common/libnetwork/internal/rootlessnetns: Remove CNI

lsm5 · lsm5 · commit 48e90252dccc · 2025-10-26T15:18:30.000-04:00
Signed-off-by: Lokesh Mandvekar &lt;lsm5@redhat.com&gt;
diff --git a/common/libnetwork/internal/rootlessnetns/netns.go b/common/libnetwork/internal/rootlessnetns/netns.go
@@ -4,5 +4,4 @@ type NetworkBackend int
 
 const (
 	Netavark NetworkBackend = iota
-	CNI
 )
diff --git a/common/libnetwork/internal/rootlessnetns/netns_linux.go b/common/libnetwork/internal/rootlessnetns/netns_linux.go
@@ -22,7 +22,6 @@ import (
 	"go.podman.io/common/pkg/netns"
 	"go.podman.io/common/pkg/systemd"
 	"go.podman.io/storage/pkg/fileutils"
-	"go.podman.io/storage/pkg/homedir"
 	"go.podman.io/storage/pkg/lockfile"
 	"golang.org/x/sys/unix"
 )
@@ -39,9 +38,6 @@ const (
 	// rootlessNetNsConnPidFile is the name of the rootless netns pasta pid file.
 	rootlessNetNsConnPidFile = "rootless-netns-conn.pid"
 
-	// persistentCNIDir is the directory where the CNI files are stored.
-	persistentCNIDir = "/var/lib/cni"
-
 	tmpfs          = "tmpfs"
 	none           = "none"
 	resolvConfName = "resolv.conf"
@@ -288,11 +284,9 @@ func (n *Netns) setupMounts() error {
 	// Because the plugins also need access to XDG_RUNTIME_DIR/netns some special setup is needed.
 
 	// The following bind mounts are needed
-	// 1. XDG_RUNTIME_DIR -> XDG_RUNTIME_DIR/rootless-netns/XDG_RUNTIME_DIR
-	// 2. /run/systemd -> XDG_RUNTIME_DIR/rootless-netns/run/systemd (only if it exists)
-	// 3. XDG_RUNTIME_DIR/rootless-netns/resolv.conf -> /etc/resolv.conf or XDG_RUNTIME_DIR/rootless-netns/run/symlink/target
-	// 4. XDG_RUNTIME_DIR/rootless-netns/var/lib/cni -> /var/lib/cni (if /var/lib/cni does not exist, use the parent dir)
-	// 5. XDG_RUNTIME_DIR/rootless-netns/run -> /run
+	// 1. /run/systemd -> XDG_RUNTIME_DIR/rootless-netns/run/systemd (only if it exists)
+	// 2. XDG_RUNTIME_DIR/rootless-netns/resolv.conf -> /etc/resolv.conf or XDG_RUNTIME_DIR/rootless-netns/run/symlink/target
+	// 3. XDG_RUNTIME_DIR/rootless-netns/run -> /run
 
 	// Create a new mount namespace,
 	// this must happen inside the netns thread.
@@ -313,19 +307,7 @@ func (n *Netns) setupMounts() error {
 		return wrapError("set mount propagation to slave in new mount namespace", err)
 	}
 
-	xdgRuntimeDir, err := homedir.GetRuntimeDir()
-	if err != nil {
-		return fmt.Errorf("could not get runtime directory: %w", err)
-	}
-	newXDGRuntimeDir := n.getPath(xdgRuntimeDir)
-	// 1. Mount the netns into the new run to keep them accessible.
-	// Otherwise cni setup will fail because it cannot access the netns files.
-	err = mountAndMkdirDest(xdgRuntimeDir, newXDGRuntimeDir, none, unix.MS_BIND|unix.MS_REC)
-	if err != nil {
-		return err
-	}
-
-	// 2. Also keep /run/systemd if it exists.
+	// 1. Also keep /run/systemd if it exists.
 	// Many files are symlinked into this dir, for example /dev/log.
 	runSystemd := "/run/systemd"
 	err = fileutils.Exists(runSystemd)
@@ -337,7 +319,7 @@ func (n *Netns) setupMounts() error {
 		}
 	}
 
-	// 3. On some distros /etc/resolv.conf is symlinked to somewhere under /run.
+	// 2. On some distros /etc/resolv.conf is symlinked to somewhere under /run.
 	// Because the kernel will follow the symlink before mounting, it is not
 	// possible to mount a file at /etc/resolv.conf. We have to ensure that
 	// the link target will be available in the mount ns.
@@ -435,14 +417,7 @@ func (n *Netns) setupMounts() error {
 		return wrapError(fmt.Sprintf("mount resolv.conf to %q", resolvePath), err)
 	}
 
-	// 4. CNI plugins need access to /var/lib/cni
-	if n.backend == CNI {
-		if err := n.mountCNIVarDir(); err != nil {
-			return err
-		}
-	}
-
-	// 5. Mount the new prepared run dir to /run, it has to be recursive to keep the other bind mounts.
+	// 3. Mount the new prepared run dir to /run, it has to be recursive to keep the other bind mounts.
 	runDir := n.getPath("run")
 	err = os.MkdirAll(runDir, 0o700)
 	if err != nil {
@@ -464,36 +439,6 @@ func (n *Netns) setupMounts() error {
 	return nil
 }
 
-func (n *Netns) mountCNIVarDir() error {
-	varDir := ""
-	varTarget := persistentCNIDir
-	// we can only mount to a target dir which exists, check /var/lib/cni recursively
-	// while we could always use /var there are cases where a user might store the cni
-	// configs under /var/custom and this would break
-	for {
-		if err := fileutils.Exists(varTarget); err == nil {
-			varDir = n.getPath(varTarget)
-			break
-		}
-		varTarget = filepath.Dir(varTarget)
-		if varTarget == "/" {
-			break
-		}
-	}
-	if varDir == "" {
-		return errors.New("failed to stat /var directory")
-	}
-	if err := os.MkdirAll(varDir, 0o700); err != nil {
-		return wrapError("create var dir", err)
-	}
-	// make sure to mount var first
-	err := unix.Mount(varDir, varTarget, none, unix.MS_BIND, "")
-	if err != nil {
-		return wrapError(fmt.Sprintf("mount %q to %q", varDir, varTarget), err)
-	}
-	return nil
-}
-
 func (n *Netns) runInner(toRun func() error, cleanup bool) (err error) {
 	nsRef, newNs, err := n.getOrCreateNetns()
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -4,5 +4,4 @@ type NetworkBackend int`
`4`	`4`
`5`	`5`	`const (`
`6`	`6`	`Netavark NetworkBackend = iota`
`7`		`- CNI`
`8`	`7`	`)`