common: no slirp for podman6

common/docs/containers.conf.5.md

@@ -298,9 +298,9 @@ Logging driver for the container. Currently available options are k8s-file, jour
 
 **log_path**=""
 
-Default path for container logs to be stored in. When empty, logs will be stored 
+Default path for container logs to be stored in. When empty, logs will be stored
 in the container's default storage and removed when the container is removed.
-A subdirectory named with the container ID will be created under the specified 
+A subdirectory named with the container ID will be created under the specified
 path, and the log file will have the default name `ctr.log` within that directory.
 This option can be overridden by the `--log-opt` flag.
 
@@ -495,8 +495,8 @@ default_subnet_pools = [
 
 **default_rootless_network_cmd**="pasta"
 
-Configure which rootless network program to use by default. Valid options are
-`slirp4netns` and `pasta` (default).
+Configure which rootless network program to use by default. Only current valid option is
+`pasta` (default).
 
 **network_config_dir**="/etc/cni/net.d/"
 
@@ -675,7 +675,6 @@ The following binaries are searched in these directories:
  - catatonit
  - netavark
  - pasta
- - slirp4netns
 
 Podman machine uses it for these binaries:
  - gvproxy
@@ -776,28 +775,6 @@ create new containers and pods in that namespace. The default namespace is "",
 which corresponds to no namespace. When no namespace is set, all containers
 and pods are visible.
 
-**network_cmd_path**=""
-
-Path to the slirp4netns binary.
-
-**network_cmd_options**=[]
-
-Default options to pass to the slirp4netns binary.
-
-Valid options values are:
-
-  - **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). Default is false.
-  - **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`).
-  - **cidr=CIDR**: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
-  - **enable_ipv6=true|false**: Enable IPv6. Default is true. (Required for `outbound_addr6`).
-  - **outbound_addr=INTERFACE**: Specify the outbound interface slirp should bind to (ipv4 traffic only).
-  - **outbound_addr=IPv4**: Specify the outbound ipv4 address slirp should bind to.
-  - **outbound_addr6=INTERFACE**: Specify the outbound interface slirp should bind to (ipv6 traffic only).
-  - **outbound_addr6=IPv6**: Specify the outbound ipv6 address slirp should bind to.
-  - **port_handler=rootlesskit**: Use rootlesskit for port forwarding. Default.
-  Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container network namespace, usually `10.0.2.100`. If your application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks.
-  - **port_handler=slirp4netns**: Use the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks.
-
 **no_pivot_root**=false
 
 Whether to use chroot instead of pivot_root in the runtime.

common/libnetwork/internal/rootlessnetns/netns_linux.go

@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"io/fs"
-	"net"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -18,7 +17,6 @@ import (
 	"github.com/sirupsen/logrus"
 	"go.podman.io/common/libnetwork/pasta"
 	"go.podman.io/common/libnetwork/resolvconf"
-	"go.podman.io/common/libnetwork/slirp4netns"
 	"go.podman.io/common/libnetwork/types"
 	"go.podman.io/common/pkg/config"
 	"go.podman.io/common/pkg/netns"
@@ -38,7 +36,7 @@ const (
 	// infoCacheFile file name for the cache file used to store the rootless netns info.
 	infoCacheFile = "info.json"
 
-	// rootlessNetNsConnPidFile is the name of the rootless netns slirp4netns/pasta pid file.
+	// rootlessNetNsConnPidFile is the name of the rootless netns pasta pid file.
 	rootlessNetNsConnPidFile = "rootless-netns-conn.pid"
 
