libpod/: Remove slirp

lsm5 · lsm5 · commit 2c435a0e3379 · 2025-11-21T14:08:25.000-05:00
Signed-off-by: Lokesh Mandvekar &lt;lsm5@redhat.com&gt;
diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go
@@ -125,7 +125,6 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities
 
 	maybeMoveToSubCgroup()
 
-	maybeStartServiceReaper()
 	infra.StartWatcher(libpodRuntime)
 	server, err := api.NewServerWithSettings(libpodRuntime, listener, opts)
 	if err != nil {
diff --git a/cmd/podman/system/service_abi_linux.go b/cmd/podman/system/service_abi_linux.go
@@ -5,14 +5,8 @@ package system
 import (
 	"github.com/sirupsen/logrus"
 	"go.podman.io/common/pkg/cgroups"
-	"go.podman.io/common/pkg/servicereaper"
 )
 
-// Currently, we only need servicereaper on Linux to support slirp4netns.
-func maybeStartServiceReaper() {
-	servicereaper.Start()
-}
-
 func maybeMoveToSubCgroup() {
 	if err := cgroups.MaybeMoveToSubCgroup(); err != nil {
 		// it is a best effort operation, so just print the
diff --git a/libpod/container.go b/libpod/container.go
@@ -107,9 +107,6 @@ type Container struct {
 	runtime    *Runtime
 	ociRuntime OCIRuntime
 
-	rootlessSlirpSyncR *os.File
-	rootlessSlirpSyncW *os.File
-
 	rootlessPortSyncR *os.File
 	rootlessPortSyncW *os.File
 
@@ -126,8 +123,7 @@ type Container struct {
 	// This is true if a container is restored from a checkpoint.
 	restoreFromCheckpoint bool
 
-	slirp4netnsSubnet *net.IPNet
-	pastaResult       *pasta.SetupResult
+	pastaResult *pasta.SetupResult
 }
 
 // ContainerState contains the current state of the container
diff --git a/libpod/container_api.go b/libpod/container_api.go
@@ -928,7 +928,7 @@ func (c *Container) Sync() error {
 // reloaded, and existing rules have been wiped out. It is expected that some
 // downtime will result, as the rules are destroyed as part of this process.
 // At present, this only works on root containers; it may be expanded to restart
-// slirp4netns in the future to work with rootless containers as well.
+// pasta(?) in the future to work with rootless containers as well.
 // Requires that the container must be running or created.
 func (c *Container) ReloadNetwork() error {
 	if !c.batched {
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
@@ -2262,7 +2262,7 @@ func (c *Container) addResolvConf() error {
 			// add the nameservers from the networks status
 			nameservers = networkNameServers
 		} else {
-			// pasta and slirp4netns have a built in DNS forwarder.
+			// pasta has a built in DNS forwarder.
 			nameservers = c.addSpecialDNS(nameservers)
 		}
 	}
@@ -2318,11 +2318,7 @@ func (c *Container) checkForIPv6(netStatus map[string]types.StatusBlock) bool {
 		}
 	}
 
-	if c.pastaResult != nil {
-		return c.pastaResult.IPv6
-	}
-
-	return c.isSlirp4netnsIPv6()
+	return c.pastaResult.IPv6
 }
 
 // Add a new nameserver to the container's resolv.conf, ensuring that it is the
@@ -2373,7 +2369,7 @@ func getLocalhostHostEntry(c *Container) etchosts.HostEntries {
 }
 
 // getHostsEntries returns the container ip host entries for the correct netmode
-func (c *Container) getHostsEntries() (etchosts.HostEntries, error) {
+func (c *Container) getHostsEntries() etchosts.HostEntries {
 	var entries etchosts.HostEntries
 	names := []string{c.Hostname(), c.config.Name}
 	switch {
@@ -2384,18 +2380,12 @@ func (c *Container) getHostsEntries() (etchosts.HostEntries, error) {
 		if len(c.pastaResult.IPAddresses) > 0 {
 			entries = etchosts.HostEntries{{IP: c.pastaResult.IPAddresses[0].String(), Names: names}}
 		}
-	case c.config.NetMode.IsSlirp4netns():
-		ip, err := getSlirp4netnsIP(c.slirp4netnsSubnet)
-		if err != nil {
-			return nil, err
-		}
-		entries = etchosts.HostEntries{{IP: ip.String(), Names: names}}
 	default:
 		if c.hasNetNone() {
 			entries = etchosts.HostEntries{{IP: "127.0.0.1", Names: names}}
 		}
 	}
-	return entries, nil
+	return entries
 }
 
 func (c *Container) createHostsFile() error {
@@ -2414,10 +2404,7 @@ func (c *Container) addHosts() error {
 		// no host file nothing to do
 		return nil
 	}
-	containerIPsEntries, err := c.getHostsEntries()
-	if err != nil {
-		return fmt.Errorf("failed to get container ip host entries: %w", err)
-	}
+	containerIPsEntries := c.getHostsEntries()
 
