On 2021-03-24 20:06, lejeczek via Podman wrote:
On 24/03/2021 15:24, Matt Heon wrote:
>On 2021-03-23 18:23, lejeczek via Podman wrote:
>>Hi guys.
>>
>>I suppose not since I see this:
>>
>>-> $ podman container start alpine
>>WARN[0000] Failed to add podman to systemd sandbox cgroup: dial
>>unix
>>/run/user/0/bus: connect: permission denied
>>ERRO[0000] error starting some container dependencies
>>ERRO[0000] "command rootless-cni-infra [alloc
>>ab3ff4b8851d42203b745987183c5b0c9255be3a127c488550c7d9305dcff3a2
>>host_for-cni chatter-drunk 10.0.2.26 ] in container
>>f086e66e64767efbac7aded808e1dcd18b27a203a0f1e2a1b711137706ba64c4
>>failed with status 1, stdout=\"\", stderr=\"Link not found\\n\""
>>Error: unable to start container
>>"e65d59606f8fbb83165911de31c9977776e341bfc620e132e94e6c30c37fc6be":
>>error starting some containers: internal libpod error
>>
>>unless it's a bug of some sort, but if limitation by design - is it
>>possible to overcome/tweak it and have a "regular" user create and use
>>macvlan network such as here:
>>
>
>Unfortunately, no. Rootless users don't have sufficient permissions to
>use a conventional network stack. While we are not allowing CNI with
>rootless Podman, this is for internal bridge networks only - it's
>still entirely segregated from the host's network interfaces.
>
>Thanks,
>Matt Heon
Thanks for clarifying - I do not suppose that is something that would
change in the future?
Unlikely. There has been talk about using lxc-user-nic, a setuid
binary, to do some rootless network setup, which would give us some
elevated privileges; but even then, macvlan is not workable.
And that also goes for "portmap" (the network rootless podman creates by
default) - when rootful, where there is a "gateway", it will create a
'cni-podman0' iface whereas rootless does not, for it is not capable,
which is by design - right?
Rootless containers joining CNI networks will have a network created,
but it's only for communicating with other rootless containers - the
host can't see it.
This is something that lxc-user-nic might be able to help with, though.
Thanks,
Matt Heon
many thanks, L
>
>>{
>>  "cniVersion": "0.4.0",
>>  "name": "host_for-cni",
>>  "plugins": [
>>    {
>>      "ipam": {
>>        "ranges": [
>>          [
>>            {
>>              "gateway": "10.0.2.254",
>>              "rangeEnd": "10.0.2.254",
>>              "rangeStart": "10.0.2.2",
>>              "subnet": "10.0.2.0/24"
>>            }
>>          ]
>>        ],
>>        "routes": [
>>          {
>>            "dst": "0.0.0.0/0"
>>          }
>>        ],
>>        "type": "host-local"
>>      },
>>      "master": "eth3",
>>      "type": "macvlan"
>>    },
>>    {
>>      "capabilities": {
>>        "mac": true
>>      },
>>      "type": "tuning"
>>    }
>>  ]
>>}
>>
>>many thanks, L.
>>_______________________________________________
>>Podman mailing list -- podman(a)lists.podman.io
>>To unsubscribe send an email to podman-leave(a)lists.podman.io
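An added example that is not part of the thread and not Podman's own code: a small checker that parses a CNI conflist like the one quoted above and flags plugins that attach to a host interface (macvlan and friends), which, as Matt explains, cannot work under rootless Podman. The set of host-interface plugins and both sample configs are this example's own assumptions, constructed for illustration.

```python
"""Lint a CNI conflist for rootless Podman compatibility (added example,
not Podman code). Rootless Podman has no privileges in the host network
namespace, so plugins that attach to a host interface can only run rootful.
The plugin set below is this example's assumption, not a list Podman publishes."""
import json

HOST_IFACE_PLUGINS = {"macvlan", "ipvlan", "vlan", "host-device"}

# Constructed sample, modelled on the conflist quoted in the thread above.
SAMPLE_MACVLAN = """{
  "cniVersion": "0.4.0", "name": "host_for-cni",
  "plugins": [
    {"type": "macvlan", "master": "eth3",
     "ipam": {"type": "host-local",
              "ranges": [[{"subnet": "10.0.2.0/24", "rangeStart": "10.0.2.2",
                           "rangeEnd": "10.0.2.254", "gateway": "10.0.2.254"}]],
              "routes": [{"dst": "0.0.0.0/0"}]}},
    {"type": "tuning", "capabilities": {"mac": true}}
  ]
}"""
# Constructed rootless-style config: an internal bridge that only other
# rootless containers of the same user can reach; the host cannot see it.
SAMPLE_BRIDGE = """{
  "cniVersion": "0.4.0", "name": "internal",
  "plugins": [
    {"type": "bridge", "bridge": "cni-podman1", "isGateway": true,
     "ipam": {"type": "host-local", "ranges": [[{"subnet": "10.89.1.0/24"}]]}},
    {"type": "portmap", "capabilities": {"portMappings": true}}
  ]
}"""


def lint_conflist(text):
    """Return one finding per plugin that cannot work under rootless Podman."""
    cfg = json.loads(text)
    plugins = cfg.get("plugins", [cfg])  # a single-plugin .conf has no list
    findings = []
    for plugin in plugins:
        ptype = plugin.get("type")
        if ptype in HOST_IFACE_PLUGINS:
            master = plugin.get("master", "<unset>")
            findings.append(f"network '{cfg.get('name')}': plugin '{ptype}' "
                            f"attaches to host interface '{master}'; rootful only")
    return findings


def rootless_compatible(text):
    """True when no plugin in the config needs host interface access."""
    return not lint_conflist(text)
```

Run `lint_conflist` over the files in a user's CNI config directory to see, before `podman container start` fails with "Link not found", which networks will only ever work rootful.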