 	// persistentCNIDir is the directory where the CNI files are stored.
@@ -114,7 +112,7 @@ func (n *Netns) getOrCreateNetns() (ns.NetNS, bool, error) {
 		pidPath := n.getPath(rootlessNetNsConnPidFile)
 		pid, err := readPidFile(pidPath)
 		if err == nil {
-			// quick check if pasta/slirp4netns are still running
+			// quick check if pasta is still running
 			err := unix.Kill(pid, 0)
 			if err == nil {
 				if err := n.deserializeInfo(); err != nil {
@@ -156,14 +154,12 @@ func (n *Netns) getOrCreateNetns() (ns.NetNS, bool, error) {
 		}
 	}
 	switch strings.ToLower(n.config.Network.DefaultRootlessNetworkCmd) {
-	case "", slirp4netns.BinaryName:
-		err = n.setupSlirp4netns(nsPath)
-	case pasta.BinaryName:
+	case "", pasta.BinaryName:
 		err = n.setupPasta(nsPath)
 	default:
 		err = fmt.Errorf("invalid rootless network command %q", n.config.Network.DefaultRootlessNetworkCmd)
 	}
-	// If pasta or slirp4netns fail here we need to get rid of the netns again to not leak it,
+	// If pasta fails here we need to get rid of the netns again to not leak it,
 	// otherwise the next command thinks the netns was successfully setup.
 	if err != nil {
 		if nerr := netns.UnmountNS(nsPath); nerr != nil {
@@ -222,7 +218,7 @@ func (n *Netns) setupPasta(nsPath string) error {
 			return fmt.Errorf("unable to decode pasta PID: %w", err)
 		}
 
-		if err := systemd.MoveRootlessNetnsSlirpProcessToUserSlice(pid); err != nil {
+		if err := systemd.MoveRootlessNetnsProcessToUserSlice(pid); err != nil {
 			// only log this, it is not fatal but can lead to issues when running podman inside systemd units
 			logrus.Errorf("failed to move the rootless netns pasta process to the systemd user.slice: %v", err)
 		}
@@ -253,68 +249,6 @@ func (n *Netns) setupPasta(nsPath string) error {
 	return nil
 }
 
-func (n *Netns) setupSlirp4netns(nsPath string) error {
-	res, err := slirp4netns.Setup(&slirp4netns.SetupOptions{
-		Config:      n.config,
-		ContainerID: "rootless-netns",
-		Netns:       nsPath,
-	})
-	if err != nil {
-		return wrapError("start slirp4netns", err)
-	}
-	// create pid file for the slirp4netns process
-	// this is need to kill the process in the cleanup
-	pid := strconv.Itoa(res.Pid)
-	err = os.WriteFile(n.getPath(rootlessNetNsConnPidFile), []byte(pid), 0o600)
-	if err != nil {
-		return wrapError("write slirp4netns pid file", err)
-	}
-
-	if systemd.RunsOnSystemd() {
-		// move to systemd scope to prevent systemd from killing it
-		err = systemd.MoveRootlessNetnsSlirpProcessToUserSlice(res.Pid)
-		if err != nil {
-			// only log this, it is not fatal but can lead to issues when running podman inside systemd units
-			logrus.Errorf("failed to move the rootless netns slirp4netns process to the systemd user.slice: %v", err)
-		}
-	}
-
-	// build a new resolv.conf file which uses the slirp4netns dns server address
-	resolveIP, err := slirp4netns.GetDNS(res.Subnet)
-	if err != nil {
-		return wrapError("determine default slirp4netns DNS address", err)
-	}
-	nameservers := []string{resolveIP.String()}
-
-	netnsIP, err := slirp4netns.GetIP(res.Subnet)
-	if err != nil {
-		return wrapError("determine default slirp4netns ip address", err)
-	}
-
-	if err := resolvconf.New(&resolvconf.Params{
-		Path: n.getPath(resolvConfName),
-		// fake the netns since we want to filter localhost
-		Namespaces: []specs.LinuxNamespace{
-			{Type: specs.NetworkNamespace},
-		},
-		IPv6Enabled:     res.IPv6,
-		KeepHostServers: true,
-		Nameservers:     nameservers,
-	}); err != nil {
-		return wrapError("create resolv.conf", err)
-	}
-
-	n.info = &types.RootlessNetnsInfo{
-		IPAddresses:   []net.IP{*netnsIP},
-		DnsForwardIps: nameservers,
-	}
-	if err := n.serializeInfo(); err != nil {
-		return wrapError("serialize info", err)
-	}
-
-	return nil
-}
-
 func (n *Netns) cleanupRootlessNetns() error {
 	pidFile := n.getPath(rootlessNetNsConnPidFile)
 	pid, err := readPidFile(pidFile)
@@ -324,7 +258,7 @@ func (n *Netns) cleanupRootlessNetns() error {
 		return nil
 	}
 	if err == nil {
-		// kill the slirp/pasta process so we do not leak it
+		// kill the pasta process so we do not leak it
 		err = unix.Kill(pid, unix.SIGTERM)
 		if err == unix.ESRCH {
 			err = nil