 	// Consider container level BaseHostsFile configuration first.
 	// If it is empty, fallback to containers.conf level configuration.
diff --git a/libpod/container_internal_freebsd.go b/libpod/container_internal_freebsd.go
@@ -296,10 +296,6 @@ func (c *Container) addSpecialDNS(nameservers []string) []string {
 	return nameservers
 }
 
-func (c *Container) isSlirp4netnsIPv6() bool {
-	return false
-}
-
 // check for net=none
 func (c *Container) hasNetNone() bool {
 	return c.state.NetNS == ""
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
@@ -22,7 +22,6 @@ import (
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
-	"go.podman.io/common/libnetwork/slirp4netns"
 	"go.podman.io/common/libnetwork/types"
 	"go.podman.io/common/pkg/cgroups"
 	"go.podman.io/common/pkg/config"
@@ -557,7 +556,7 @@ func (c *Container) setCgroupsPath(g *generate.Generator) error {
 	return nil
 }
 
-// addSpecialDNS adds special dns servers for slirp4netns and pasta
+// addSpecialDNS adds special dns servers for pasta
 func (c *Container) addSpecialDNS(nameservers []string) []string {
 	switch {
 	case c.config.NetMode.IsBridge():
@@ -567,42 +566,10 @@ func (c *Container) addSpecialDNS(nameservers []string) []string {
 		}
 	case c.pastaResult != nil:
 		nameservers = append(nameservers, c.pastaResult.DNSForwardIPs...)
-	case c.config.NetMode.IsSlirp4netns():
-		// slirp4netns has a built in DNS forwarder.
-		slirp4netnsDNS, err := slirp4netns.GetDNS(c.slirp4netnsSubnet)
-		if err != nil {
-			logrus.Warn("Failed to determine Slirp4netns DNS: ", err.Error())
-		} else {
-			nameservers = append(nameservers, slirp4netnsDNS.String())
-		}
 	}
 	return nameservers
 }
 
-func (c *Container) isSlirp4netnsIPv6() bool {
-	if c.config.NetMode.IsSlirp4netns() {
-		extraOptions := c.config.NetworkOptions[slirp4netns.BinaryName]
-		options := make([]string, 0, len(c.runtime.config.Engine.NetworkCmdOptions.Get())+len(extraOptions))
-		options = append(options, c.runtime.config.Engine.NetworkCmdOptions.Get()...)
-		options = append(options, extraOptions...)
-
-		// loop backwards as the last argument wins and we can exit early
-		// This should be kept in sync with c/common/libnetwork/slirp4netns.
-		for i := len(options) - 1; i >= 0; i-- {
-			switch options[i] {
-			case "enable_ipv6=true":
-				return true
-			case "enable_ipv6=false":
-				return false
-			}
-		}
-		// default is true
-		return true
-	}
-
-	return false
-}
-
 // check for net=none
 func (c *Container) hasNetNone() bool {
 	if !c.config.CreateNetNS {
diff --git a/libpod/define/info.go b/libpod/define/info.go
@@ -52,13 +52,12 @@ type HostInfo struct {
 	OS                 string            `json:"os"`
 	// RemoteSocket returns the UNIX domain socket the Podman service is listening on
 	RemoteSocket *RemoteSocket `json:"remoteSocket,omitempty"`
-	// RootlessNetworkCmd returns the default rootless network command (slirp4netns or pasta)
+	// RootlessNetworkCmd returns the default rootless network command (pasta)
 	RootlessNetworkCmd string         `json:"rootlessNetworkCmd"`
 	RuntimeInfo        map[string]any `json:"runtimeInfo,omitempty"`
 	// ServiceIsRemote is true when the podman/libpod service is remote to the client
 	ServiceIsRemote bool         `json:"serviceIsRemote"`
 	Security        SecurityInfo `json:"security"`
-	Slirp4NetNS     SlirpInfo    `json:"slirp4netns"`
 	Pasta           PastaInfo    `json:"pasta"`
 
