[Podman] Re: How to setup internal and external networking for rootless containers with podman

Gerben, Have you tried rebooting? The rootless network logic is not super robust, it is possible that some tmp files were not removed correctly or the special slirp4netns process for rootless networking died somehow. A reboot should fix this. If it still does not work, please check if `podman unshare --rootless-cni cat /etc/resolv.conf` and `podman unshare --rootless-cni ping 8.8.8.8` works. Paul On Mon, Oct 25, 2021 at 4:55 PM Gerben Venekamp <venekamp(a)gmail.com&gt; wrote: > Paul, > > Unfortunately it does not work for me. > > > podman network create mynet > /home/gerben/.config/cni/net.d/mynet.conflist > > podman network ls > NETWORK ID NAME VERSION PLUGINS > 2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning > 6129a34887d3 container-net 0.4.0 > bridge,portmap,firewall,tuning,dnsname > 11c844f95e28 mynet 0.4.0 > bridge,portmap,firewall,tuning,dnsname > 9bec7ea8f70e nextcloud-net 0.4.0 > bridge,portmap,firewall,tuning,dnsname > gerben@galadriel:~> podman run --rm --network mynet alpine wget -O- > google.com > wget: bad address 'google.com' > > podman --version > podman version 3.3.1 > > I'd be happy to submit a bug report. However, before doing so, I'd like > to be sure the error is not on my side. I am not on a RedHat distribution. > For me it is MicroOS from openSUSE. As you can see I am not on 3.4.0 yet, > however I do not know if I need absolutely need that version for my > use-case to work. > > When using slirp4netns than at least the ping and wget do work. For > example: > > > podman run --rm --network slirp4netns alpine ping 8.8.8.8 > PING 8.8.8.8 (8.8.8.8): 56 data bytes > 64 bytes from 8.8.8.8: seq=0 ttl=255 time=11.148 ms > 64 bytes from 8.8.8.8: seq=1 ttl=255 time=10.746 ms > ^C > --- 8.8.8.8 ping statistics --- > 2 packets transmitted, 2 packets received, 0% packet loss > round-trip min/avg/max = 10.746/10.947/11.148 ms > > The way I interpret this is that from my host perspective ping and wget > do have all necessary privileges. My assumptions might be wrong of course. > What could I do to debug this further? > > Best Regards, > Gerben > > On Mon, 25 Oct 2021 at 15:00, Paul Holzinger <pholzing(a)redhat.com&gt; wrote: > >> Gerben, >> >> your use case should already work. Only ping needs extra privileges to >> send ICMP packages. >> >> A simple `podman network create mynet` and `podman run --rm --network >> mynet alpine wget -O- google.com` should work. If it does not work >> please report a bug. >> >> Paul >> >> >> On Thu, Oct 21, 2021 at 9:32 PM Gerben Venekamp <venekamp(a)gmail.com&gt; >> wrote: >> >>> Great to hear that the podman team is looking into improving rootless >>> networking. I think it would be great to be able to run services in >>> rootless containers and have both container-to-container and external >>> networking available at the same time. In case of a compromised container >>> the attacker does not have root privileges automatically. >>> >>> With regard to your comment, I should have mentioned that I already >>> have set the ping_group_range to '0 $MAX_UID': >>> >>> > sudo sysctl net.ipv4.ping_group_range >>> net.ipv4.ping_group_range = 0 2147483647 >>> >>> As for both /etc/subuid and /etc/subgid, this is what I have got: >>> > cat /etc/subuid >>> dockremap:100000000:100000001 >>> gerben:1000000:65536 >>> >>> > cat /etc/subgid >>> dockremap:100000000:100000001 >>> gerben:1000000:65536 >>> >>> I have also started to look into Rudolf's workaround: >>> https://lists.podman.io/archives/list/podman@lists.podman.io/thread/W6MCY... >>> This sets up networking outside the context of podman. It does work, >>> but it needs root privileges of course. Personally I don't mind the root >>> privileges for setting up the network namespace. Doing it by hand however >>> is not a very good user experience and it does go against the 'no need for >>> root' philosophy. Haven't figured out how to do this in a better way other >>> than adding a switch to podman that is a call out to a suid network >>> configuration executable. This executable would configure the container >>> network namespace before the container actually runs. Podman cannot do this >>> on its own as it is run without elevated privileges and hence some helper >>> function that has set the suid bit. >>> >>> Looking forward to testing with what the podman team has figured out. >>> Will it be available in podman 4.0 early next year? >>> >>> Best Regards, >>> Gerben >>> >>> >>> On Thu, 21 Oct 2021 at 19:44, Scott McCarty <smccarty(a)redhat.com&gt; >>> wrote: >>> >>>> Gerben, >>>> I "think" we figured out the problem. A bunch of us on the podman >>>> team started hacking on it (thanks to Matt, Nalin, Matt, Brent, etc). I >>>> think we have a work around for now. We're still determining the longer >>>> term solution. I commented in the Stackoverflow, but copying here for ease: >>>> >>>> >>>> ========================================================================================= >>>> I just tried this on RHEL 8 and I was able to reproduce this issue. We >>>> also figured out the issue (I think). Try the following: >>>> >>>> sudo sysctl -w net.ipv4.ping_group_range="0 2147483647" >>>> >>>> You might be being limited by the group range and /etc/subuid >>>> /etc/subgid: >>>> >>>> https://man7.org/linux/man-pages/man7/icmp.7.html >>>> >>>> I'm not sure what the long term solution is yet, but if this works, >>>> you can likely fix it with sysctl for now. >>>> >>>> ========================================================================================= >>>> >>>> Best Regards >>>> Scott M >>>> >>>> On Wed, Oct 20, 2021 at 2:12 PM Gerben Venekamp <venekamp(a)gmail.com&gt; >>>> wrote: >>>> >>>>> I am trying to setup networking in rootless containers. What I would >>>>> like to have is both internal, i.e. container to container, and external, >>>>> e.g. ping 8.8.8.8, inside a single container. I get internal working as >>>>> well as external, however never both at the same time within a single >>>>> container. I have raised this question on stackoverflow as well. The >>>>> question on stackoverflow can be found at: >>>>> https://stackoverflow.com/questions/69636101/how-to-setup-internal-and-ex... >>>>> >>>>> Regards, >>>>> Gerben >>>>> _______________________________________________ >>>>> Podman mailing list -- podman(a)lists.podman.io >>>>> To unsubscribe send an email to podman-leave(a)lists.podman.io >>>>> >>>> >>>> >>>> -- >>>> >>>> -- >>>> >>>> 18 ways to differentiate open source products from upstream suppliers: https://opensource.com/article/21/2/differentiating-products-upstream-sup... >>>> -- >>>> >>>> Scott McCarty >>>> Product Management - Containers, Red Hat Enterprise Linux & OpenShift >>>> Email: smccarty(a)redhat.com >>>> Phone: 312-660-3535 >>>> Cell: 330-807-1043 >>>> Web: http://crunchtools.com >>>> >>>> _______________________________________________ >>> Podman mailing list -- podman(a)lists.podman.io >>> To unsubscribe send an email to podman-leave(a)lists.podman.io >>> >>