. A bunch of us on the podman team started hacking on it (thanks to Matt, Nalin, Matt, Brent, etc). I think we have a work around for now. We're still determining the longer term solution. I commented in the Stackoverflow, but copying here for ease:

=========================================================================================
I just tried this on RHEL 8 and I was able to reproduce this issue. We also figured out the issue (I think). Try the following:

sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"

You might be being limited by the group range and /etc/subuid /etc/subgid:

https://man7.org/linux/man-pages/man7/icmp.7.html

I'm not sure what the long term solution is yet, but if this works, you can likely fix it with sysctl for now.

=========================================================================================

Best Regards
Scott M

On Wed, Oct 20, 2021 at 2:12 PM Gerben Venekamp <venekamp@gmail.com> wrote:
I am trying to setup networking in rootless containers. What I would like to have is both internal, i.e. container to container, and external, e.g. ping 8.8.8.8, inside a single container. I get internal working as well as external, however never both at the same time within a single container. I have raised this question on stackoverflow as well. The question on stackoverflow can be found at: https://stackoverflow.com/questions/69636101/how-to-setup-internal-and-external-networking-for-rootless-containers-with-podma

Regards,
Gerben
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io


-- 
--
18 ways to differentiate open source products from upstream suppliers: https://opensource.com/article/21/2/differentiating-products-upstream-suppliers 
--
Scott McCarty
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty@redhat.com
Phone: 312-660-3535
Cell: 330-807-1043
Web: http://crunchtools.com