 	SwapFree  int64  `json:"swapFree"`
@@ -76,13 +75,6 @@ type RemoteSocket struct {
 	Exists bool   `json:"exists"`
 }
 
-// SlirpInfo describes the slirp executable that is being used
-type SlirpInfo struct {
-	Executable string `json:"executable"`
-	Package    string `json:"package"`
-	Version    string `json:"version"`
-}
-
 // PastaInfo describes the pasta executable that is being used
 type PastaInfo struct {
 	Executable string `json:"executable"`
diff --git a/libpod/info_linux.go b/libpod/info_linux.go
@@ -16,7 +16,6 @@ import (
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
 	"go.podman.io/common/libnetwork/pasta"
-	"go.podman.io/common/libnetwork/slirp4netns"
 	"go.podman.io/common/pkg/apparmor"
 	"go.podman.io/common/pkg/cgroups"
 	"go.podman.io/common/pkg/seccomp"
@@ -49,27 +48,9 @@ func (r *Runtime) setPlatformHostInfo(info *define.HostInfo) error {
 		SECCOMPProfilePath:  seccompProfilePath,
 		SELinuxEnabled:      selinux.GetEnabled(),
 	}
-	info.Slirp4NetNS = define.SlirpInfo{}
 
 	info.CgroupsVersion = "v2"
 
-	slirp4netnsPath := r.config.Engine.NetworkCmdPath
-	if slirp4netnsPath == "" {
-		slirp4netnsPath, _ = r.config.FindHelperBinary(slirp4netns.BinaryName, true)
-	}
-	if slirp4netnsPath != "" {
-		ver, err := version.Program(slirp4netnsPath)
-		if err != nil {
-			logrus.Warnf("Failed to retrieve program version for %s: %v", slirp4netnsPath, err)
-		}
-		program := define.SlirpInfo{
-			Executable: slirp4netnsPath,
-			Package:    version.Package(slirp4netnsPath),
-			Version:    ver,
-		}
-		info.Slirp4NetNS = program
-	}
-
 	pastaPath, _ := r.config.FindHelperBinary(pasta.BinaryName, true)
 	if pastaPath != "" {
 		ver, err := version.Program(pastaPath)
diff --git a/libpod/networking_common.go b/libpod/networking_common.go
@@ -111,8 +111,7 @@ func (r *Runtime) teardownNetwork(ctr *Container) error {
 		return err
 	}
 
-	if !ctr.config.NetMode.IsSlirp4netns() &&
-		!ctr.config.NetMode.IsPasta() && len(networks) > 0 {
+	if !ctr.config.NetMode.IsPasta() && len(networks) > 0 {
 		netOpts := ctr.getNetworkOptions(networks)
 		return r.teardownNetworkBackend(ctr.state.NetNS, netOpts)
 	}
@@ -134,7 +133,7 @@ func isBridgeNetMode(n namespaces.NetworkMode) error {
 // firewall configuration.
 // Efforts will be made to preserve MAC and IP addresses.
 // Only works on containers with bridge networking at present, though in the future we could
-// extend this to stop + restart slirp4netns
+// extend this to stop + restart pasta (?)
 func (r *Runtime) reloadContainerNetwork(ctr *Container) (map[string]types.StatusBlock, error) {
 	if ctr.state.NetNS == "" {
 		return nil, fmt.Errorf("container %s network is not configured, refusing to reload: %w", ctr.ID(), define.ErrCtrStateInvalid)
diff --git a/libpod/networking_freebsd.go b/libpod/networking_freebsd.go
@@ -7,7 +7,6 @@ import (
 	jdec "encoding/json"
 	"errors"
 	"fmt"
-	"net"
 	"os/exec"
 
 	"github.com/containers/buildah/pkg/jail"
@@ -44,10 +43,6 @@ type NetstatAddress struct {
 	Collisions uint64 `json:"collisions"`
 }
 
-func getSlirp4netnsIP(_ *net.IPNet) (*net.IP, error) {
-	return nil, errors.New("not implemented GetSlirp4netnsIP")
-}
-
 // This is called after the container's jail is created but before its
 // started. We can use this to initialise the container's vnet when we don't
 // have a separate vnet jail (which is the case in FreeBSD 13.3 and later).
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
@@ -29,9 +29,6 @@ func (r *Runtime) configureNetNS(ctr *Container, ctrNS string) (status map[strin
 			}
 		}
 	}()
-	if ctr.config.NetMode.IsSlirp4netns() {
-		return nil, r.setupSlirp4netns(ctr, ctrNS)
-	}
 	if ctr.config.NetMode.IsPasta() {
 		return nil, r.setupPasta(ctr, ctrNS)
 	}
diff --git a/libpod/networking_slirp4netns.go b/libpod/networking_slirp4netns.go
@@ -5,7 +5,6 @@ package libpod
 import (
 	"fmt"
 	"io"
-	"net"
 	"os"
 	"path/filepath"
 
@@ -15,44 +14,6 @@ import (
 	"go.podman.io/common/libnetwork/types"
 )
 
-// setupSlirp4netns can be called in rootful as well as in rootless
-func (r *Runtime) setupSlirp4netns(ctr *Container, netns string) error {
-	ports := ctr.convertPortMappings()
-
-	if !ctr.config.PostConfigureNetNS {
-		var err error
-		ctr.rootlessSlirpSyncR, ctr.rootlessSlirpSyncW, err = os.Pipe()
-		if err != nil {
-			return fmt.Errorf("failed to create rootless network sync pipe: %w", err)
-		}
-		if len(ports) > 0 {
-			ctr.rootlessPortSyncR, ctr.rootlessPortSyncW, err = os.Pipe()
-			if err != nil {
-				return fmt.Errorf("failed to create rootless port sync pipe: %w", err)
-			}
-		}
-	}
-	defer errorhandling.CloseQuiet(ctr.rootlessSlirpSyncR)
-	if ctr.rootlessPortSyncR != nil {
-		defer errorhandling.CloseQuiet(ctr.rootlessPortSyncR)
-	}
-
-	res, err := slirp4netns.Setup(&slirp4netns.SetupOptions{
-		Config:                r.config,
-		ContainerID:           ctr.ID(),
-		Netns:                 netns,
-		Ports:                 ports,
-		ExtraOptions:          ctr.config.NetworkOptions[slirp4netns.BinaryName],
-		Slirp4netnsExitPipeR:  ctr.rootlessSlirpSyncR,
-		RootlessPortExitPipeR: ctr.rootlessPortSyncR,
-	})
-	if err != nil {
-		return err
-	}
-	ctr.slirp4netnsSubnet = res.Subnet
-	return nil
-}
-
 func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath string, netStatus map[string]types.StatusBlock) error {
 	var err error
 	if !ctr.config.PostConfigureNetNS {
@@ -100,7 +61,3 @@ func (c *Container) reloadRootlessRLKPortMapping() error {
 	}
 	return nil
 }
-
-func getSlirp4netnsIP(subnet *net.IPNet) (*net.IP, error) {
-	return slirp4netns.GetIP(subnet)
-}
diff --git a/libpod/oci_conmon_common.go b/libpod/oci_conmon_common.go
@@ -1170,33 +1170,6 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 		ctr.reservedPorts = nil
 	}
 
-	if ctr.config.NetMode.IsSlirp4netns() || rootless.IsRootless() {
-		if ctr.config.PostConfigureNetNS {
-			havePortMapping := len(ctr.config.PortMappings) > 0
-			if havePortMapping {
-				ctr.rootlessPortSyncR, ctr.rootlessPortSyncW, err = os.Pipe()
-				if err != nil {
-					return 0, fmt.Errorf("failed to create rootless port sync pipe: %w", err)
-				}
-			}
-			ctr.rootlessSlirpSyncR, ctr.rootlessSlirpSyncW, err = os.Pipe()
-			if err != nil {
-				return 0, fmt.Errorf("failed to create rootless network sync pipe: %w", err)
-			}
-		}
-
-		if ctr.rootlessSlirpSyncW != nil {
-			defer errorhandling.CloseQuiet(ctr.rootlessSlirpSyncW)
-			// Leak one end in conmon, the other one will be leaked into slirp4netns
-			cmd.ExtraFiles = append(cmd.ExtraFiles, ctr.rootlessSlirpSyncW)
-		}
-
-		if ctr.rootlessPortSyncW != nil {
-			defer errorhandling.CloseQuiet(ctr.rootlessPortSyncW)
-			// Leak one end in conmon, the other one will be leaked into rootlessport
-			cmd.ExtraFiles = append(cmd.ExtraFiles, ctr.rootlessPortSyncW)
-		}
-	}
 	var runtimeRestoreStarted time.Time
 	if restoreOptions != nil {
 		runtimeRestoreStarted = time.Now()

Original file line number	Diff line number	Diff line change
`@@ -2262,7 +2262,7 @@ func (c *Container) addResolvConf() error {`
`2262`	`2262`	`// add the nameservers from the networks status`
`2263`	`2263`	`nameservers = networkNameServers`
`2264`	`2264`	`} else {`
`2265`		`- // pasta and slirp4netns have a built in DNS forwarder.`
	`2265`	`+ // pasta has a built in DNS forwarder.`
`2266`	`2266`	`nameservers = c.addSpecialDNS(nameservers)`
`2267`	`2267`	`}`
`2268`	`2268`	`}`
`@@ -2318,11 +2318,7 @@ func (c *Container) checkForIPv6(netStatus map[string]types.StatusBlock) bool {`
`2318`	`2318`	`}`
`2319`	`2319`	`}`
`2320`	`2320`
`2321`		`- if c.pastaResult != nil {`
`2322`		`- return c.pastaResult.IPv6`
`2323`		`- }`
`2324`		`-`
`2325`		`- return c.isSlirp4netnsIPv6()`
	`2321`	`+ return c.pastaResult.IPv6`
`2326`	`2322`	`}`
`2327`	`2323`
`2328`	`2324`	`// Add a new nameserver to the container's resolv.conf, ensuring that it is the`
`@@ -2373,7 +2369,7 @@ func getLocalhostHostEntry(c *Container) etchosts.HostEntries {`
`2373`	`2369`	`}`
`2374`	`2370`
`2375`	`2371`	`// getHostsEntries returns the container ip host entries for the correct netmode`
`2376`		`-func (c *Container) getHostsEntries() (etchosts.HostEntries, error) {`
	`2372`	`+func (c *Container) getHostsEntries() etchosts.HostEntries {`
`2377`	`2373`	`var entries etchosts.HostEntries`
`2378`	`2374`	`names := []string{c.Hostname(), c.config.Name}`
`2379`	`2375`	`switch {`
`@@ -2384,18 +2380,12 @@ func (c *Container) getHostsEntries() (etchosts.HostEntries, error) {`
`2384`	`2380`	`if len(c.pastaResult.IPAddresses) > 0 {`
`2385`	`2381`	`entries = etchosts.HostEntries{{IP: c.pastaResult.IPAddresses[0].String(), Names: names}}`
`2386`	`2382`	`}`
`2387`		`- case c.config.NetMode.IsSlirp4netns():`
`2388`		`- ip, err := getSlirp4netnsIP(c.slirp4netnsSubnet)`
`2389`		`- if err != nil {`
`2390`		`- return nil, err`
`2391`		`- }`
`2392`		`- entries = etchosts.HostEntries{{IP: ip.String(), Names: names}}`
`2393`	`2383`	`default:`
`2394`	`2384`	`if c.hasNetNone() {`
`2395`	`2385`	`entries = etchosts.HostEntries{{IP: "127.0.0.1", Names: names}}`
`2396`	`2386`	`}`
`2397`	`2387`	`}`
`2398`		`- return entries, nil`
	`2388`	`+ return entries`
`2399`	`2389`	`}`
`2400`	`2390`
`2401`	`2391`	`func (c *Container) createHostsFile() error {`
`@@ -2414,10 +2404,7 @@ func (c *Container) addHosts() error {`
`2414`	`2404`	`// no host file nothing to do`
`2415`	`2405`	`return nil`
`2416`	`2406`	`}`
`2417`		`- containerIPsEntries, err := c.getHostsEntries()`
`2418`		`- if err != nil {`
`2419`		`- return fmt.Errorf("failed to get container ip host entries: %w", err)`
`2420`		`- }`
	`2407`	`+ containerIPsEntries := c.getHostsEntries()`
`2421`	`2408`
`2422`	`2409`	`// Consider container level BaseHostsFile configuration first.`
`2423`	`2410`	`// If it is empty, fallback to containers.conf level configuration.`